Access Control Policy

This document outlines Mallinckrodt's access control policy to protect company information assets. The policy requires logical, physical, and paper-based access management controls, including user authentication, authorization approval, access removal when no longer needed, and periodic access reviews. It also mandates least privilege, session lock, unique user IDs, strong passwords, and physical access restrictions. Exceptions require approval from the BI&TS leadership.

Uploaded by

Clyde Ben Balete

MALLINCKRODT

Doc Title: Access Control Policy

1. Purpose
1.1. The purpose of this policy is to outline requirements related to logical, physical and paper-
based access management controls to protect Company information assets.

2. Scope
2.1. Technical and procedural access controls related to global Company servers, networks and
applications, facilities and paper documentation.

3. References
3.1. POLICY-0302 Enterprise Cyber Security Policy - Global

4. Definitions

4.1. Public information – information or data that is publicly available

4.2. Confidential information – information that is not publicly available

4.3. Information Risk Committee – business leaders that are responsible for making risk
management and policy decisions related to cyber-security, privacy, eDiscovery and continuity
planning

4.4. Business Insights & Technology Solutions (BI&TS) Leadership – The Chief Information &
Digital Officer and direct reports.
4.5. Active Directory – a system developed by Microsoft to centralize the management of
computers and User Accounts and to provide authentication and authorization.
4.6. Company Information – any data produced by or on behalf of the Company or its employees
that is not publicly available
4.7. Least Privilege – the principle that users and programs should only have the necessary
privileges to complete their tasks and no more.
4.8. Privileged Account – a User Account (as defined herein) that is authorized to perform
security-relevant functions that ordinary users are not authorized to perform such as installing
updates and application software, managing User Accounts and modifying system settings.
4.9. Service Account – an account that is not associated with a person that is used to perform
functions on a computing system.
4.10. User Account – an account with limited privileges that is used to perform general system
activities.
4.11. User ID – a unique value used by an information system to identify a specific user.

5. Responsibilities
5.1. All Company employees, contractors, sub-contractors, joint ventures, board members, and
vendors must comply with this policy.
5.2. The Company’s Chief Digital & Information Officer (CD&IO) is responsible for establishing
and administering all Cybersecurity policies.
5.3. Business Insights & Technology Solutions (BI&TS) Leadership - the CD&IO and direct
reports are responsible for approving any exceptions to this policy.
5.4. Information Risk Committee is responsible for risk management and policy decisions.


CONFIDENTIAL AND PROPRIETARY Doc #:POLICY-0303 Rev:6 Vault:CLT-IT Effective Release Date:09 Oct 2020 Valid as of:10 Oct 2020

6. Policy
6.1. User Account Management
6.1.1. User authentication controls that verify the identity of an individual and confirm
authorization prior to allowing access shall be implemented to protect all Company
information assets.
6.1.2. Specific authorization and approval shall be obtained prior to granting access to computing
systems.
6.1.3. Access shall be removed when employees leave the company or when a contractor's,
supplier's or other third party's responsibilities are no longer necessary or appropriate.
6.1.4. Periodic access reviews shall be performed to confirm the ongoing appropriateness of
access; unnecessary access shall be removed in a timely manner, and evidence of review
shall be maintained.

6.2. Least Privilege

6.2.1. Privileged accounts shall not be used for day-to-day system activities.
6.2.2. Privileged accounts shall be disabled immediately upon termination.

6.3. Session Lock


6.3.1. After a period of inactivity, desktop and laptop systems shall require re-authentication
6.3.2. Users shall lock desktops and laptops when leaving them unattended.

6.4. User ID Management


6.4.1. User IDs shall not be the same as public identifiers such as email accounts
6.4.2. Each User ID shall be unique within the system
6.4.3. User Accounts shall never be shared
6.4.4. User IDs shall be assigned to specific individuals

6.5. Password Management


6.5.1. Passwords shall be a minimum of eight (8) characters.
6.5.2. Password complexity shall enforce upper case, lower case, numeric and special characters
6.5.3. Temporary passwords shall be unique to an individual.
6.5.4. Service account passwords shall be limited to the fewest number of individuals practical.

6.6. Password Lifecycle

6.6.1. User passwords shall expire every 90 days. Accounts must lock for passwords that are not
changed by the expiration date.


