IT KORR Knowledge Center
Authentication and Access Policy
Informed by HIPAA Security Rule and PCI DSS Requirement 8
1. Purpose
This policy establishes [Organization Name]'s requirements for authenticating and authorizing access to information systems, covering multi-factor authentication, context-aware access control, privileged access, and session management, aligned with Informed by HIPAA Security Rule and PCI DSS Requirement 8.
2. Multi-Factor Authentication
Multi-factor authentication is required for all user accounts without exception, including remote access and any access originating from outside the organization's network.
Administrative and other high-value accounts are required to use phishing-resistant authentication methods (hardware security key or platform authenticator/passkey) rather than code-based methods.
Legacy authentication protocols that do not support multi-factor authentication are blocked entirely.
3. Context-Aware Access Control
Access decisions are evaluated using context-aware policy (Conditional Access or equivalent) accounting for sign-in risk, device compliance, and location, not credentials alone.
Access to sensitive applications additionally requires a compliant or managed device.
- Break-glass accounts: 2, excluded from context-aware access policy, secured with strong unique credentials, and actively monitored.
- New or modified context-aware access policies must be tested in report-only (non-enforcing) mode before enforcement.
4. Privileged Access
Administrative role assignments use just-in-time activation, requiring justification and, for the highest-risk roles, approval, rather than standing permanent privilege.
Standing privileged role assignments, and service account privilege scope, are reviewed at least quarterly.
5. Single Sign-On
Single Sign-On is required for all business applications that support it, centralizing authentication policy enforcement.
Local password fallback is disabled for any application once SSO is confirmed working, closing the bypass path around centralized policy.
6. Session Management
Session tokens for sensitive applications expire after 12 hours, after which re-authentication is required. Sessions may be explicitly revoked as part of incident response or offboarding.
7. Enforcement and Review
This policy is technically enforced through [Organization Name]'s identity platform and reviewed at least annually, or upon a significant change to applicable regulatory requirements, referenced guidance, or a security incident. Last generated: July 10, 2026.
8. References
- Informed by HIPAA Security Rule and PCI DSS Requirement 8
- IT KORR Knowledge Center — Identity & Access Management: /knowledge-center/cybersecurity/identity-access-management