Logical Access Controls

Logical access controls are implemented for servers. Authorized users are assigned access privileges to servers through a group policy that requires a unique username and password for authentication. Passwords are required to be a minimum of 8 alphanumeric characters and expire every 90 days for non-administrative users. Administrative passwords are required to expire every 45 days. After five failed login attempts, users are locked out for a duration of 15 minutes or greater. Furthermore, the minimum age for passwords is 7 days with a password history of 8. There are instances where generic user accounts are utilized, but these accounts are presented to the Information Security Committee for evaluation and an exception must be granted.

All servers and workstations are required to have an approved anti-virus system that is configured to be updated at least daily. Additionally, all workstations must have an approved firewall configured to block all unauthorized access attempts. Furthermore, all servers and workstations must have an Intrusion Detection System implemented to alert users when unauthorized access is attempted. Any mobile device must have full disk encryption implemented and any server or workstation deemed sensitive or containing cardholder data must utilize full disk encryption. CSI Digital Banking does not contain any cardholder data.

Software Engineers generally do not have remote access to any of the web application servers. There are rare instances where the SEG Leader or SEG Manager may request remote access to the production servers to assist in troubleshooting performance issues. In these instances, a TMT ticket requesting remote access is sent to System Operations, or email approval is obtained. Once the performance issues have been corrected, the remote access to the web application servers is rescinded.
