Purpose 

This is the information you need to read and accept when you use our website. We hope you enjoy your visit and please feel free to contact us if you have any questions. Please read these terms of use in conjunction with our Privacy Policy.

Scope

This policy applies to all users of information assets including Intelligent Life employees, employees of temporary employment agencies, vendors, business partners, and contractor personnel and functional units regardless of geographic locations. 

This Policy covers all Information Systems environments operated by Intelligent Life or contracted with a third party by Intelligent Life. The term “IS environment” defines the total environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (e.g. mainframe, distributed, desktop, network devices, wireless devices), software, and information. 

Although this Policy explicitly covers the responsibilities of vendors and developers, it does not cover the matter exclusively. Other Intelligent Life Information Security policies, standards, and procedures define additional responsibilities. Vendors may be required to read, understand, and comply with the following:

  • Intelligent Life Access Control Policy  
  • Intelligent Life Business Continuity Plan (developers and support vendors) 
  • Intelligent Life Incident Response Plan (network and support vendors) 
  • Intelligent Life Patch Management (network developers) 
  • Intelligent Life Privacy and Security Statement 

All policies and procedures are available on request.

Responsibilities

Intelligent Life follows the AWS guideline on Best Practice. Intelligent Life management is responsible for maintenance and accuracy of the policy. Any questions regarding this policy should be directed to Steven de Jong at steven@intelligentlife.co.nz.

Definitions

  • Authentication means the identification requirements associated with an individual using a computer system. Identification information must be securely maintained by the computer system and can be associated with an individual’s authorization and system activities.
  • Availability means ensuring that authorized users have access to information and associated assets when required. 
  • Confidentiality means ensuring that information is accessible only to those authorized to have access. 
  • Critical means the degree to which an organization depends on the continued availability of the system or services to conduct its normal operations. 
  • Integrity means safeguarding the accuracy and completeness of information and processing methods. 
  • Sensitive relates to the use of highly classified information or involving discretionary authority over important official matters.

Policy Statement

Access controls are necessary for Intelligent Life systems to ensure the protection of intellectual property and to contain access to sensitive or limited-access data. This policy describes the mechanisms to implement access controls and responsibilities to ensure a high level of information security.

Authorization of access to information

Access to information is authorized as follows; 

  • Access to information is controlled based on business and security requirements and access control rules defined for each information system. 
  • All Intelligent Life vendors will be permitted to access only those critical business information assets and processes which are required for performing their duties. 
  • Access to critical business information assets and activation of accounts for contractors, consultants, temporary workers, or vendor personnel will only be granted when the individual is actively performing service for Intelligent Life (as employee or contractor).  
  • Access for contractors, consultants or vendor personnel to Intelligent Life critical business information assets is subject to signing the Intelligent Life Non-Disclosure Agreement (NDA).

User registration and system access

The registration and termination of user access to systems shall be managed as follows;

  • All requests for access must be emailed to steven@intelligentlife.co.nz or ed@intelligentlife.co.nz for their approval 
  • Following approval, users will be emailed the Intelligent Life Request for Access form (attached) 
  • Upon receipt of the Request for Access form;  
    • A voice call will be used to validate the applicant 
    • User ID and any access instructions will be emailed to the applicant 
    • An SMS will be sent providing the password for access.
  • All users of information resources will be provided a unique User ID and authorisation from the system owner to access Intelligent Life’s information assets. 
  • All users will be provided with documentation of their access rights and terms of use.   
  • No users shall be granted access to any system prior to completing all authorisation steps. 
  • A record of all registered users will be maintained and checked periodically for unused, redundant, or expired user accesses or accounts, or incorrect privileges. 
  • Redundant User IDs will not be re-issued to new users.
  • New accounts that have been unused for 14 days will be disabled. 
  • The user accounts of personnel leaving the employ of Intelligent Life or its service providers will be removed immediately upon leaving.
  • Third-party personnel requiring access to Intelligent Life’s systems must follow Third Party Access Authorisation procedures for user registration.

Review of user access rights

  • User access rights will be reviewed every 6 months. 
  • A review of all special privilege access rights will be carried out annually, or as required.

Management of user privileges

User privileges will be managed as follows;

  • All user privileges must be assigned through a formal authorisation procedure.
  • Intelligent Life will ensure that no privileges are assigned before the completion of such procedure.
  • All privileges will be allocated on an ‘as required’ basis. 

User password management

User passwords will be managed as follows;

  • Users must apply Intelligent Life’s password policy regarding password usage and management. 
  • Initial temporary passwords must be conveyed in a secure manner. 
  • When Intelligent Life’s standard encryption algorithm option is available, initial temporary passwords shall be conveyed via e-mail. 
  • Users must change their temporary password upon first login. 
  • In the event of forgotten passwords, temporary passwords will only be issued following positive identification of the user. 
  • All passwords relating to a System Administrator that has left the employ of Intelligent Life or its service provider will be immediately changed. 
  • Users may not store passwords on a computer or in any place with public access. 
  • Passwords must be changed at least every 6 months.

User responsibilities regarding passwords and unattended equipment

User responsibilities for managing passwords and unattended equipment are as follows;

  • Users must abide by the password management policy set out above.
  • Users must enable password-protected screen savers on desktops, portable computers/laptops, and servers. 
  • Users should set their device timer to enable the screen saver after no more than 15 minutes of inactivity. 
  • Users must terminate active sessions when activities are finished. 
  • For mainframe computers, users must log off after completion of their tasks.

