Defines access control for information systems across every stage of the user access lifecycle. Key points include: individual unique logins, two-factor authentication (Duo), the least privilege principle, account lockout after 5 failed attempts, documentation of privileged accounts, and quarterly audits of access control logs.
LeadsOnline maintains a data retention policy governing how long different types of data are retained in accordance with legal and regulatory requirements.
Password requirements: a minimum of 10 alphanumeric characters, including at least one uppercase letter, one lowercase letter, one number, and one special character. A password cannot be the same as any of the last 10 passwords. Passwords must be stored using a password manager.
Establishes rules for granting, controlling, monitoring, and removing physical access to facilities, property, and equipment. Key requirements include: compliance with building codes, clearly marked restricted areas, manager approval for access, security team approval for sensitive facilities, and quarterly access reviews.
Establishes a systematic approach to identifying, evaluating, and addressing vulnerabilities. Includes regular scans, risk assessment, remediation, notification, patch management, third-party software assessment every two weeks, and periodic review and reporting.