Access Control Policy
Details
Date | Version | Status | Information Classification | Document Template ID | Document No |
---|---|---|---|---|---|
22-01-2020 | 3.5 | Approved | Internal | AMS DOC | AMS-SP-11 |
Revision History
Date | Version | Description | Author | Reviewed by | Approved by | Approved date |
---|---|---|---|---|---|---|
28-06-2013 | 2.2 | Initial Version | ||||
07-04-2015 | 3.0 | Revamped as part of ISMS Transition | Praveen | Premanand, Praveen | Premanand | |
23-03-2016 | 3.1 | Reviewed and No changes recommended | ||||
20-07-2017 | 3.2 | Reviewed no changes done | ||||
10-08-2017 | 3.3 | Replaced shall with will | ||||
07-08-2018 | 3.4 | Reviewed “Review of user Access rights” section | ||||
24-12-2019 | 3.5 | Changes made as per the standard Document, revised to align with industry best practices | Praveen | Shaila, Usha | Suresh | 22-01-2020 |
Acronym Used
Acronym | Expanded Form |
---|---|
Introduction
This procedure details the requirements for a user to access the application systems in the ASL computing environment.
Standard Reference
- ISO/IEC 27001; Clause 9
Scope
The user access management process is applicable in three circumstances, which are listed below:
- When a new user joins the organization (creation)
- When a user changes department/role (modification)
- When a user leaves the organization
Customer access management
Key Practices & Responsibility
The key practices and responsibilities are as follows:
Srl. | Key Practice | Responsibility |
---|---|---|
 | User Creation Process | IT Support |
 | User Access Modification Process | Facilities Helpdesk/IT Support |
 | User Deletion Process | IT Support |
 | Privilege Management (Domain) | IT Support |
 | Privilege Management (Internal Tools) | Tools Development Lead |
 | Password Management | Tools Development Lead/Domain Administrator/Email Administrator |
 | User Account Review | Application Support |
 | Active Account Reconciliation | Server Lead/ADS and Email Expert |
 | Handling Inactive Accounts | IT Support |
 | User access registration and de-registration process in the project | PO/PM |
 | Customer access management | IT Support |
 | Vendor/Visitor access management | IT Support |
Key Practice Details
User Creation Process
When a new user joins the organization, HR Team will provide the details of the employee to the IT Support using the User Registration Request ticket approved by the Head-HR.
For creation of, and access to, the network, domain and email, the following information must be provided at a minimum:
- Employee first name and last name
- Preferred Email ID
- Function Head or Group Head
- Role
The IT Support is responsible for getting the domain ID and email address created in a standard format as decided by ASL, and for creation of the user ID in the domain and the mail server database.
A record of access rights granted to users on information systems and services is maintained.
User Access Modification Process
When a user changes department/role or is allocated to a different function, the employee movement information should be communicated to the HR/Admin and IT Support using the User Movement Information ticket.
For modification of access to the Admin, Server (Domain, Email) and Network, the following information must be provided at a minimum:
- Employee ID
- Employee name
- Function/Group
- Group Head – Previous and Allotted
- Access Required between
  - Start date
  - End date
- Access Required To
  - Floor
The employee will raise the ticket to the Group Head for approval. This request will be forwarded to HR/Admin.
Based on the User Movement Information ticket, HR/Admin Helpdesk will address the request and provide the seating allocation information to IT Department for further action, if any.
The IT Support is responsible for modification of the user access in the Desktop Side, Server (Domain and Email), and Network.
HR will validate the request and close after ensuring that all the necessary accesses are provided.
User Deletion Process
When a user leaves the organization or the user is absconding from work, HR Team will submit the User Deletion ticket approved by the Head-HR to the IT Support.
The IT Support will de-activate/delete the email address and the domain user account.
The HR Team must obtain clearances from the relevant departments prior to issuing the relieving letter for the employee.
A record of access rights deleted on information systems and services is maintained.
Privilege Management
Privileges in the domain will be decided based on the relevant project or support groups.
The function head will decide on the standard list of access required for the group. This access list will be communicated to the IT Support.
The IT support will then be responsible for providing access.
Generic/functional accounts will not be used for any activities. Users will have to use individual accounts for managing/monitoring activities.
