3.2 User Identification and Authentication

3.2.1 Unique User Identifiers

Every employee will be provided with a unique identifier (user ID) when they join the company. This user ID will be used to access all company systems. Unique user IDs are crucial to individual accountability, as they enable actions performed on company systems to be accurately tracked back to the individual responsible. This promotes a culture of responsibility and security among employees, discouraging negligent or malicious activities due to the knowledge that such actions can be traced.

3.2.2 Multifactor Authentication

Our policy mandates the use of multifactor authentication (MFA) across all company systems, with additional layers for specific applications and situations.

3.2.2.1 General MFA Policy

Every employee, upon receiving their unique user ID, is required to enroll in our MFA program. This program involves a combination of something the employee knows (their unique password) and something they have (a registered mobile device or security token).

3.2.2.2 Software Token or Physical Security Key

We encourage the use of software tokens generated by an authentication app installed on the employee's mobile device. In certain circumstances, where additional security is warranted or a mobile device isn't available, we may issue a physical security key.

3.2.2.3 Sensitive Systems Access

For accessing more sensitive systems, we require an additional authentication factor, usually in the form of biometric identification (like a fingerprint or facial recognition) or a time-based, single-use PIN sent via SMS or email. In high-risk scenarios, we might require approval from a system administrator or manager to complete the authentication process.

3.2.2.4 Remote Access

Given the nature of our business, remote access is common. For any remote connections, we mandate MFA using a VPN with a rotating token for secure access to our network. This policy ensures that even remote sessions are secure from unauthorized access.

3.2.2.5 Regular Authentication Audits

We conduct regular audits of our MFA system to ensure compliance with these policies and to identify any potential areas of improvement. This includes monitoring for any failed authentication attempts, which could indicate attempted unauthorized access.

3.2.3 Automated Logoff of Idle Sessions

To prevent unauthorized access through unattended devices, we have implemented automated logoff of idle sessions. If an employee leaves a device without logging off, the system will automatically end the session after a predetermined period of inactivity.

This measure not only guards against unauthorized internal access but is also a crucial defense if a device is lost or stolen. An attacker who gains physical access to a device with an active session that has access to sensitive information poses a severe security risk. Automatic logoff significantly reduces this risk.

3.2.4 User Identification and Authentication Policy Management

Our management team will regularly review and update our user identification and authentication policies. As our organization grows and evolves, and as new threats emerge, we need to ensure that our policies are still relevant and effective.

Regular training and reminders will also be provided to all employees. It's essential that all our staff understand why these measures are in place and the role they play in maintaining the security of our systems and data.

Violations of these policies will be treated seriously and may lead to disciplinary action. This underlines the importance that we place on these security measures and helps ensure that all employees adhere to our user identification and authentication policies.