ACCESS AUTHORIZATION

5.11

Computer systems are subject to the same access authorization policies.

Since applications run on the server, all client systems can be consistent.

5.12

Access control policy must address local and remote access.

Dual Password system authenticates all users.

5.13

A policy and process must be in place for revoking authorization.

Administrators have full access control.

ACCESS MODIFICATION

5.18

There must be policies and procedures in place for access modification of job status.

Administrators can change access control to applications.

5.18.1

There must be policies and procedures in place for access modification of job transfers.

Administrators can change access control to applications based on Groups and Organizational Units.

5.18.2

There must be policies and procedures in place for access modification of job termination.

Administrators can delete users from the system in seconds.

5.18.3

There must be policies and procedures in place for access modification of other job changes.

Administrators can change access control to applications based on Groups, Organizational Units, and Users.

Security information management

8.1.2

A change control methodology for software is required.

Administrators have control over software applications from the server.

8.12

There needs to be policies and procedures for tracking acquisition of software.

Software licenses can be managed/audited by the administrator.

Audit  Control

20.4.2

Assigning and changing of privileges must be audited.

Administrators can view who has access to applications, as well as who has been using applications. Administrators can recognize privilege assignment and modification, software addition, and application access.

20.4.3

Installation, maintenance, and changing of software must be audited.

Administrators can recognize privilege assignment and modification, software addition, and application access.

20.4.7

Individual user access to protected health information must be audited.

Administrators can recognize privilege assignment and modification, software addition, and application access.

20.6

Log Data must be available over time.

This audit log is available until the administrator purges information.

20.7

Log Data must be available until no longer necessary.

This audit log is available until the administrator purges information.

20.8

Appropriate personnel must have access to log data.

Only administrators have access to the logged data.

Entity authentication

23.1.1

The system should have an automatic logoff feature.

ATEC CSM has an automatic Logoff feature.

23.1.2

Users should have a unique ID.

Each user is a unique user.

23.1.4

Users should have a password.

Each user has 2 passwords.

23.7

Authentication must also apply to contractors.

Each user has 2 passwords.

23.8

Passwords should be changed periodically.

Users can have their passwords set to expire.

Communications and network controls

24.1.3.1

Sensitive data should be protected whether it is inside or outside the network.

Administrators can: encrypt all sensitive data, encrypt the Terminal Server protocol using the Microsoft RDP encryption, encrypt the local file and print redirection using the encryption algorithm, and encrypt access control via the Web browser using SSL.

24.1.3.2

All sensitive data should be encrypted.

Administrators can: encrypt all sensitive data, encrypt the Terminal Server protocol using the Microsoft RDP encryption, encrypt the local file and print redirection using the encryption algorithm, and encrypt access control via the Web browser using SSL.

24.2.2

An Audit trail needs to be available.

Administrators can recognize privilege assignment and modification, software addition, and application access.

24.2.3

There must be a way to irrefutably identify authorized users.

User IDs are unique, password protected, and authenticated by the domain.