
2.3 – Authentication and Authorization

Last updated : January 14, 2022

This policy will be effective from Monday 17 January 2022.


Policy Statement

In accordance with the PT. Mandiri Tunggal Sejahtera Berkarya/ MTS Group Holding, LLC. (“Company“, “We“, “Our“, “Us“) Data Classification Policy, all information systems that create, receive, store, or transmit data classified as ‘Confidential’ must adhere to the authentication and authorization principles set out in this document.

Reason for Policy

State and federal regulations, as well as general best practices, shape the security and privacy protections that must be afforded to data classified as “Confidential”. This policy addresses regulatory and best-practice requirements to ensure proper authentication and authorization for access to Confidential data.

Entities Affected by this Policy

PT. Mandiri Tunggal Sejahtera Berkarya/ MTS Group Holding, LLC.

Who Should Read this Policy

All individuals accessing or storing data in the Data Core, as well as all individuals sending, receiving, or transmitting any data to or from the Data Core.

Web Address of this Policy

Authentication and Authorization

Principles

Information systems or applications that create, receive, store, or transmit Confidential data (hereafter “Confidential Systems” – see Data Classification policy) must, without exclusion, adhere to the following:

Access

Managers and administrators of Confidential systems are responsible for ensuring access to those systems is based on work function and is controlled using the minimum necessary standard. Documented procedures for ensuring appropriate access to Confidential Systems must include:

  1. Authorization methods (e.g. using a PSAID), including manner and type of authorized administrative access
  2. Authentication methods (e.g. requiring passwords), including manner and type of authentication
  3. Methods for evaluating access to Confidential systems based on the need to fulfill an appropriate business purpose
  4. Documentation of each workforce member’s and vendor’s access rights to Confidential systems
  5. Acknowledgement forms, signed by the appropriate supervisors, which document that they have knowingly and willingly authorized access rights to Confidential systems to appropriate workforce members and vendors
  6. Acknowledgement forms, signed by the appropriate workforce members and vendors, which document that all appropriate parties are aware of their authorized access rights to Confidential systems
  7. A formal process for annually reviewing and revising workforce member and vendor access to Confidential systems
  8. A formal process for the timely termination of workforce member and vendor access to Confidential systems whenever appropriate (e.g. immediately upon end of employment).
  9. A formal process for the timely change of workforce member and vendor access to Confidential systems whenever appropriate (e.g. after a change in role or position).
  10. A formal process for regularly assessing effectiveness of access controls to Confidential systems
  11. A formal process for providing, and subsequently removing, electronic access to Confidential systems to appropriate workforce members and vendors during an emergency

Unique User Identification

  1. All electronic access to Confidential systems must be tied to a unique user identifier (the Company PSAID) combined with an authentication credential such as a password. Each user is granted only one Company PSAID and password. Using another user’s account (PSAID) to access Confidential systems is prohibited.
  2. Violators will be subject to disciplinary action (see the Company Sanctions Policy).
  3. Managers and administrators of Confidential systems are responsible for ensuring that access technologies and methodologies for those systems incorporate the following:
    1. Usage of “strong” (difficult to guess) passwords that contain, at minimum, a combination of capital and lower-case letters, and numbers
    2. Usage of “unique” (not shared among multiple users) user IDs (e.g. PSAIDs) with an appropriate authentication mechanism (passwords, tokens, biometrics, etc.)
    3. Forced periodic password changes of, at minimum, every 180 days (at least every 90 days for users who handle credit card transactions)
    4. Enforced prohibition of password reuse
    5. Enforced prohibition of sharing or disclosing passwords
    6. Gaining access to Confidential systems or data by using credentials other than one’s own makes it impossible to properly log and audit access. Therefore, it is not acceptable for any user to use another user’s authorization credentials (e.g. PSAID and password) to gain access to any Confidential IT resources. It is additionally not acceptable for any user to act on behalf of another user when accessing IT resources unless this practice has been documented and approved by a supervisor of that system.
    7. In some circumstances, such as in research labs, it is acceptable to use a ‘shared’ account for login only to computer workstations. In cases where shared accounts are preferred or required, managers and administrators of Confidential systems must ensure that shared accounts are used only to log in (authenticate) to those workstations, and not for authenticating to applications accessible from the workstation. It is never acceptable to use a shared account to access applications, databases, or other systems that store Confidential data. Accounts used in this shared manner must never be normal user accounts (e.g. PSAIDs), but should instead be accounts created solely for the purpose of logging into a limited number of computer workstations.

Audit Controls

  1. All access to Confidential systems and data must be electronically logged. Logged data must be audited on a predetermined schedule, at least annually. Documentation of audits must be kept for at least 2 years. Discrepancies or access violations found through audits must be reviewed and remediated.
  2. Audit logging should be deployed in layers: at the network, application, back-end database, and system levels, and incorporate the following:
    1. Access logs – systems or security administrators must have procedures in place to log and review administrative and user access to IT resources.
    2. Activity logs – systems or security administrators should log and review user activity, such as data insertions, revisions, changes, or deletions
    3. Systems monitoring – systems or security administrators should monitor IT resources for anomalies such as changes in performance or network traffic, and should review intrusion-detection alerts.

Account Lockout

  1. In accordance with industry security standards, user accounts will be locked out for a period of time after multiple incorrect login attempts to protect against brute-force attacks. Users will be able to attempt login again after the period of time has passed.
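As an added example that is not part of the original policy text, the following implements the lockout rule above together with the access logging required under Audit Controls: failed attempts are counted within a sliding window, the account is locked for a fixed period once the threshold is reached, and every outcome (success, failure, lock, rejection while locked) is written to an audit log. The threshold of 5 attempts, the 15-minute window, the 30-minute lockout, the `FakeClock`, the demo user table and the `verify_demo` function are assumptions; the policy states none of these values.

```python
import hmac
import time
from collections import deque
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5            # assumption: failures allowed before lockout
WINDOW_SECONDS = 15 * 60    # assumption: failures older than this are forgotten
LOCKOUT_SECONDS = 30 * 60   # assumption: how long the account stays locked


@dataclass
class LoginState:
    failures: deque = field(default_factory=deque)  # timestamps of recent failed attempts
    locked_until: float = 0.0                       # epoch seconds; 0 means not locked


class LockoutGuard:
    """Wraps a credential check with per-account lockout and audit logging."""

    def __init__(self, verify_credentials, clock=time.time):
        self._verify = verify_credentials
        self._clock = clock
        self._state: dict[str, LoginState] = {}
        self.audit_log: list[str] = []

    def _log(self, psaid: str, event: str, now: float) -> None:
        self.audit_log.append(f"{now:.0f} {psaid} {event}")

    def attempt(self, psaid: str, password: str) -> str:
        """Return 'ok', 'failure' or 'locked'. Credentials are NOT checked while locked."""
        now = self._clock()
        st = self._state.setdefault(psaid, LoginState())

        if now < st.locked_until:
            # Rejecting before verification denies the attacker any signal on the password.
            self._log(psaid, "rejected_locked", now)
            return "locked"

        # Forget failures that fell outside the sliding window.
        while st.failures and now - st.failures[0] > WINDOW_SECONDS:
            st.failures.popleft()

        if self._verify(psaid, password):
            st.failures.clear()
            self._log(psaid, "success", now)
            return "ok"

        st.failures.append(now)
        if len(st.failures) >= MAX_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures.clear()  # the count restarts when the lock expires
            self._log(psaid, "locked", now)
            return "locked"

        self._log(psaid, "failure", now)
        return "failure"


class FakeClock:
    """Controllable clock so the lockout timing can be exercised without sleeping."""

    def __init__(self, start: float):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


# Constructed demo user table (cleartext only for the demo; store hashes in real code).
DEMO_USERS = {"u123": "Correct-Horse-9"}


def verify_demo(psaid: str, password: str) -> bool:
    # Compare against a dummy for unknown users so timing does not reveal whether the PSAID exists.
    expected = DEMO_USERS.get(psaid, "\x00" * 16)
    return hmac.compare_digest(expected.encode(), password.encode()) and psaid in DEMO_USERS


if __name__ == "__main__":
    clock = FakeClock(1_000_000.0)
    guard = LockoutGuard(verify_demo, clock)
    for _ in range(MAX_ATTEMPTS):
        print(guard.attempt("u123", "wrong"))          # failure x4, then locked
    print(guard.attempt("u123", "Correct-Horse-9"))    # locked: correct password refused
    clock.advance(LOCKOUT_SECONDS + 1)
    print(guard.attempt("u123", "Correct-Horse-9"))    # ok
    print("\n".join(guard.audit_log))
```

A lockout of this kind can itself be abused to lock legitimate users out by deliberately failing their logins, so it is normally combined with per-source rate limiting, and the "locked" events in the audit log are the trail an administrator reviews when that happens.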
