PURPOSE:

Authentication mechanisms such as passwords are the primary means of protecting access to computer systems and data. It is essential that these authenticators be strongly constructed and used in a manner that prevents their compromise.

SCOPE:

This policy applies to all passwords and other authentication methods used on the MAM, as well as to internal access to remote servers and databases.

POLICY:

  1. Access to all club data not intended for unrestricted public access requires authentication.
  2. Passwords and other authenticators must be constructed to have a resistance to attack commensurate with the level of system or data access granted to the account.
  3. Systems must be designed and configured to protect passwords during storage and transmission.
  4. No one may require another to share the password to an account, for example as a condition of employment or in order to provide technical support.
  5. Different user types define the different levels of permission (admin, viewer, partner).
  6. Sensitive information (such as passwords) is salted and hashed before being stored.
  7. Server and database access is controlled via AWS security keys. The Chief Technological Officer controls the master key; employees have keys that allow them to manage systems without being able to view or edit customer data.
  8. Our network IP addresses are whitelisted for access to our AWS admin console; all other addresses are blocked.
  9. We use two-step authentication for all employees to access our systems.

RESPONSIBILITIES:

  1. All members of each club are responsible for any activity that occurs as a result of the use of authentication methods issued to them.
  2. All members of each club are responsible for protecting the password or authentication method associated with an individually assigned account. Passwords may not be shared or disclosed to anyone else.
  3. All members of each club are responsible for reporting any suspicious use of assigned authentication mechanisms. Anyone who reasonably believes his or her password to be known by anyone else must change it immediately. Lost or stolen authentication devices are to be reported immediately.
  4. The Chief Technological Officer is responsible for implementing systems and specifications to facilitate unit compliance with this policy.