PharmaLedger-IMI / epi-workspace

ePI use case main repository
MIT License

pCMA Control - Access Control Design & Access Management #343

Open nhrishi opened 3 years ago

nhrishi commented 3 years ago

**Control Register**

**AC01 | Information Systems and devices have appropriate authentication mechanisms**

- a) All Information Systems apply an appropriate authentication mechanism to authenticate a user.
  - Exception: RT3 systems that only provide access to Public Business Information (anonymous access is permitted).
  - Where technically feasible, Novartis managed systems leverage central identity federation, Single Sign-On (SSO), or Identity and Access Management (IAM) platforms.
  - Where technically feasible, systems hosted by Third Parties, e.g. cloud systems, leverage Novartis provided identities and accounts through Novartis identity federation (or equivalent solutions) for Novartis users.
- b) All Novartis owned PCs and other devices (e.g. smart phones or tablets) holding Novartis Business Information or providing access to Novartis Business Information have an authentication mechanism at start up or reboot which is technically enforced.
  - For PCs (desktop, laptop, virtual PC) this is the Active Directory credentials or biometrics.
  - For smartphones and tablets this is minimally a 6 digit pin code or biometrics.

**AC02 | One-factor password authentication enforces password length and complexity**

- a) Non-Privileged Accounts have a minimum password length of 8 characters, technically enforced.
- b) Privileged Accounts have a minimum password length of 14 characters; where technically feasible this is technically enforced, otherwise there is appropriate procedural or operational control.
- c) Where technically feasible, Information Systems allow a password length of up to 64 characters (where possible, no limit should be set to the password length).
- d) Password complexity enforces the use of a minimum of three of the four character groups: lowercase, uppercase, numeric, and non-alphanumeric.
- e) Where technically feasible, during password creation, verifiers compare the prospective new password against a list that contains values known to be commonly-used, expected, or compromised. If the prospective new password is on the list, the user is forced to choose a different password. The list may include, for example: passwords obtained from previous breach corpuses, repetitive or sequential characters, context-specific words such as the name of the service, the username, and derivatives thereof.
- f) When passwords are changed, the following rules are applied, and enforced where technically feasible:
  - The new password, passphrase or passcode cannot be the same as the 10 previous passwords (password history).
  - Systems do not allow a user to change their password more than once a day (i.e. password age setting is set to > 1 day).
- Note: For Digital Assets this control only applies where technically feasible.

**AC03 | Multifactor authentication is in place where access has a higher risk**

- a) Multifactor authentication is implemented for access to Strictly Confidential, Vital Integrity, and Sensitive Personal Information (if SPI is also Restricted) classified information.
- b) Multifactor authentication is implemented for VPN / RAS (access from unmanaged devices not permitted) and Virtual Desktop as a Service (VDAS).
- c) Multifactor authentication is implemented for unmanaged device access to RT1 and RT2 systems.
- d) Novartis systems hosting Strictly Confidential, Vital Integrity, and/or Sensitive Personal Information (if SPI is also Restricted) classified information are onboarded to the IAM MFA service (MFA or SAS).

**AC04 | Login screens are secure**

- a) The login screen does not display the password being entered by default, e.g. by hiding the password characters with symbols. "View password" functionality is allowed.
  - The login screen does not display unnecessary system identifiers until the login process has been completed.
  - The login screen does not provide help messages during the login process that would aid an unauthorized user (e.g. display help for users to remember the password or provide password hints).
  - The login screen only validates the login information upon completion and submission of all login credentials, and when an error (unsuccessful) condition arises, the user is not notified which credential was incorrect.

**AC05 | Number of consecutive unsuccessful login attempts is limited**

- a) After a maximum of 5 consecutive unsuccessful login attempts, the Account is locked for a minimum of 10 minutes or until the user has requested a password reset following the applicable process.

**AC06 | Users have the capability to choose and change their password**

- a) Users are provided with the capability of changing their password themselves after authentication.
- b) There is a function that forces users to create their own password upon first login, or after any password reset that generated a password that was not self-defined by the user.

**AC07 | Access authorization follows an authorization role model**

- a) Access authorization follows an authorization role model where:
  - Access permissions or entitlements are assigned to system roles and system roles to user accounts.
  - System roles are designed to enable a user to perform only tasks or functions on a system in line with the user's job role in the business process.
  - The provisioning of system roles to user accounts and permissions or entitlements to system roles is not hardcoded, and so is dynamic (changeable) over time.
- b) Administrator roles are set up considering segregation of duties, and responsibilities are clearly identified.
- c) SCA and OCA application access is managed using the IAM APS (Account Provisioning Service) connected provisioning service.

**AC08 | Non-Privileged Accounts are disabled after a maximum of 90 days of inactivity**

- a) Non-Privileged Accounts used by human users are disabled (or equivalent) after a maximum of 90 days of inactivity.
  - For Information Systems that rely on prior network access or which are linked through identity federation to the network account, it is sufficient if the network account is disabled. In other cases, accounts are disabled on the system.

**AC09 | Default user accounts are deleted, disabled or changed, open privileges are not used**

- a) System native ("default") user accounts included in software, firmware or devices are either deleted, disabled or their authentication credentials are changed.
- b) System native ("default") groups are not used for granting access rights or privileges (e.g. "everyone", "authenticated users", "Domain Users").

**AC10 | Authentication credentials transmitted during login are encrypted or hashed**

- a) Authentication credentials (e.g. passwords, biometric identification data, One Time Passwords) transmitted during login are encrypted or hashed.

**AC11 | Authentication credentials are not hard-coded and allow rotation**

- a) Authentication credentials are not hard-coded into systems.
- b) Systems allow for credential rotation.

**AM03 | Users are uniquely identifiable and all Access Accounts have an owner**

- a) All Novartis system users (whether a person or technology) are uniquely identifiable and are assigned a unique digital identity (UID).
- b) Accounts are assigned to an owner who is accountable for the account.
  - Accounts have a clear and logical naming convention that is, where technically feasible, consistently applied across different Information Systems.
  - User accounts of human users are not used as Technical Accounts.
  - Technical Accounts are not used by physical users to access systems (unless such would be exceptionally needed for development, change or incident management purposes). Where technically feasible, Technical Accounts are set up to prevent interactive logins.

**AM11 | Privileged Accounts are controlled and periodically reviewed**

- a) Privileged Accounts are only assigned to persons directly responsible for an Information System.
- b) Use of Privileged Accounts (non-personal) is secured via a Privileged Account Management solution.
- c) If a Privileged Account Management solution cannot be used (technically not feasible): the process of granting access to Privileged Accounts strictly ensures that Privileged Accounts are only assigned to, and used by, persons directly responsible for the Information System. The continued need for the account is reviewed semi-annually.
- d) Roles and responsibilities for system administrators are defined and documented.
- e) SCA and OCA applications are onboarded to the IAM PAM service (PAM).

**AM15 | Passwords are protected or encrypted**

- a) Passwords that need to be written down are protected by storing them in a physical vault or encrypting them.
- b) Passwords are encrypted when stored electronically (e.g., password file is encrypted or a password vault with encryption is used).

salboaie commented 2 years ago

Could we allocate testing time to see if we have any gaps? (and generate granular tasks for us to fix those gaps)