Last updated - December, 2024

Purpose

Authentication mechanisms such as passwords are the primary means of protecting computer systems and data access. These authenticators must be strongly constructed and used in a manner that prevents their compromise. Authentication is a cornerstone of our security framework, ensuring only authorized users access critical systems and data.

Scope

This policy applies to all passwords and other authentication methods used on the MAM as well as internal access to remote servers and databases. It also encompasses authentication processes for integrations, APIs, and third-party applications connected to the system.

Policy

  1. Access to all club data not intended for unrestricted public access requires authentication.
  2. Passwords and other authenticators must be constructed to resist attack at a level commensurate with the system or data access granted to the account.
  3. Systems must be designed and configured to protect passwords during storage and transmission.
  4. No one may require another to share the password to an account, for example as a condition of employment or to provide technical support.
  5. Different user types define the different levels of permission (admin, viewer, partner).
  6. Sensitive information (such as passwords) is salted and hashed before storage.
  7. Access to customer data is restricted internally on a need-to-know basis.
  8. Our AWS architecture runs in a private network that is not accessible from the internet. Only specific endpoints (such as our API) can be reached from the internet, and they require authentication.
  9. We use multi-factor authentication (MFA) for all employees to access our systems. Customers are also encouraged to enable MFA for their accounts where available.

Responsibilities

  1. All members of each club are responsible for any activity that occurs due to the use of authentication methods issued to them.
  2. All members of each club are responsible for protecting the password or authentication method associated with an individually assigned account. Passwords may not be shared or disclosed to anyone else. This includes refraining from writing down passwords or storing them in insecure locations.
  3. All members of each club are responsible for reporting any suspicious use of assigned authentication mechanisms. Anyone who reasonably believes his or her password to be known by anyone else must change it immediately. Lost or stolen authentication devices are to be reported immediately.
  4. The Chief Technological Officer is responsible for implementing systems and specifications to facilitate unit compliance with this policy.