L&I, Office of Information Technology Policy SEC-010

(PDF)

1. Purpose

To specify the access controls and expected behavior regarding non-commonwealth users (hereinafter “contractors”) and their access to Department of Labor & Industry (L&I) Information Technology systems and data. This includes contractors working directly with L&I’s Office of Information Technology (OIT) staff, as well as external support entities.

2. Background

This policy is published under the general authority of the Office of Administration / Office of Information Technology (OA/OIT) in conjunction with IRS Publication 1075 Section 9.3 Access Control. L&I systems are protected by robust security measures in order to protect L&I’s applications and information. Granting contractors elevated privileges to L&I production (PROD) systems could potentially compromise them. Without the proper safeguards and controls in place, L&I OIT staff may not be able to replicate, correct, or explain the matter. L&I PROD applications are valuable, sometimes mission critical, assets. Therefore, every possible measure must be taken in order to ensure their protection and maintenance.

3. Scope

This policy applies to all employees, contractors, temporary personnel, members of boards, commissions and councils, agents, and vendors in the service of L&I (hereinafter referred to collectively as “Users”).

4. Policy

L&I OIT staff will ensure only the necessary level of access is requested for contractors.

Contractors at L&I will not be given elevated or privileged account access to any L&I Production (PROD) environment without approvals following the procedures described in Access Control for Non-Commonwealth Users Procedures.

Contractors must access all L&I systems using their unique domain logon credentials. The use of anonymous, guest, or service accounts by contractors is forbidden and will be considered a security breach, without an exception following the Access Control for Non-Commonwealth Users Procedure.

Contractors must document all actions and activates on PROD systems.

Contractors must provide knowledge transfer to L&I Users to ensure familiarity with all systems, processes and activities so they may troubleshoot any issues that may arise.

Contractors must supply all supporting documentation in accordance with Access Control for Non-Commonwealth Users Procedures.

Contractor accounts with elevated privileges will be reviewed annually.

5. Responsibilities

1. L&I User responsibilities:
   
   • Comply with all security policies, management directives and laws.
   • Report any violations of policies promptly to LI, OIT-DLICISO.
2. L&I management responsibilities:
   • Comply with all L&I policies and ensure employees comply with the policies.
   • Adhere to Access Control for Non-Commonwealth User Procedures.

6. References

7. Version Control