Access Control Security (Login/Logon-Logout/Logoff)
- System managers are responsible for ensuring that each computer system for which they are responsible has at least one access coordinator.
- The access coordinator for each computer system will assign a unique electronic identifier (ID) to each user of the computer system.
- Under circumstances when a password is required, each user will establish a password, known only to him/her. The individual user will be responsible for the confidentiality of the password and for any breaches of security committed via access gained through his/her password or other electronic identifier.
- Each system manager is responsible for the development of mechanisms that require a user to change his/her password at regular intervals if the user’s ID and password provide access to information technology resources or confidential and/or sensitive information.
- System managers are responsible for publicizing the procedure for changing passwords.
- Each access coordinator is responsible for notifying the appropriate system manager and revoking the relevant electronic identifier (ID) when a user no longer requires access to the information resources managed by the system manager.
- System and data managers, as applicable, will conduct and document a risk analysis for each system for which he/she has responsibility and based on that risk analysis, implement any time-out mechanisms that are warranted.