FUJ00243144 - FUJ Privileged Account Policy by Steven Browell, version 4.0

FUJ00243144
POA Privileged Account Policy
FUJITSU RESTRICTED (COMMERCIAL IN CONFIDENCE)
Document Title: POA Privileged Account Policy
Document Reference: SVM/SEC/POL/4538
CP/CWO Reference: N/A
Abstract: POA Privileged Account Policy covering Master & Sub-Master and Password Policy rules applicable to all privileged accounts.
Document Status: APPROVED
Author & Dept: Steven Browell, Management Consultant & CISO
External Distribution: None
Information Classification: See section 0.9
Approval Authorities: See Dimensions for record

© Copyright Fujitsu 2024 FUJITSU RESTRICTED (COMMERCIAL IN CONFIDENCE)
Ref: SVM/SEC/POL/4538 Version: 4.0 Date: 23-May-2024
UNCONTROLLED WHEN PRINTED OR STORED OUTSIDE DIMENSIONS
Page No: 1 of 22

0 Document Control
0.1 Table of Contents

0 DOCUMENT CONTROL
0.1 Table of Contents
0.2 Document History
0.3 Review Details
0.4 Associated Documents (Internal & External)
0.5 Abbreviations
0.6 Glossary
0.7 Changes
0.8 Accuracy
0.9 Information Classification
1 INTRODUCTION
2 MASTER POLICY (INFORMATION ONLY)
3 SUB-MASTER POLICY
3.1 Sub-Master Policy Rules
4 PASSWORD POLICY
4.1 Password Policy Rules
4.2 MSAD Account Password Policy
4.3 Account Ownership 12
4.4 Account Lifecycle 12
4.5 Guidance on Selecting Strong Passwords
4.5.1 Risks with weak Passwords
4.5.2 Selecting a Secure Password
4.5.3 Difficulties selecting a Secure Password
4.5.4 Things to Avoid as Passwords
5 PASSWORD HANDLING AND PROTECTION
5.1 MSAD Accounts
5.1.1 Initial Password Allocation
5.1.2 Password Resets
5.2 Storage of Privileged Passwords
5.3 Network Transmission
5.4 Built-in Administrator Accounts
5.5 Oracle Privileged Access Management
5.6 Changing Passwords for Centrally Managed Accounts
5.7 SecOps Managed Privileged Account Release Policy
5.8 Password Management Requirements
5.9 Protecting Passwords
5.10 TESQA Accounts
5.11 iKey Exemptions
5.11.1 Emergency iKey Exemption Process
6.1 Service Account creation
6.2 Service Account password expiry
6.3 Requesting a Service Account password change
6.4 Deleting/Disabling a Service Account
APPENDIX A — MASTER POLICY RULES (INFORMATION ONLY)
A.1 Master Policy Rules
APPENDIX B — ORACLE PRIVILEGED ACCESS MANAGEMENT WAYS OF WORKING 21
B.1 Standard Operating Procedure (SOP)
B.2 Exceptional access to Oracle user account 21
B.3 Access examples 21
B.3.1 SOP access examples 21
B.3.2 Exceptional access examples 22
B.3.3 Not permitted examples
B.4 sudoers modification

TABLES
Table 1 — Sub-Master Policy Rules
Table 2 — Password Policy Rules
Table 3 — MSAD Account Password Policy
Table 4 — Account Policies/Account Lockout Policy
Table 5 — Account Policies/Kerberos Policy
Table 6 — Interactive Logon
Table 7 — SecOps Managed Privileged Account Release Policy
Table 8 — Master Policy Rules


0.2 Document History

Only integer versions are authorised for development.

Version No. | Date | Summary of Changes and Reason for Issue | Associated Change (CWO, CP, CCN or PEAK Reference)
0.1 | 14-JUL-2022 | First version in POA template | Include if known
0.2 | 20-JUL-2022 | Final draft for approval |
0.3 | 27-JUL-2022 | Final version for approval including feedback comments |
1.0 | 28-JUL-2022 | Approved version |
1.1 | 10-MAR-2023 | Correct incorrect reference to 90 days instead of 30. Remove unclear term "User Service Account". Correct wording that set password length to be "exactly" instead of "at least". Added Appendix with Oracle user instructions. Clarified password rotation of SecOps managed accounts. |
1.2 | 15-MAR-2023 | Updates based on reviewer feedback |
1.3 | 22-MAR-2023 | Further updates based on reviewer feedback |
2.0 | 23-Mar-2023 | Approval version |
2.1 | 30-NOV-2023 | Amendment to section 4.1 to simplify PP01, retire PP02-PP06, and set PP08-09 to Recommended. Added instructions on how to use LastPass to comply with policy. Various grammar amendments and pagination changes. Added DEV/APP/LLD/0028 to list of referenced documents |
2.2 | 11-Jan-2024 | Revisions following review. |
3.0 | 16-Jan-2024 | Approval version |
3.1 | 10-Apr-2024 | Update to rules on password resets. Addition of sections on TESQA and iKey Exemptions. Suspension of SMP12 and SMP13. Removed optional reviewers |
3.2 | 14-May-2024 | Updates following review comments |
4.0 | 23-May-2024 | Approval version |

0.3 Review Details

Review Comments by:
Review Comments to: POA Document Management

Role | Name
POA Security Governance Manager | Chris Stevens
POA Security Operations Manager | Farzin Denbali
POA Security Architect | Dave Haywood; Davinder Jandu

Optional Review

Role | Name

(*) = Reviewers that returned comments.


Issued for Information — Please restrict this distribution list to a minimum

Position/Role | Name

0.4 Associated Documents (Internal & External)

References should normally refer to the latest approved version in Dimensions; only refer to a
specific version if necessary.

Reference | Version | Date | Title | Source
PGM/DCM/TEM/0001 (DO NOT REMOVE) | See note above | See note above | POA Generic Document Template | Dimensions
PGM/DCM/ION/0001 (DO NOT REMOVE) | | | POA Document Reviewers/Approvers Role Matrix | Dimensions
Ask Security | Latest | | Europe Security Master Policy | Ask Security
Ask Security | Latest | | Europe Security Policy Manual | Ask Security
Ask Security | Latest | | Security Toolkit - Systems Access and Passwords | Ask Security
SVM/SEC/PRO/4537 | Latest | | POA Privileged Account Release Procedure | Dimensions
DEV/APP/LLD/0028 | Latest | | Active Directory Low Level Design for HNG-X | Dimensions

0.5 Abbreviations

AD | Active Directory
CIS | Center for Internet Security
ECS | Enterprise and Cyber Security
EBMS | Europe Business Management System
JML | Joiner Mover Leaver
PAM | Privileged Access Management
POA | Post Office Account
SPM | Security Policy Management
SMP | Security Master Policy

0.6 Glossary

Term Definition

Alphabetical order please

0.7 Changes Expected


0.8 Accuracy
Fujitsu Services endeavours to ensure that the information contained in this document is correct but, while every effort is made to ensure the accuracy of such information, it accepts no liability for any loss (however caused) sustained as a result of any error or omission in the same.

0.9 Information Classification

The author has assessed the information in this document for risk of disclosure and has assigned an information
classification of FUJITSU RESTRICTED (COMMERCIAL IN CONFIDENCE).


1 Introduction

A privileged account has additional abilities to a "standard" user account. Privileged accounts may be
machine accounts or accounts allocated to individual development or support staff. Privileges may
include access rights to operating systems or to application software and databases.

System privileges and levels of access required to perform management functions are higher than those
assigned to standard users. Therefore, the allocation and use of privileges is restricted and controlled,
and the principle of least privilege is used. The principle of least privilege refers to the concept and
practice of restricting access rights to only those resources required to perform the authorised activities.
Individuals should not be granted unnecessary privileges.

The purpose of this Privileged Account Policy is to set a standard for creating, protecting, and managing
all privileged accounts within Post Office Account (POA).

The privileged account types on the POA are as follows:
• Personal Privileged — Individual privileged accounts
• Shared Privileged — Privileged account used by more than one individual
• Local Administrator — Local host admin access accounts
• Domain Administrator — Domain admin access accounts
• Database Administrator — Database admin accounts
• Network Administrator — Network admin accounts
• Application Administrator — Admin accounts for specific applications or appliances
• Built-in Administrator — Vendor default admin accounts that must be retained
• Service Accounts — Local or domain non-interactive system accounts (including MSAD Service Accounts)

Note: Some accounts may meet the definition of more than one type, e.g. a Built-in Administrator account that is also Shared Privileged as it is needed by a team that manage the applicable system.

The Master Policy rules set a vision for POA. If POA deployed Privileged Access Management (PAM)
toolsets, then these rules would be integral to that solution. POA does not have such a toolset, so some
of the Master Policy rules are challenging, or impractical to achieve. Every effort must be made when
changes are implemented in any parts of the solutions on POA to move towards compliance with the
Master Policy. Compliance with the Master Policy is considered highly desirable for all privileged
accounts in use on POA.

The Sub-Master Policy rules, however, are deemed to be achievable within the POA solutions deployed
despite the absence of PAM toolsets. Although they may incur additional manual processes they should
be operated and complied with. Complying with the Sub-Master Policy is mandatory on POA and ensures
a significant alignment with the Master Policy.

The Password Policy is referred to in both the Master and Sub-Master Policies and compliance is
considered mandatory for all privileged accounts within POA.

POA SecOps maintain a Privileged Account Register of all privileged accounts which includes their
compliance to the Master Policy, Sub-Master Policy and Password Policy. Exceptions are recorded on
the Privileged Account Register along with the reason for non-compliance. This allows POA SecOps to
decide if it is necessary to challenge the non-compliance or accept the reason as appropriate and thereby
agree to the exception to compliance.


2 Master Policy (information only)

The Master Policy rules set a vision for POA. If POA deployed Privileged Access Management (PAM)
toolsets, then these rules would be integral to that solution. POA does not have such a toolset, so some
of the Master Policy rules are challenging, or impractical to achieve. Every effort must be made when
changes are implemented in any parts of the solutions on POA to move towards compliance with the
Master Policy. The Master Policy is shown in Appendix A for reference only.

3 Sub-Master Policy

The Sub-Master Policy rules are deemed to be achievable within the POA solutions deployed despite the
absence of PAM toolsets. Although they may incur additional manual processes they must be operated
and complied with. Complying with the Sub-Master Policy is mandatory on POA and ensures a significant
alignment to the Master Policy.

3.1 Sub-Master Policy Rules

The table below details the Sub-Master Policy references and associated policy rules. Items marked with
an asterisk in the Mandatory column are not applicable to Service Accounts.

All privileged accounts that are held on the POA SecOps Register record the compliance to these policy
references.

Reference | Sub-Master Policy Rule | Mandatory
SMP01 | The privileged account has a clearly stated named owner | Yes
SMP02 | The privileged account owner must ensure the password complies with the Password Policy rules | Yes
SMP03 | Privileged accounts must be created, changed, and disabled following the POA JML processes | Yes
SMP04 | All privileged accounts must have their access clearly defined within the POA JML forms so that access levels are documented | Yes
SMP05 | Shared privileged accounts must be stated on the POA JML forms so that users requiring access to use them can be recorded centrally | Yes
SMP06 | All privileged accounts must be recorded on the POA SecOps Privileged Account Register, so they are centrally recorded and subject to the POA SecOps periodic verification processes | Yes
SMP07 | The privileged account, if a Service Account, must not permit human interactive logon | Yes
SMP08 | Privileged account owners must respond to verification process checks every 90 days - and failure to respond within the designated time stated on the verification will mean that the privileged account will be disabled or will have its access removed | Yes
SMP09 | Privileged accounts that are used less than once a week are to be handed over to POA SecOps for central ownership and management under the Privileged Account Release Procedure | Yes*
SMP10 | Superseded by SMP11. Ignore |
SMP11 | Changes made to the Live system using a privileged account must be documented under Change Control, be part of a defined service obligation, or be documented by a formally operated process such as APPSUP | Yes

SMP13 | [struck through in the source; suspended, see note below] … the actions being performed must, where possible, be logged to a local system that is also stored centrally and also stored in the Audit Archive | No

SMP14 | The owner of privileged accounts that are shared must always record who has access to use the privileged account (it must be provided to POA SecOps when requested) | Yes
SMP15 | The owner of privileged accounts that are shared must maintain records of who has used the accounts and when it was used (it must be provided to POA SecOps when requested) | Yes
SMP16 | Privileged account credentials must be securely stored (e.g. in a Password Manager/encrypted file) or not stored at all | Yes
SMP17 | Privileged accounts must require the use of Multi-Factor Authentication | Yes*

Table 1 — Sub-Master Policy Rules

April 2024 — SMP12 and SMP13 have been suspended due to operational impracticalities to achieve in
the absence of tooling.

4 Password Policy

The Password Policy is referred to in both the Master and Sub-Master Policies and compliance is
mandatory for all privileged accounts in use on POA.

4.1 Password Policy Rules

The table below details the Password Policy references and associated policy rules.

All privileged accounts that are held on the POA SecOps Register record the compliance to these policy references.

Reference | Mandatory
PP01 | Yes, see Note 1
PP07 | [not legible in source]
PP08 | Recommended
PP09 | Recommended
(The rule text column of this table is not legible in the scanned source.)
Table 2 — Password Policy Rules

Note 1 - The corporate password generating tool (LastPass), which is deployed to all corporate laptops, provides a Generator that can be used to create strong passwords. To generate a strong password, open your browser and select the LastPass icon near the navigation bar, or from the drop-down list of extensions select the "LastPass: Free Password Manager" entry. This presents a screen with a Generator option at the bottom.

When the password appears, compare it to the PP01 rules above. If the password is compliant, you can copy it and use it. If it is not compliant, click on refresh and check the updated password shown.

You can also store the password in your LastPass Vault.

Whilst it is acknowledged that current advice for human passwords is that they are not rotated regularly (i.e. do not expire), that they do not have these types of complexity rules, and that longer passwords are more secure than complex passwords and more importantly are easier to remember, there are constraints within the POA deployed solutions that would make this difficult to deploy unilaterally.

See https://pages.nist.gov/800-63-3/sp800-63b.html#appA for additional information.
It is recommended, particularly for human accounts, that long passwords are used.


4.2 MSAD Account Password Policy

POA Password Policy is managed by POA SecOps and the following minimum criteria, extracted from DEV/APP/LLD/0028 Section 13 Group Policy, should be followed where the system allows:

Setting | Value
Enforce password history | IRRELEVANT
Maximum password age [1] | IRRELEVANT
Minimum password age [2] | IRRELEVANT
Minimum password length | IRRELEVANT
Password must meet complexity requirements | IRRELEVANT
Store passwords using reversible encryption | IRRELEVANT
Table 3 - MSAD Account Password Policy

[1] Maximum password age and expiration notification: Maximum password age must always be higher than minimum password age unless it is set to 0 (password never expires).

[2] Minimum password age: To avoid potential password sync conflicts and prevent users from bypassing the password history policy.

Password expiration: Due to Service continuity reasons Service Accounts passwords are set to never expire.

Account Policies/Account Lockout Policy

Setting | Value
Account lockout duration | IRRELEVANT
Account lockout threshold | IRRELEVANT
Reset account lockout counter after | IRRELEVANT
Table 4 — Account Policies/Account Lockout Policy

Account Policies/Kerberos Policy

Setting | Value
Enforce user logon restrictions | IRRELEVANT
Maximum lifetime for service ticket | IRRELEVANT
Maximum lifetime for user ticket | IRRELEVANT
Maximum lifetime for user ticket renewal | IRRELEVANT
Maximum tolerance for computer clock synchronization | IRRELEVANT
Table 5 — Account Policies/Kerberos Policy

Interactive Logon

Setting | Value
Interactive logon: Prompt user to change password before expiration | IRRELEVANT
Table 6 — Interactive Logon

4.3 Account Ownership

Where possible, privileged accounts must be centrally managed by POA SecOps. Centralising
management of such credentials is a step forward to limit the potential for misuse of privileged accounts.
This should include accounts that do not comply with Sub-Master Policy rule 9 (SMP09). Access to these
centrally managed accounts will then follow the POA Privileged Account Release Procedure
(SVM/SDM/PRO/4537).

4.4 Account Lifecycle

Privileged accounts must be created and disabled through the Joiners, Movers and Leavers (JML)
process for POA. All account requests must follow the POA JML process.

4.5 Guidance on Selecting Strong Passwords

4.5.1 Risks with weak Passwords

If someone else obtains your passwords, they may use your account to perform actions or to commit
crimes and all transactions they perform will be performed in your name. If it cannot be proven that
anyone else was using your account, or it is proven that you failed to adequately protect your password,
you may be held accountable for all actions performed using your account and for any damage caused
by that use.

The longer and more complex a password, the safer it is against hacking attacks. However, it is also
more difficult to remember, especially when it must be changed frequently. Choosing a secure password
which can be remembered easily is therefore challenging.

4.5.2 Selecting a Secure Password

Selecting a secure password is important. The password is used by the computer to verify the user, so
pick a password that cannot be guessed by others.

Cyber criminals use sophisticated tools and common password databases that can rapidly decipher
passwords. The top reasons people gain unauthorised access to a password protected system are:

• They guessed someone's password (often because they found it on a piece of paper next to the victim's computer).
• They saw the person type the password in.
• They use software programs that are very good at guessing common passwords.
• The password was intercepted between the user and the application due to lack of encryption at the network layer.

The following guidelines should guard against someone finding out your password and using your account without your permission:

• Make your password as long as possible. The longer it is, the more difficult it will be to attack the password with a brute-force search. Fujitsu application and system support for minimum and maximum password lengths varies and may constrain the password that may be set. For privileged account passwords POA mandates a 16 character minimum length.
• Use as many different characters as possible when forming your password. Use numbers, punctuation characters and mixed upper and lower-case letters. Choosing characters from the largest possible alphabet will make your password more secure by requiring more effort by someone to guess it correctly.
• Do not use personal information in your password that someone else is likely to be able to figure out. Things like your name, phone number, and address are to be avoided. Even names of acquaintances, pets, sports teams, hobbies and family names should not be used.
• Do not use words, geographical names, or biographical names that are listed in standard dictionaries.
• Never use a password that is the same as your account number.
• Do not use passwords that are easy to spot while you're typing them in. Passwords like 12345, qwerty (i.e., all keys right next to each other), or nnnnnn should be avoided.

4.5.3 Difficulties selecting a Secure Password
If you are having difficulty picking a good password, some good methods include:

• Use a long phrase you can easily remember and apply different capitalisation and special characters. Some examples:
  o "Paris is my kind of place to eat cheese" could be "Paris-is.my-kind.of-place.to-eat.cheese"
  o "My computer is 5 years old and slow" could be "MY ComputeR IS FivE YearS OlD AnD Slow"
• Use the first letter of each word in a phrase you can easily remember. Some examples:
  o "Paris is my kind of place to eat cheese" would be "Pimkop2ec"
  o "My computer is 5 years old and slow" would be "Mci5yo&s"
  o "I am 28 and Madonna is a star" would be "Ia28&Mia*"
• Use a phrase instead of a word:
  o Todayis32degrees!
  o Coffee&twobiscuits4me
• Join two (or more) completely unrelated words with symbols:
  o Yellow%thoughtful
  o teabags$$Advocate
  o airline*(punctual)

4.5.4 Things to Avoid as Passwords
Here are some guidelines of what not to include in your password:

• Names, including any part of your name, your spouse's name, your parent's or children's name, your pet's name
• Names of your boss, close friends or co-workers, or favourite fantasy characters
• The name of the operating system you're using, or the hostname of your computer
• Other information that is easily obtained about you, including phone numbers, birth dates, car licence plates etc.
• Words such as wizard, guru, Gandalf etc. — although this is ok if combined with many other words to create a longer phrase
• Any username on the computer in any form (as is, capitalised, etc.)
• A dictionary word, in any language - although this is ok if combined with many other words to create a longer phrase
• A place name - although this is ok if combined with many other words to create a longer phrase
• Passwords of all the same letter (typically prevented by system policy)
• Simple patterns on the keyboard, like qwerty (typically prevented by system policy)
• Any of the above spelled backwards (typically prevented by system policy)
• Any of the above followed or pre-pended by a single digit
• Avoid simple things like words spelled backwards, or common substitutions like '3' for 'e' etc.
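The checks in sections 4.5.2 to 4.5.4 can be applied mechanically before a privileged password is accepted. The following is an added example, not part of the POA policy or any Fujitsu tooling: it enforces the 16-character minimum the policy states, counts character classes, and rejects the forms the guidance names (keyboard runs, a single repeated character, usernames or personal details in any form including reversed or with a single digit, lone dictionary or fantasy words, and common substitutions such as '3' for 'e'). The block list, keyboard rows and sample usernames are constructed for illustration; a real deployment would load a proper word list.

```python
"""Password-selection checks from section 4.5 of the policy, as an added
example (not part of the POA document). MIN_LENGTH is the 16-character
minimum the policy states for privileged accounts; the block list, keyboard
rows and sample usernames are constructed for illustration."""
import re
import string

MIN_LENGTH = 16

# Constructed stand-ins for the words the policy says to avoid on their own
# (dictionary words, place names, fantasy names, product names).
BLOCKLIST = {"wizard", "guru", "gandalf", "paris", "london", "password",
             "fujitsu", "oracle", "admin"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Common substitutions the policy warns about ('3' for 'e' etc.).
LEETMAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                         "7": "t", "@": "a", "$": "s", "!": "i"})


def _variants(word):
    """Forms the policy still treats as weak: as-is, reversed, and either of
    those with a single digit prepended or appended."""
    base = {word, word[::-1]}
    digits = {w + d for w in base for d in string.digits}
    digits |= {d + w for w in base for d in string.digits}
    return base | digits


def _normalise(pw):
    """Lower-case and undo common substitutions so 'P@r1s' compares as 'paris'."""
    return pw.lower().translate(LEETMAP)


def _keyboard_run(text, length=4):
    """True if `length` adjacent keys of one keyboard row, in either
    direction, occur in `text` (e.g. 'qwer', '4321')."""
    for row in KEYBOARD_ROWS:
        for r in (row, row[::-1]):
            if any(r[i:i + length] in text for i in range(len(r) - length + 1)):
                return True
    return False


def check_password(pw, username="", personal=()):
    """Return the list of policy points the password fails (empty = none hit).
    `personal` holds names, dates or numbers the user supplies about themselves."""
    findings = []
    lower, norm = pw.lower(), _normalise(pw)
    core = re.sub(r"[^a-z0-9]", "", norm)          # letters and digits only

    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        findings.append("uses fewer than three character classes")
    if len(set(pw)) == 1:
        findings.append("all the same character")
    # Check both the raw and the de-substituted form: catches 'qw3rty' and '12345'.
    if _keyboard_run(lower) or _keyboard_run(norm):
        findings.append("contains a keyboard pattern")
    # Usernames and personal details are weak in any form, even inside a phrase.
    for item in (username, *personal):
        item = item.lower()
        if item and any(v in norm for v in _variants(item)):
            findings.append(f"contains personal detail '{item}'")
    # A lone dictionary/fantasy word (reversed or with one digit) is weak on its
    # own; the policy allows such words inside a longer multi-word phrase.
    for word in sorted(BLOCKLIST):
        if core in _variants(word):
            findings.append(f"is the blocked word '{word}'")
    return findings


if __name__ == "__main__":
    for candidate in ("qwerty123", "Gandalf9", "Paris-is.my-kind.of-place.to-eat.cheese"):
        print(candidate, "->", check_password(candidate) or "ok")
```

The policy's own passphrase example passes every check, while the short keyboard and single-word candidates fail on several points at once; the checker reports all of them rather than stopping at the first so the user sees what to change.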

5 Password Handling and Protection
5.1 MSAD Accounts

5.1.1 Initial Password Allocation

The following requirements are to be met when creating or supplying a password to a user for the first
time or after a password has been reset:

• Users must be provided initially with a secure temporary password which they are required to change at first login.
• Temporary passwords provided to a user must be unique (i.e. not the same password supplied to every user).
• Temporary passwords must meet the password complexity requirements in the previous section.
• Temporary passwords must be provided to users in a secure manner. The use of third parties or unprotected (clear text) messages is to be avoided.

5.1.2 Password Resets

When a user requests their password to be reset:
• Support staff are required to validate the identity of the user.
• Users should be provided initially with a secure temporary password, which they are required to change at first login.
• Where phone calls to help desk agents are involved, identification of the user is mandatory, for example by use of the user's UK personnel number.
• Where the user account is a privileged account, a TfSNow ticket must be raised to record the request and action taken.
5.2 Storage of Privileged Passwords

Passwords for any privileged account must be stored in a Fujitsu approved secure storage system or not stored at all (MP15 / SMP16).

Access controls within the password storage system are to be implemented in a manner which ensures
access to passwords is only possible to defined personnel for legitimate business reasons.

5.3 Network Transmission


The password protecting data that has been shared should not be transmitted via the same medium as the data: it is much more difficult for an adversary to combine data from two sources (e.g. Teams and Email) to decrypt the data.

Using public key cryptography (e.g. gpg, pgp) removes the secure key exchange problem for symmetric keys. The first recommendation should be to use asymmetric keys if possible, followed by the secure exchange of symmetric keys if asymmetric is not possible.

5.4 Built-in Administrator Accounts

Built-in Administrator accounts should be disabled and POA defined accounts should be setup instead
wherever possible.

Default vendor passwords for Built-in Administrator accounts must be changed during the installation of
applications, systems and network devices wherever possible.

Built-in Administrator accounts must be handed over to POA SecOps for central ownership and
management under the Privileged Account Release Procedure wherever possible.

5.5 Oracle Privileged Access Management
To enhance auditability, POA Oracle users are required to work as described in Appendix B.

Auditing relies on the UNIX /var/log/secure syslog file and the Oracle audit. Sudo commands are logged to /var/log/secure and Oracle commands are logged to the audit destination as defined by the Oracle database audit parameter audit_file_dest.

Users accessing Oracle from their own user account without escalating to SYSDBA are logged in the SYS.AUD$ table as their user id. Users accessing Oracle via sudo using another account (oracle or grid for example) have their session logged as the target account. In this instance a combined review of the /var/log/audit and Oracle audit is required to correlate user activity.

Refer to Appendix B for further policy information.
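The combined review described above can be scripted. The following is an added example, not part of the policy or of the POA procedures it references: it parses sudo command records in the standard syslog layout sudo writes to /var/log/secure, then attributes each Oracle audit record made as a shared OS account (oracle or grid) to the person who most recently escalated to that account on the same host within a time window. Records that no escalation explains are surfaced for manual follow-up, which is the review gap the policy's correlation requirement exists to close. The log lines, the simplified Oracle audit export (a real SYS.AUD$ row carries a different column set), the host and user names and the two-hour window are all constructed assumptions for this example.

```python
"""Correlating sudo escalations in /var/log/secure with Oracle audit records,
as an added example (not from the POA policy or its procedures). The syslog
lines use sudo's standard syslog layout; the Oracle records are a simplified,
constructed export rather than the raw SYS.AUD$ column set. Host names, users
and the two-hour attribution window are assumptions for this example."""
import re
from datetime import datetime, timedelta

YEAR = 2024  # syslog lines carry no year; assumed for the constructed sample
SHARED_ACCOUNTS = ("oracle", "grid")  # OS accounts reached via sudo

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Constructed sample of /var/log/secure (the pam_unix line is deliberately
# not a command record and must be skipped by the parser).
SECURE_LOG = """\
Apr 10 09:14:02 dbhost01 sudo:  jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=oracle ; COMMAND=/bin/bash
Apr 10 09:40:11 dbhost01 sudo:  adoe : TTY=pts/1 ; PWD=/home/adoe ; USER=grid ; COMMAND=/bin/su -
Apr 10 13:02:45 dbhost01 sudo: pam_unix(sudo:session): session opened for user root by jsmith(uid=0)
Apr 10 13:05:19 dbhost01 sudo:  jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=oracle ; COMMAND=/bin/bash
"""

# Constructed Oracle audit export: (timestamp, host, os_username, db_username, action).
ORACLE_AUDIT = [
    ("2024-04-10 09:20:30", "dbhost01", "oracle", "SYS", "ALTER USER"),
    ("2024-04-10 10:15:00", "dbhost01", "grid", "SYS", "SELECT"),
    ("2024-04-10 11:55:00", "dbhost01", "oracle", "SYS", "GRANT"),
    ("2024-04-10 13:10:00", "dbhost01", "oracle", "SYS", "DROP TABLE"),
    ("2024-04-10 14:00:00", "dbhost01", "jsmith", "JSMITH", "SELECT"),
]


def parse_sudo(log_text, year=YEAR):
    """Extract sudo command records (who escalated to which account, when, where)."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue  # session open/close and other non-command lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"when": ts, "host": m["host"], "user": m["user"],
                       "target": m["target"], "cmd": m["cmd"]})
    return events


def attribute_activity(audit, sudo_events, shared=SHARED_ACCOUNTS,
                       window=timedelta(hours=2)):
    """Name the person each Oracle audit record is attributed to.
    Activity under a personal OS account is attributed to that account. Activity
    under a shared account is attributed to the most recent sudo escalation to
    that account on the same host within `window`; None means no escalation
    explains it and the record needs manual follow-up."""
    results = []
    for ts_text, host, os_user, db_user, action in audit:
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        if os_user not in shared:
            who = os_user
        else:
            candidates = [e for e in sudo_events
                          if e["host"] == host and e["target"] == os_user
                          and e["when"] <= ts and ts - e["when"] <= window]
            who = max(candidates, key=lambda e: e["when"])["user"] if candidates else None
        results.append({"when": ts, "os_user": os_user, "db_user": db_user,
                        "action": action, "attributed_to": who})
    return results


def unattributed(results):
    """Records made as a shared account with no matching sudo escalation."""
    return [r for r in results if r["attributed_to"] is None]


if __name__ == "__main__":
    rows = attribute_activity(ORACLE_AUDIT, parse_sudo(SECURE_LOG))
    for r in rows:
        print(r["when"], r["os_user"], r["action"], "->", r["attributed_to"] or "UNATTRIBUTED")
```

In the constructed sample the 11:55 GRANT as oracle falls outside the window of any escalation and is reported as unattributed; in a real review that is the record to chase, because an action as a shared account that no sudo entry explains is exactly what the combined review is meant to detect.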

5.6 Changing Passwords for Centrally Managed Accounts

For privileged accounts managed by SecOps, PP08 (30-day password rotation) does not apply as the passwords are rotated on each use as per the POA Privileged Account Release Procedure [SVM/SEC/PRO/4537].

Rotation of the password is dependent on access levels. POA SecOps will use one of the following methods to securely rotate passwords.

• Where POA SecOps can access the infrastructure/applications/devices, they will rotate the password themselves in a controlled manner that is tracked with date/time stamp.
• Where POA SecOps do not have access, they will initiate password rotation by means of an incident ticket reference, screen share with an Individual Privileged user and a "baton pass" approach will be used where the user gives POA SecOps control of the session so they can input the new password known only to them.
• Where none of the above apply, then POA SecOps will initiate password rotation by means of an incident ticket reference, screen share with an Individual Privileged user, and then a verbal communication of the new password which will be witnessed as being typed in. There will be no written password confirmation, making it extremely unlikely that the Individual Privileged user will remember the complex password used. Any verbal communication should also ensure it has not been recorded.

Once the password is successfully rotated, this is then under the control and management of POA
SecOps.


5.7 SecOps Managed Privileged Account Release Policy

Requesting and releasing of POA SecOps centrally controlled privileged account details must follow the
POA Privileged Account Release Procedure (SVM/SDM/PRO/4537). This will ensure adherence to the
following release process rules:

RP01  Requests for privileged accounts are made via the agreed request process (e.g. TfSNow)  Yes

RP02  Requests for multiple privileged accounts are made separately and following the agreed request process (e.g. TfSNow)  Yes

RP03  Requests for privileged accounts are made with documented justifications which must include timescales over which the credentials will be needed (e.g. within the TfSNow ticket)  Yes

RP04  Requests for privileged accounts are approved by the designated authorising party(ies) as recorded in the Register. A requestor cannot self-authorise  Yes

RP05  Approvals for release of privileged accounts are documented (e.g. within the TfSNow ticket)  Yes

RP06  Privileged accounts are only made available for the approved time period  Yes

RP07  The password is changed (as per the password policy rules) when the privileged account is returned, or the end time period is reached  Yes

RP08  The details of the request, approval, time period, and password change actions are recorded in a central log for at least 12 months  Yes

Table 7 — SecOps Managed Privileged Account Release Policy
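Several of the rules in Table 7 can be verified mechanically against the central log that RP08 requires. The following is an added example, not part of the policy and not POA tooling: it audits constructed release records for RP03, RP04, RP06 and RP07 and lists which records have passed the RP08 retention period. The record layout, the Register extract and the reading of "12 months" as 365 days are assumptions made for the example.

```python
"""Audit a constructed SecOps privileged-account release log against the release
rules RP03, RP04, RP06, RP07 and RP08 of Table 7.

Added example, not Fujitsu/POA code. The record layout, the REGISTER structure
and the 365-day reading of "at least 12 months" are assumptions."""
from datetime import datetime, timedelta

# Hypothetical Register extract: which parties may authorise each account (RP04).
REGISTER = {
    "BRDB_DBA_ADMIN": {"authorisers": {"a.approver", "b.approver"}},
    "NPS_APP_ADMIN": {"authorisers": {"c.approver"}},
}

RETENTION = timedelta(days=365)  # assumed interpretation of "at least 12 months" (RP08)


def ts(text):
    """Parse the 'YYYY-MM-DD HH:MM' timestamps used in the constructed log."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def check_release(rec, now, register=REGISTER):
    """Return the rule references (with a short reason) that one record breaks."""
    findings = []
    entry = register.get(rec["account"])
    if entry is None:
        findings.append("RP04: account not in Register")
    elif rec["approver"] not in entry["authorisers"]:
        findings.append("RP04: approver is not a designated authorising party")
    if rec["approver"] == rec["requestor"]:
        findings.append("RP04: requestor self-authorised")
    if not rec.get("justification"):
        findings.append("RP03: no documented justification")

    start, end = ts(rec["period_start"]), ts(rec["period_end"])
    released = ts(rec["released_at"])
    returned = ts(rec["returned_at"]) if rec.get("returned_at") else None
    if released < start:
        findings.append("RP06: released before the approved period")
    if returned is None and now > end:
        findings.append("RP06: account still out after the approved period ended")
    if returned is not None and returned > end:
        findings.append("RP06: returned after the approved period ended")

    # RP07: rotation is due at return, or at period end, whichever comes first.
    due = min(returned, end) if returned is not None else end
    if now >= due:
        changed = ts(rec["password_changed_at"]) if rec.get("password_changed_at") else None
        if changed is None or changed < due:
            findings.append("RP07: password not changed after return/period end")
    return findings


def audit(log, now, register=REGISTER):
    """Map ticket reference -> findings for every record with at least one finding."""
    result = {}
    for rec in log:
        findings = check_release(rec, now, register)
        if findings:
            result[rec["ticket"]] = findings
    return result


def purgeable(log, now):
    """Tickets whose last recorded event is older than the RP08 retention period."""
    out = []
    for rec in log:
        events = [rec["released_at"], rec.get("returned_at"), rec.get("password_changed_at")]
        last = max(ts(e) for e in events if e)
        if now - last > RETENTION:
            out.append(rec["ticket"])
    return out


# Constructed sample log (ticket numbers, accounts and names are made up).
SAMPLE_LOG = [
    {"ticket": "INC0000001", "account": "BRDB_DBA_ADMIN", "requestor": "d.dba",
     "approver": "a.approver", "justification": "Patch BRDB1 listener, 2h window",
     "period_start": "2024-05-01 09:00", "period_end": "2024-05-01 12:00",
     "released_at": "2024-05-01 09:05", "returned_at": "2024-05-01 11:30",
     "password_changed_at": "2024-05-01 11:35"},
    {"ticket": "INC0000002", "account": "BRDB_DBA_ADMIN", "requestor": "d.dba",
     "approver": "d.dba", "justification": "",
     "period_start": "2024-05-02 09:00", "period_end": "2024-05-02 12:00",
     "released_at": "2024-05-02 09:00"},
    {"ticket": "INC0000003", "account": "NPS_APP_ADMIN", "requestor": "e.eng",
     "approver": "c.approver", "justification": "Restart NPS app tier",
     "period_start": "2024-05-03 09:00", "period_end": "2024-05-03 10:00",
     "released_at": "2024-05-03 09:00", "returned_at": "2024-05-03 09:40"},
]

NOW = ts("2024-05-10 08:00")

if __name__ == "__main__":
    for ticket, findings in audit(SAMPLE_LOG, NOW).items():
        print(ticket, findings)
```

The RP07 check deliberately treats the earlier of "returned" and "period end" as the rotation deadline, so an account returned early but not rotated is flagged even though the approved window has not yet closed.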

5.8 Password Management Requirements

Credentials assigned to an individual must be treated as confidential information. No employee is allowed
to hand over their own account credentials, or any credentials released to them under the process described
in Section 5.7, to another person, including IT staff, administrators, superiors, other colleagues, friends, or
family members. Shared Privileged accounts managed by local POA teams must comply with the Sub-Master
and Password Policies and must be administered as stated in the section above, “Storage of Privileged
Passwords”.

If someone demands your password or you suspect someone knows your password or is using your
account, immediately change the compromised credential and contact POA SecOps to raise a Security
Incident.

5.9 Protecting Passwords

At a minimum the following steps are to be taken to protect passwords:

• Users must be able to change non-centrally managed passwords themselves.

• Avoid typing your password in the presence of others.

• Passwords must be kept securely and must not be accessible to anyone else (e.g. on
  programmable keys on the keyboard, or written on paper and placed under the keyboard).

  o If you have difficulty in remembering your password, store it in a password safe or
    encrypted file.

• Passwords must not be stored in any applications, system folders or Cookies.

• “Remember password” or “Save automatically” features of applications should be avoided.

  o Web browser password managers can be used provided the “synchronise passwords”
    feature is avoided so the passwords are only stored locally.

• If possible, don't use the same password to access multiple company systems unless this is
  controlled by a Fujitsu approved Single Sign On (SSO) solution.

5.10 TESQA Accounts

The creation of TESQA accounts, and the re-enablement of existing TESQA accounts, must be done
following the POA JML process and must not be performed without prior approval from POA SecOps.

5.11 iKey Exemptions

Users are required to use an MFA token (iKey) to access the support terminal servers (SSNs) unless
they have been granted membership of the [redacted]

It is recognised that iKeys can exhibit faults thereby rendering authentication impossible. The
[redacted] allows users to access POA systems without using MFA. Only users in this group will be able
to logon without using iKey MFA.

All other Live system SSNs always enforce the use of MFA using an iKey.

exists as a permanent member of the!
and must be requested under the process described in Section 5.

A user account
group. This is a bi

Use of th 7 will only be released to a member of the POA NT support team.

5.11.1 Emergency iKey Exemption Process

In the event of an issue with a support user's MFA token or the MFA solution, action will be required to
add the support user's account to the MSAD\ikey-exemptou-users group so that they can logon to the
Live systems via the iKey exempt SSNs. This emergency iKey exemption will then allow them to login
with their own credentials without MFA. This MUST only be done after a TfSNow Incident has been
raised AND pre-approved by SecOps following the process below. Once the MFA issue is resolved, the
user will be removed from the group to restore mandatory MFA authentication.

This process describes the following roles and how they must work together:

• Support User — is the POA support specialist that needs to logon to perform a task

• NT Support User — is a POA Windows skilled support specialist

• SecOps — the POA Security team that approve any exemptions to the mandatory use of iKey
  MFA authentication

The process below starts when a Support User experiences MFA issues and cannot proceed to logon to
the POA environment with their iKey.

1. The Support User raises a TfSNow Incident to record that they have an MFA issue and
   routes it to SecOps.
   a. Note: If the Support User does not have access to create the TfSNow Incident
      themselves then they should contact the POA Major Account Controller (MAC) team at [redacted]
2. SecOps decide if the Support User's account should be added to the IRRELEVANT group
   a. If SecOps do not provide approval, then the process ends, or reverts to the start for
      re-consideration
   b. If SecOps provide approval, then they will update the TfSNow Incident accordingly and
      route the TfSNow Incident to the NT Support User
3. The NT Support User [redacted] Support User account approved by SecOps (that has the
   MFA issues) to the IRRELEVANT group
   a. If a NT Support User is also unable to use iKey MFA then they can follow the POA
      [redacted] IRRELEVANT account credentials
   b. Once approved, SecOps release the credentials to the NT Support User
   c. The “NT Support Access” logs on to a SSN in the iKey exempt OU
   d. [redacted] group
      NOTE - the [redacted] user account is only to be used for this
      task. All other actions are to be taken using the Support User’s own
      credentials
   e. The NT Support User signs out as [redacted]
   f. The Support User and the NT Support User are then able to log on to a SSN in the iKey
      [redacted] break glass account back in with [redacted] of SVM/SEC/PRO/4537 - POA [redacted]
   g. The NT Support User checks the [redacted] SecOps as described in Section 4 “[redacted]
      Privileged Account R[redacted]
   h. SecOps confirm the [redacted] TfSNow ticket is correctly updated
4. The NT Support User updates the TfSNow Incident to note the action taken
5. Support User logs on via an SSN in the iKey exempt OU and continues their required tasks
6. SecOps will monitor the MFA issue until resolved
   a. If the underlying MFA issue has been resolved
      i. SecOps will ensure the Support User and NT Support User accounts are
         removed from the IRRELEVANT group
   b. If the underlying MFA issue has not been resolved
      i. SecOps will consider an extended time-bound continuation of the MFA
         exemption for the Support User account to remain in the IRRELEVANT group.
         The TfSNow Incident will be updated accordingly by SecOps
      ii. If SecOps approve the continuation, no further action is required, and the
          Support User account remains in the IRRELEVANT group
      iii. If SecOps reject the continuation, then SecOps [redacted] Support User to
           remove the Support User account from the IRRELEVANT group
7. SecOps confirm the IRRELEVANT group has the correct entries and that the
   TfSNow ticket has appropriate updates

6 Service Accounts

6.1 Service Account creation

Service Accounts must be requested via the POA JML process so that they are correctly approved and
recorded on the Privileged Account Register maintained by POA SecOps. Where they are generated
automatically by systems, POA SecOps must be notified of the Service Accounts created so they can be
recorded.

The platform and/or service owner should complete the relevant JML form that is available from POA
SecOps or from the POA intranet page. There are several fields that must be completed. These will be
checked before approval is granted for the new service account to be created at which point POA
SecOps will raise tickets in either TfSNow or Peak for the relevant system owner to create the approved
service account.

POA Integration may also be requested to create an updated baseline containing the service account
details (account name and password) which would then go to POA Release Management for the
planning and deployment of the new service account to be scheduled into a release specific for each
environment.

All service account requests must be based on the principle of least privilege, ensuring the accounts
created have only the privileges required. Using a unique service account for each task is a stronger
security practice and follows service account isolation: it prevents privileges accumulating on one
account, which happens when a single service account is used for multiple services, merging their
privileges and violating the principle of least privilege. Adhering to least privilege and service account
isolation reduces the attack surface and limits lateral movement between services should an account be
compromised.

6.2 Service Account password expiry

Service Account passwords are set not to expire by design. This is typically because if a service account
password expires, the service the account supports may cease to work.

If a Service Account password is compromised in any way, it should be changed.

6.3 Requesting a Service Account password change

If there is a need to change a service account password, the platform/service owner who requires the
Service Account password to be changed should contact POA SecOps (email:
cspoa.security, with details of the service account. Details to include:

• What service(s) the account supports
• The Service Account name
• What platforms and/or domain account the service account is to be deployed to
• Why the service account needs to be changed

6.4 Deleting/Disabling a Service Account

If a Service Account is no longer in use, it should be disabled. The POA JML process should be followed
using a “Leaver” notification.

POA SecOps will then manage the process of the controlled removal of the service account.

Appendix A — Master Policy Rules (information only)

The Master Policy rules set a vision for POA. If POA deployed Privileged Access Management (PAM)
toolsets, then these rules would be integral to that solution. POA does not have such a toolset, so some
of the Master Policy rules are challenging, or impractical to achieve. Every effort must be made when
changes are implemented in any parts of the solutions on POA to move towards compliance with the
Master Policy. The Master Policy is shown in Appendix A for reference only.

Compliance with the Master Policy is considered highly desirable for all privileged accounts in use on
POA.

A.1 Master Policy Rules

The table below details the Master Policy references and associated policy rules. Items marked with an
asterisk in the Highly Desirable column are not applicable to Service Accounts.

All privileged accounts that are held on the POA SecOps Register record their compliance with these policy
references. Any non-compliant responses show the reason for the non-compliance and, once approved
by POA SecOps, are deemed to be approved exceptions to the policy.

Ref   Rule                                                                                         Highly Desirable

MP01  The privileged account has a clearly stated named owner

MP02  The privileged account is held in a central tool and is only available on receipt of an authorised request  Yes*

MP03  The privileged account password is not known to potential users until it is needed and provided by the central tool on receipt of an authorised request  Yes*

MP04  The privileged account, if a Service Account, must not permit human interactive logon  Yes

MP05  The privileged account password complies with the Password Policy rules  Yes

MP06  Superseded by MP08 (ignore)

MP07  Superseded by MP08 (ignore)

MP08  The timestamp for the periods of time over which a privileged account is used are recorded and stored for at least 12 months  Yes

MP09  The actions taken by the privileged account are recorded and stored on the local systems for at least 1 months  Yes

MP10  The actions taken by the privileged account are recorded and stored centrally for at least 12 months  Yes

MP11  Whenever practical, the actions taken by the privileged account are witnessed by another entity (e.g. user) and the details of the entity that witnessed the actions are stored where they can be queried for up to 12 months  Yes*

MP12  The privileged account can only be used by one person at a time  Yes*

MP13  The privileged account password must be changed after each use  Yes*

MP14  There must be a documented list of all parties/systems that have authorised access to use the privileged account  Yes

MP15  Privileged account credentials must be securely stored (e.g. in a Password Manager/encrypted file) or not stored at all  Yes*

MP16  Privileged accounts must require the use of Multi-Factor Authentication  Yes*

Table 8 — Master Policy Rules

Appendix B — Oracle Privileged Access Management
Ways of working

B.1 Standard Operating Procedure (SOP)

POA Oracle database access must comply with the following directives:

• Users use their own user account to access the databases via sqlplus

• All sudo access must be initiated from the user's own MSAD account on the server hosting the
  database to be accessed

• Users may sudo to the grid user but may only access the ASM SID database instance as
  SYSASM

• sudo must not be used to open an interactive shell as either the oracle or grid user. Once a
  unix shell has been opened via sudo as the oracle or grid user, subsequent commands (sqlplus for
  example) are attributed to that user rather than to the original user. Running a single command as
  the oracle or grid user via sudo is logged to /var/log/secure and is attributable to the original user.

B.2 Exceptional access to Oracle user account

Access other than that defined in the SOP above may be granted according to the following directives:

• Access outside of the SOP requires authorisation from POA SecOps

• A TfSNow incident must be raised to record the reason for the access and the duration

• The TfSNow incident should be raised in advance of the access but may be raised
  retrospectively where a live incident takes precedence

• Access must be for the minimum time required to resolve the issue

• The PuTTY session must be recorded (via the PuTTY logging mechanism) and a copy of the
  PuTTY session log must be attached to the TfSNow incident

• POA SecOps must be informed when the exceptional access is terminated.

B.3 Access examples

B.3.1 SOP access examples:

• Generic form to run any command as the logged in user or as the grid or oracle users:

    <command1>[;<command N>]

• Access an interactive sqlplus prompt as the logged in user who is a member of the unix dba
  group:

    sqlplus / as SYSDBA

• Run a database query as the logged in user:

    export ORACLE_SID=BRDB1; echo 'show parameter audit' | sqlplus / as SYSDBA | grep audit_file_dest

• Generic form to run any command as the grid or oracle users:

    sudo -u <oracle|grid> -i /bin/bash -c "<command1>[;<command N>]"

• Examine an audit file for the oracle or grid users:

    export ORACLE_SID=BRDB1; echo 'show parameter audit' | sqlplus / as SYSDBA | grep audit_file_dest
    sudo su - oracle -c 'ls -lrt /u01/admin/BRDB/adump | tail -1'
    sudo su - oracle -c 'less /u01/admin/BRDB/adump/BRDB1_ora_22391_20221125115501575867143795.aud'

    export ORACLE_SID=+ASM1; echo 'show parameter audit' | sqlplus / as SYSASM | grep audit_file_dest
    sudo su - grid -c 'less /u01/app/11.2.0/grid/rdbms/audit/+ASM1_ora_7152_20221124104051138619143795.aud'
    sudo su - grid -c 'ls -lrt /u01/app/11.2.0/grid/rdbms/audit | tail -1'

B.3.2 Exceptional access examples:

• Access a unix shell as the oracle or grid user:

    sudo -u oracle -i
    sudo -u grid -i

• Access an interactive sqlplus prompt as the oracle or grid users:

    sudo -u oracle -i /bin/bash -c "export ORACLE_SID=BRDB1; sqlplus / as SYSDBA"
    sudo -u grid -i /bin/bash -c "export ORACLE_SID=+ASM1; sqlplus / as SYSASM"
    sudo -u grid -i /bin/bash -c "export ORACLE_SID=+ASM1; asmcmd"

• Display the audit files location:

    sudo -u oracle -i /bin/bash -c "export ORACLE_SID=BRDB1; echo 'show parameter audit' | sqlplus / as SYSDBA | grep audit_file_dest"
    sudo -u grid -i /bin/bash -c "export ORACLE_SID=+ASM1; echo 'show parameter audit' | sqlplus / as SYSASM | grep audit_file_dest"

B.3.3 Not permitted examples

• Open an interactive shell as root to subsequently su to oracle or grid users:

    sudo su -
    su - <oracle|grid>
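The attribution point made in B.1, and the three outcomes illustrated in B.3.1 to B.3.3, can be checked after the fact against the sudo records in /var/log/secure. The following is an added example, not part of this policy and not POA's tooling: it parses constructed sudo log lines, works out the original user and the effective target user, and classifies each event as SOP-compliant (single command), exceptional access (interactive oracle/grid shell, B.2) or not permitted (interactive root shell, B.3.3). The host names, user names and the exact COMMAND= rendering are assumptions; that rendering varies between sudo versions, so the classifier keys on the program name and the presence of -c rather than on an exact string.

```python
"""Classify sudo events from a /var/log/secure-style log against the Appendix B
SOP: a single command run as oracle/grid via sudo is attributable to the
original user (permitted), an interactive shell as oracle/grid is exceptional
access under B.2, and an interactive root shell (sudo su -) is not permitted
(B.3.3).

Added example, not Fujitsu/POA tooling. The log lines below are constructed;
the exact COMMAND= rendering differs between sudo versions, so the parser keys
on the argv head and the presence of -c rather than on an exact string."""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?P<fields>.*)$"
)
SHELLS = {"/bin/bash", "/bin/sh", "/usr/bin/bash", "/usr/bin/sh"}
PRIV_USERS = {"oracle", "grid"}


def parse_line(line):
    """Return (original_user, host, sudo_target_user, command_argv), or None for non-sudo lines."""
    m = LINE_RE.match(line)
    if m is None or "COMMAND=" not in m["fields"]:
        return None
    head, command = m["fields"].split("COMMAND=", 1)
    kv = dict(p.split("=", 1) for p in head.split(" ; ") if "=" in p)
    return m["user"], m["host"], kv.get("USER", "root"), command.split()


def classify(argv, target):
    """Return (effective_user, kind) where kind is 'command' or 'interactive_shell'."""
    if not argv:
        return target, "interactive_shell"
    prog, args = argv[0], argv[1:]
    if prog == "su" or prog.endswith("/su"):
        # su [-] [user] [-c cmd]: the user, if any, is the first non-option word before -c
        cut = args.index("-c") if "-c" in args else len(args)
        users = [a for a in args[:cut] if not a.startswith("-")]
        effective = users[0] if users else "root"
        return effective, ("command" if cut < len(args) else "interactive_shell")
    if prog in SHELLS:
        # sudo -u X -i                    -> bare shell    -> interactive
        # sudo -u X -i /bin/bash -c "..." -> shell with -c -> single command
        return target, ("command" if "-c" in args else "interactive_shell")
    return target, "command"


def verdict(effective, kind):
    """Map a classified event onto the SOP outcome it falls under."""
    if kind == "command":
        return "sop"            # attributable to the original user in /var/log/secure (B.1)
    if effective == "root":
        return "not_permitted"  # B.3.3: root shell, later su to oracle/grid loses attribution
    if effective in PRIV_USERS:
        return "exceptional"    # B.2: needs SecOps authorisation and a TfSNow incident
    return "review"


def audit(lines):
    """Classify every sudo event in the given log lines."""
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, host, target, argv = parsed
        effective, kind = classify(argv, target)
        events.append({"user": user, "host": host, "effective": effective,
                       "kind": kind, "verdict": verdict(effective, kind)})
    return events


# Constructed sample log (host, users and PIDs are made up).
SAMPLE_LOG = [
    "Nov 25 11:55:01 brdb1 sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=oracle ; "
    "COMMAND=/bin/bash -c export ORACLE_SID=BRDB1; sqlplus / as SYSDBA",
    "Nov 25 11:56:12 brdb1 sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=oracle ; "
    "COMMAND=/bin/bash",
    "Nov 25 11:57:40 brdb1 sudo:   kjones : TTY=pts/1 ; PWD=/home/kjones ; USER=root ; "
    "COMMAND=/bin/su -",
    "Nov 25 11:58:02 brdb1 sudo:   kjones : TTY=pts/1 ; PWD=/home/kjones ; USER=root ; "
    "COMMAND=/bin/su - grid -c ls -lrt /u01/app/11.2.0/grid/rdbms/audit | tail -1",
    "Nov 25 11:58:30 brdb1 sshd[1234]: Accepted publickey for jsmith from 10.0.0.5 port 51234 ssh2",
]

if __name__ == "__main__":
    for ev in audit(SAMPLE_LOG):
        print(f'{ev["user"]:>8} -> {ev["effective"]:<6} {ev["kind"]:<17} {ev["verdict"]}')
```

Events with verdict "exceptional" are the ones that should correlate with a TfSNow incident and an attached PuTTY session log under B.2; a "not_permitted" event has no such record to correlate with and is worth raising with POA SecOps.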

B.4 sudoers modifications

DES/SEC/ION/2591 describes the sudoers integration with AD via sssd. Changes are required to the
sudoers AD delivery to facilitate limited user access to the grid and oracle accounts without requiring root
access.

The following configuration snippet permits members of the dba unix group to execute any command as
the oracle and grid accounts on the Oracle database servers defined in the ORACLEDBSERVERS Host_Alias.

    Host_Alias ORACLEBRSS

    %dba ORACLEBRDB, ORACLENPS, ORACLEDAT, ORACLEBRSS=(oracle,grid) NOPASSWD: ALL
