Highlights of IS.003 Access Management Standard
The IS.003 Access Management Standard sets policy standards for implementing user access management, network access control and system authentication control in order to protect Commonwealth of Massachusetts information assets and network services.
- This standard defines the requirements for protecting the Commonwealth’s information assets throughout their life cycle, from the original request for access to the revocation of privileges, including:
  - User access management to verify authorized user access to information assets
  - User password management to control allocation of account passwords
  - User responsibilities to prevent unauthorized access and compromise of information assets
  - Network access control to verify the security of network services and information assets
  - System authentication control to verify authorized access to information assets
  - Provisioning of contractors’ access to information assets through a formal management process
See the Enterprise Information Security Standards Self-Assessment Questionnaire [Excel] that can be used to track compliance with implementing these internal controls. Departments should expect to be audited on compliance with these internal controls.
The Executive Office of Technology Services and Security (EOTSS) publishes Enterprise Information Security Policies and Standards which must be included in a Department’s Internal Control Plan, implemented, tested, and included in staff training. These standards apply to all Executive Department offices and agencies and are the default standard for non-Executive departments.