Laserfiche WebLink
Security Policies and Procedures <br />XI. IDs and Accounts <br />A. User IDs <br />Each user shall be assigned a unique identification, called the User ID. This User ID is not <br />considered to be sensitive, unless the User ID relates to an authentication process, <br />systems or application management role. <br />On sensitive systems or applications the User ID should not be easily identifiable, thus <br />making unauthorized usage more difficult. <br />Sharing of User IDs is not permitted, unless justified by business requirements and <br />approved by the ISO. For any such shared User ID, the password will be shared using <br />LastPass, and the password will not be shared with the additional user. If this password <br />is shared, it must be changed immediately after the User ID is used to keep the shared <br />User ID from becoming generally available and a risk to Virtru. <br />Guest and anonymous User IDs are not allowed, unless the system involved is not <br />connected to any of Virtru's networks and the system does not have any Company <br />information on it. Typically, these guest or anonymous User IDs are only used during <br />development or during marketing/sales demonstrations. <br />B. ID and account creation <br />User IDs are only to be created following a process approved by the information owner. <br />This User ID creation process should include: <br />1. Expiration dates for the User ID <br />2. Renewal process for the User ID <br />3. Documentation of the role, business process and job function relating to the <br />User ID <br />User IDs are to be created for the purpose needed and not in a manner to compromise <br />segregation of duties. <br />A record of all User IDs and their owners will be maintained by the ISO. See the Change <br />Control Logs for Security for further detail. <br />Rev.2015.8.6 <br />27 <br />