6.6.2. Password history shall prevent reuse of recent passwords. Systems shall be configured to
prevent password reuse to the maximum history allowed by the software.

6.6.3. Default vendor passwords shall be changed immediately following installation of systems
or software.

6.7. Password Protection


6.7.1. Passwords shall not be transmitted or stored in an unencrypted format.
6.7.2. Passwords shall not be written down or stored electronically in a repository without
appropriate security and controls in place.
6.7.3. User passwords shall not be shared with anyone other than the account owner.
6.7.4. Passwords shall be obscured where technically feasible during entry on any information
system login screen.
6.7.5. Where technically feasible, accounts must lock for a minimum of 30 minutes after three (3)
consecutive failed password attempts.
6.7.6. Anyone suspecting that a password may have been compromised must report the incident
to the Cybersecurity team and immediately change all passwords.
6.7.7. First time or temporary passwords shall be changed immediately upon first logon.
6.7.8. Failed login messages should not indicate if the password or User ID was incorrect.
6.7.9. Password reset procedures shall validate a user’s identity.

6.8. Physical Access and Paper Controls


6.8.1. Physical access to information systems, data, technology or confidential paper
documentation shall be restricted based on business need and appropriate authorization.
6.8.2. Employees and authorized third parties shall not leave confidential paper documentation on
desks or in unsecure locations.
6.8.3. Access shall be logged.

6.9. Exceptions to Policy


6.9.1. Exceptions to this policy may be implemented only after a risk analysis has been conducted
and written approval has been provided by BI&TS Leadership.

7. Attachments

7.1. None.

8. Revision History

Revision No. | Change Description
6 | Revised entire policy based on restructuring of the legacy Information Technology department into a new Business Insights & Technology Solutions organization. Updated title


Signature Manifest
Document Number: POLICY-0303 Revision: 6
Title: Access Control Policy
All dates and times are in UTC.

POLICY-0303 Access Control Policy

DCC Review

Name/Signature | Title | Date | Meaning/Reason
Megan Vernak (MEGAN.VERNAK) | Director, Product Monitoring | 08 Sep 2020, 08:45:44 PM | Approved

Create/Revise

Name/Signature | Title | Date | Meaning/Reason
Elizabeth Bunting (ELIZABETH.BUNTING) | | 08 Sep 2020, 09:09:30 PM | Complete

Peer Collaboration

Name/Signature | Title | Date | Meaning/Reason
Elizabeth Bunting (ELIZABETH.BUNTING) | | 08 Sep 2020, 09:09:54 PM | Complete

Doc Control Review

Name/Signature | Title | Date | Meaning/Reason
Elizabeth Bunting (ELIZABETH.BUNTING) | | 08 Sep 2020, 09:10:53 PM | Complete

Manager Training Approval

Name/Signature | Title | Date | Meaning/Reason
Pat Roche (PAT.ROCHE) | | 08 Sep 2020, 09:21:06 PM | Approved

Author/Department Approval

Name/Signature | Title | Date | Meaning/Reason
Pat Roche (PAT.ROCHE) | | 08 Sep 2020, 09:22:57 PM | Approved
Megan Vernak (MEGAN.VERNAK) | Director, Product Monitoring | 09 Sep 2020, 12:28:52 PM | Approved

Final QA Approval

Name/Signature | Title | Date | Meaning/Reason
Elizabeth Collins (ELIZABETH.COLLINS) | VP, Global Quality | 09 Sep 2020, 12:56:38 PM | Approved

Training


Name/Signature | Title | Date | Meaning/Reason
Tom Kowal (TOM.KOWAL) | | 09 Oct 2020, 04:18:50 PM | Approved

Change Control Approval

Name/Signature | Title | Date | Meaning/Reason
Elizabeth Bunting (ELIZABETH.BUNTING) | | 09 Oct 2020, 04:25:10 PM | Approved

Set Dates

Name/Signature | Title | Date | Meaning/Reason
Elizabeth Bunting (ELIZABETH.BUNTING) | | 09 Oct 2020, 04:25:30 PM | Approved

Notification

Name/Signature | Title | Date | Meaning/Reason
mary lanney (MARY.LANNEY) | | 09 Oct 2020, 04:25:31 PM | Email Sent
