What mechanisms are used to authenticate and authorize users of Movere?
Movere users can only access web content. Access is enabled via a unique username/password/security code combination, which is stored securely. All passwords are hashed using PBKDF2.
What mechanisms are used to authenticate and authorize administrators to information assets (e.g. network, server, application, database, web content, etc.)?
All administrators log in using two-factor authentication: a certificate (RSA2048) as well as their unique user/password combination.
What mechanisms are used to authenticate and authorize remote access?
Access to Azure is granted by Point-to-Site VPN, which is governed by certificates. Each user is granted their own certificate. In addition, users require a user/password combination, which gives them access to a jump server. We turn off RDP on all production servers.
What methods are utilized for granting access and reviewing access?
Access to production is only granted to administrators who perform maintenance. We use Active Directory for authentication. Access is reviewed on a monthly basis.
What process is used to control and monitor the use of privileged/administrative accounts and their passwords (e.g. network, server, application, database, web content, remote access, etc.)?
All administrator accounts are handled by Active Directory. Passwords need to be 8 characters long, and after 3 missed password attempts the account is locked out for 30 minutes. Access is monitored and failed login attempts are logged. All logs are kept for 6 months.
What password and authentication policies, standards, etc. (include minimum length, lockout, complexity, timeout period, password history, etc.) have been implemented?
For web users the minimum password length is 8 characters. The password must include a symbol, a number, and both a lower and an upper case character. After 3 unsuccessful login attempts the user's account will be locked for 30 minutes. Administrators cannot change a user's password, but they can force the user to reset their password at the next login. Users can also reset their own password from the Movere website. In both cases the user will be sent an SMS message and will be required to enter the new 7-digit code to complete the password reset.
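
The web-user controls described in the answers above (complexity rule, PBKDF2 storage, 3-attempt/30-minute lockout), as an added example that is not Movere's own code. The iteration count, HMAC-SHA256, treating "symbol" as ASCII punctuation, resetting the failure counter on success, passing the clock in as `now` (a Unix timestamp), and the `Account`, `policy_violations` and `hash_password` names are all assumptions.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8                # from the policy above
MAX_FAILURES = 3              # from the policy above
LOCKOUT_SECONDS = 30 * 60     # from the policy above
PBKDF2_ITERATIONS = 600_000   # assumption: the page gives no iteration count

def policy_violations(password):
    """Return the policy rules the password fails (empty list = acceptable)."""
    checks = {
        "at least 8 characters": len(password) >= MIN_LENGTH,
        "a lower case character": any(c.islower() for c in password),
        "an upper case character": any(c.isupper() for c in password),
        "a number": any(c.isdigit() for c in password),
        # assumption: "symbol" means ASCII punctuation
        "a symbol": any(c in string.punctuation for c in password),
    }
    return [rule for rule, ok in checks.items() if not ok]

def hash_password(password, salt=None):
    """PBKDF2 with a per-user random salt; HMAC-SHA256 is an assumption."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

class Account:
    def __init__(self, password):
        missing = policy_violations(password)
        if missing:
            raise ValueError("password needs: " + ", ".join(missing))
        self.salt, self.digest = hash_password(password)
        self.failures = 0
        self.locked_until = 0.0

    def login(self, password, now):
        if now < self.locked_until:
            return "locked"   # refuse without evaluating the password
        _, candidate = hash_password(password, self.salt)
        if hmac.compare_digest(candidate, self.digest):  # constant-time compare
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
            return "locked"
        return "failed"
```

While the account is locked, even the correct password is refused, so a guess made during the lockout window reveals nothing about the password.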