Ensuring the security of ministry technology resources and data holdings is critical. User access is controlled through appropriate account management. It is critical to have strict controls in place for creating and managing accounts.
- All users are assigned either a unique user ID and password or a two-factor token (when two-factor authentication is used). It is important that users do not reveal or share their passwords and tokens with others.
- Implement a strong password standard by identifying the minimum number of characters and the character complexity (upper- and lower-case letters, numbers and special characters) allowed for passwords. Note: this may already be controlled through your application.
- Passwords, passphrases and passcodes that are transmitted electronically to users must be communicated securely and separately from the user ID.
- A user's role will determine the level of access they have to electronic health information. Access will reflect the user's "need to know", providing the least privilege necessary based on their job function.
All accounts that have been inactive for 90 days or more must be removed or disabled to prohibit login to the system.