1. Requests for access to LifeWIRE Platform systems and applications are made formally using the following process:
- A LifeWIRE workforce member initiates the access request by creating an Issue in the LifeWIRE Quality Management System.
- User identities must be verified prior to granting access to new accounts.
- Identity verification must be done in person where possible; for remote employees, identities must be verified over the phone.
- For new accounts, the method used to verify the user’s identity must be recorded on the Issue.
- The Security Officer or Privacy Officer will grant access to systems as dictated by the employee’s job title. If additional access is required outside of the minimum necessary to perform job functions, the requester must include a description of why the additional access is required as part of the access request.
- Once the review is completed, the Security Officer or Privacy Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further review and documentation.
- If the review is approved, the Security Officer or Privacy Officer then marks the Issue as Done, adding any pertinent notes required. The Security Officer or Privacy Officer then grants requested access.
- New accounts will be created with a temporary secure password that meets all requirements from 7.12, which must be changed on the initial login.
- All password exchanges must occur over an authenticated channel.
- For production systems, access grants are accomplished by adding the appropriate user account to the corresponding LDAP group.
- For non-production systems, access grants are accomplished by leveraging the access control mechanisms built into those systems. Account management for non-production systems may be delegated to a LifeWIRE employee at the discretion of the Security Officer or Privacy Officer.
- Access is not granted until receipt, review, and approval by the LifeWIRE Security Officer or Privacy Officer.
- The request for access is retained for future reference.
2. All access to LifeWIRE systems and services is reviewed and updated regularly to ensure proper authorizations are in place commensurate with job functions. Those with Admin access are reviewed every 60 days at minimum. Those with System access are reviewed every 90 days at minimum. On any access addition or subtraction, all accesses are reviewed. The process for conducting reviews is outlined below:
i. The Security Officer initiates the review of user access by creating an Issue in the LifeWIRE Quality Management System.
ii. The Security Officer is assigned to review levels of access for each LifeWIRE workforce member.
iii. If user access is found during review that is not in line with the least privilege principle, the process below is used to modify user access and notify the user of access changes. Once those steps are completed, the Issue is then reviewed again.
iv. Once the review is completed, the Security Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further review and documentation.
v. If the review is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required.
vi. Review of user access is monitored on a quarterly basis using the Quality Management System reporting to assess compliance with the above policy. User access rights, when granted, are maintained by the CFO as part of the Employee records.
3. Any LifeWIRE workforce member can request change of access using the process outlined in 7.2.1.
4. Access to production systems is controlled using centralized user management and authentication.
5. Temporary accounts are not used unless absolutely necessary for business purposes.
- Accounts are reviewed every 90 days to ensure temporary accounts are not left unnecessarily.
- Accounts that are inactive for over 90 days are removed.
6. In the case of non-personal information, such as generic educational content, identification and authentication may not be required. This is the responsibility of LifeWIRE Customers to define, and not LifeWIRE.
7. Privileged users must first access systems using standard, unique user accounts before switching to privileged users and performing privileged tasks.
i. For production systems, this is enforced by creating non-privileged user accounts that must invoke VPN access to perform privileged tasks.
ii. Rights for privileged accounts are granted by the Security Officer or Privacy Officer using the process outlined in 7.2.1.
8. All application to application communication using service accounts is restricted and not permitted unless absolutely needed. Automated tools are used to limit account access across applications and systems.
9. Generic accounts are not allowed on LifeWIRE systems.
10. Access is granted through encrypted, VPN tunnels that utilize two-factor authentication.
i. Two-factor authentication is accomplished using a Time-based One-Time Password (TOTP) as the second factor.
ii. VPN connections use 256-bit AES (AES-256) encryption, or equivalent.
iii. VPN sessions are automatically disconnected after 30 minutes of inactivity.
11. In cases of increased risk or known attempted unauthorized access, immediate steps are taken by the Security and Privacy Officer to limit access and reduce risk of unauthorized access.
12. Direct system to system, system to application, and application to application authentication and authorization are limited and controlled to restrict access.