Access control – Networks

Policy regarding use of network services; 

  • Access to networks and network services will be specifically authorised in accordance with Intelligent Life’s User Access Control procedures and NDA terms and conditions. 
  • Access to networks and network services will be controlled in accordance with business and security requirements, and access control rules defined for each network.

Network connection control; 

  • A Service Policy Table will be formulated for each service that is allowed through each firewall. 
  • All external connections by business partners and customers will be documented and authorized in accordance with the defined “Security Change Request” procedure.

Network routing control; 

  • Appropriate routing control methods will be deployed to restrict information flows to designated network paths within the control of Intelligent Life. 
  • Network routing controls will be based on positive source and destination address checking methods. 

Security of network services; 

  • Intelligent Life will obtain detailed descriptions of the security attributes of any external services (if any) from external network service providers.
  • Security attributes descriptions will establish the confidentiality, integrity, and availability of business applications and the level of controls (if any) required to be applied by Intelligent Life. 
  • Description of the security controls will be included in the agreement of services. 

Access control – Operating Systems

Automatic terminal identification 

  • Automatic terminal identification will be used when it is important that transactions are only initiated from a specific terminal or location. 

Terminal log-on procedures 

  • Terminal logon procedures will disclose a minimum amount of information about the system. 
  • System administrators will set the password management system to suspend the User ID after three consecutive unsuccessful attempts. A system administrator will require approval from the user’s supervisor to reset the User ID. 
  • A legal banner will appear on all Intelligent Life systems prior to logging on to the system.
  • The logon procedure will not identify the system or application until the logon process has been successfully completed. 
  • Systems will validate logon information only on completion of all input data. 
  • After a rejected logon attempt, logon procedures will terminate. The procedure will not explain which item of information (the User ID or password) was the reason for the logon termination. 
  • If an error condition occurs, systems will not indicate which item of data is correct or incorrect. The logon procedures will set a maximum time allowed for the logon process. If the time is exceeded, the system will terminate the logon process. 
  • On successful completion of logon, the logon procedures will display the date/time of the previous successful logon, and the number and date/time of unsuccessful logon attempts since the last successful logon. 

User identification and authentication 

  • Intelligent Life will identify and authenticate all users before granting the appropriate system access. 
  • User ID naming conventions must be consistent and documented. 
  • User IDs must not be shared between users.

Use of system programs

  • Access to and use of system programs will be restricted and controlled. 
  • Use of system programs will be limited to authorised individuals. 
  • All actions undertaken by an individual on system programs will be logged.
  • All unnecessary system utilities and software, including compiler programs, will be removed. 

Terminal time-out 

  • All systems will be locked after a defined time of inactivity.

Limitation of connection time

  • Wherever possible, all critical systems will have defined time slots for access and connectivity.

Access control – Applications 

Information access will be restricted as follows; 

  • Access to Intelligent Life information resources and applications will be restricted to users that require them and in accordance with the information Access Control Policy.
  • All users will have controlled access (Read, Write, Modify, Execute and Full control) to all information resources and business applications of Intelligent Life, in accordance with their requirements.
  • The owner of the information resources and business application will review the access rights based on criticality of information or every 6 months.

Access control – Other

Mobile computing and remote access 

  • All mobile computing facilities (e.g. laptop computers, palmtop computers, notebooks, mobile phones) will be used in a secured environment, using cryptographic controls for communication purposes. 
  • All mobile computing facilities (e.g. laptop computers, palmtop computers, notebooks, mobile phones) will have a boot or access password or pattern.
  • All personnel using remote access will be provided with a secure connection (e.g. Secure Socket Layer, IPSec, Virtual Private Network, encryption) to information system networks. 
  • The maintenance and support, audit, monitoring, training on security controls and practices, management of access rights, and physical security for remote access, will be in accordance with the defined procedures.

Shared Folders

  • Access to shared folders will be authorised for specific persons only.
  • Shared Folders will be used for work purposes only.
  • An approved document repository will be used for remote and limited access to shared folders and files.

Monitoring of system access and usage

Access monitoring will be as follows;

  • All event details on information systems will be logged and stored for 6 months for ordinary systems and one year for critical systems.
  • All information systems and business applications will be monitored, and results of monitoring must be reviewed periodically.
  • All system clocks will be synchronised and reviewed for inaccuracy and drift. 
  • All unsuccessful login attempts to critical servers will be recorded, investigated, and escalated to management.

Compliance management

Compliance with the Access Control Policy is mandatory, as follows; 

  • Managers will ensure continuous compliance monitoring.  
  • Compliance with Access Control Policy will be reviewed periodically. 
  • Violations of the policies, standards, and procedures will result in corrective action by management, with disciplinary action taken consistent with the severity of the incident, as determined by an investigation, and may include, but not be limited to:
    • Loss of access privileges to information assets
    • Other actions as deemed appropriate by management, Human Resources, and legal recourse.

_______________________________________________________________________

Intelligent Life Technologies Limited, GCF Building, 12 Churton Street, Parnell, Auckland, 1052, New Zealand

Document change control

All changes to this document are recorded in the following table;

Change date | Reason for change | Changes made | Author
8 May 2014 | Document inception | Inception document | SdJ
22 May 2014 | Update reference to application form | Update content under heading ‘Purpose’ | SdJ
26 May 2014 | Update register | Update register | SdJ
27 May 2015 | Insurer request | Who responsible for access control | SdJ
4 Apr 2016 | Update register | Update register | SdJ
8 Mar 2017 | Review policy | Accuracy | SdJ
28 Oct 2018 | EY audit review | Small edits | SdJ
1 Jan 2019 | Client review | Repositories | SdJ
5 May 2020 | Updated website | Document format refresh | ES