Section 3: Access ControlAnchor: #i1057778
Controlling access into a system (internal or external to the agency, wired or wireless, on premises or remote) provides necessary protection for information assets and the environment in which they reside. There are multiple ways to protect these points of entry. Commonly known as access controls, these protections allow entry only to individuals or systems with prior approval who have a declared need, and to whom access has been extended. TxDOT uses multiple tools in various formats—physical and virtual locks—to authorize entry. This section establishes how TxDOT uses access control as part of its Intrusion Prevention Policy and describes the minimum protocols and responsibilities that must be in place to effectively control access. It provides a system-based method to address the “Protect” objective of the Texas CyberSecurity Framework.Anchor: #i1022431
TxDOT will safeguard information assets and the environments where they are stored. This includes controlling access as well as the flow of information. Controlled access can be both physical and logical. Examples of physical access include posting security guards at building entrances while an example of logical access is designating user identification (IDs) for login into the TxDOT network. Controlling the flow of information includes allowing individuals on a system and allowing systems to read and write to one another through their connections. Control mechanisms must be applied to applications, servers, databases, and network devices. Examples of these mechanisms already in use at TxDOT are session limits (such as a web page expiring), lockout features (requires authenticated individual to log in again after a defined period of inactivity,) and account expirations (such as passwords needing to be reset after a designated amount of time).
Notification. Electronic forms and notices on systems, commonly called “splash screens,” let individuals know about applicable laws, statutes, and agency policies. TxDOT provides a system notice to all individuals and maintains signed access agreements and similar documentation as stipulated in its Records Retention Schedule.
Types of Access. TxDOT follows the principle of Least Privilege, regardless of the type of access an authorized person or system seeks. This principle designates that the access granted will not exceed the necessary allowances required for specific duties or tasks. For example, a system that must read information from a secondary source will not be allowed to write information to the secondary source. This principle applies to all types of access including remote access, media access, external access, service accounts, and even physical access such as badged entries.
Remote or External Access. All remote and external access to the network must occur through a virtual private network, commonly referred to as a VPN. Often described as a secured tunnel, VPNs allow authorized individuals to extend a secured network onto a public network. The tunnel protects the information that travels inside of it. Public services must be used outside the network perimeter. External devices trying to connect to the network can be assessed for potential threats before they are allowed inside the perimeter.Anchor: #i1022445
All individual users of TxDOT information resources must remain in compliance with the access control boundaries. Certain key roles have additional responsibilities listed below.
Administrators. Individuals and business units who administer TxDOT servers, networks, domains and applications must:
- grant access on the principle
of least privilege when both the:
- the information owner has authorized an individual to gain access and
- individual consents to adhere to all of TxDOT’s information security policies.
- maintain lists of all domains, groups, and individuals with authorized access to TxDOT's information environment
- maintain a list of all interfaces
- maintain access logs for auditing purposes
- notify individuals of externally facing systems that they are on a TxDOT asset used for state business
- inform the Information Security Office when resources are out of compliance with policy
Information Owners. The designated owners of business processes must:
- authorize access rights
- grant access rights to individuals who consent to all of TxDOT’s information security policies.
- bases access rights according to the Principle of Least Privilege
- classify information to determine what security controls are necessary to best protect it.
Information Security Officer must:
- oversee and implement security controls within TxDOT information systems
- ensure external information systems containing TxDOT information meet intrusion prevention protection that is equivalent to this policy
- ensure individuals comply with the access control boundaries issued in the Intrusion Prevention Policy.
Compliance and Standards
See the “Network Access Standard” in the Information Security Standards manual for a a list of the minimum standards necessary to comply with this objective of the Intrusion Prevention Policy