IT Head will share the access list on a quarterly basis which will be validated by Group Head.
Segregation of duties
Conflicting duties and areas of responsibility are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
Care is taken to ensure that no single person can access, modify or use assets without authorization or detection.
Password Management
The password settings will be configured on the domain controller as per password policy.
User Account Review
Domain Account Review
The IT support will be responsible for reviewing the user accounts on the domain controller and recording the following:
- Inactive accounts
- Locked accounts due to bad password logins
- Accounts of resigned employees
All locked accounts will be reviewed and enabled only after validation from the account owner.
The IT Support will initiate action of disabling the user accounts of resigned employees after HR Team sends the request.
Email Account Review
The IT Support team will be responsible for reviewing the user accounts on the mail server and recording the following:
- Inactive accounts
- Accounts of resigned employees
The IT Support will initiate action of disabling the user accounts of resigned employees after intimation from HR Team.
Email ID Request
HR Team will raise Email ID Requests using the Email ID Request template for creation, modification or deletion of email ids or group id/distribution lists and send it to the IT Support.
Group Head will raise Email ID requests using the Email ID Request template for function specific requirements and send it to the IT Support.
The IT Support will service the Email Id request.
Active Account Reconciliation
The IT Support will generate an email ID tracker from the email server and Active Directory with the email IDs and forward the tracker to the HR team as on the last working day of the month.
The Access Control Administrator generates a list of active physical access accounts from access control application and forwards the list to HR team.
The HR Team generates a list of active employees from Human Resource Tool.
HR team will check the information provided by IT and Facilities against Employee list and will prepare a reconciliation report.
This reconciliation is done once a month. A record of the reconciliation will be maintained.
If any discrepancies are found between the employee list, physical access list and email ID tracker, the HR team will intimate IT and Facilities. IT Support and the Access Control Administrator will analyze the cause for the differences and take appropriate corrective action.
The IT support will also raise an Information Security Incident for the differences found. The Information Security Incident is handled as per Procedure for Incident Management.
The Access Control Administrator will also raise a Physical Security Incident for the differences found. The Physical Security Incident is handled as per Procedure for Incident Management.
After reconciliation, HR Team validates against any training covered during that month.
HR will send the validated reconciliation report to Quality as a record by the end of the second week.
Handling Inactive Accounts
ASL will ensure that only active users who actually require access at the present time have system access.
The accounts of users who have not logged on in the past 60 days will be locked or disabled. For example, consider the following cases:
- Maternity leave that extends beyond 60 days.
- Medical leave that extends beyond 60 days.
Daily reports will be generated by the IT Support Team listing the active domain accounts.
The domain user accounts of users who have not logged on in the past 60 days will be locked or disabled.
The IT Support Team will inform the HR Team desk of user account disablement.
In addition, HR Team will review the user accounts and reconcile with IT for revoking or disabling user logical access rights of inactive constituents at least once in a month.
IT will also delete user accounts for absconding cases as per the HR requests.
Customer Access Management
Customer may need logical ASL access for:
- Internet access.
- Access to Production servers.
Internet access
Normally this will be for short duration trips like audits, assessments etc.
On request, they will be connected through segregated internet line for internet access. This broadband connection will be outside ASL’s corporate network connectivity.
Note: Customer laptops will not be connected to ASL’s corporate network
Consultant/Vendor/Visitor access management
On request, they will be connected through segregated internet line for internet access. This broadband connection will be outside ASL’s corporate network connectivity.
For contractor/consultant/service provider staff and visitors/customer representatives who require a longer duration of work stay at ASL and who may need temporary network access facilities, particularly for emails or for some software demonstrations/trainings, specific access rights will be provided to the contractor/third party staff/visitor for a specified period on request by the concerned function head.
System and Application Access Control
Information access restriction
Access to information and application system functions by users and support personnel will be restricted in accordance with the defined access control policy.
Based on business application requirements, the restrictions in access will be enforced such as providing menus to control access to application system functions and user access rights.
All business applications will have user login IDs and passwords to establish credentials before access is gained. Where applicable, second level of authentication based on PKI/biometric will be enforced.
Sensitive Information Systems like Firewall, Network Devices, Servers, Database and Repository will be accessed only by the authorized personnel as identified by the respective Department Heads. Authorization will be done by the Department Head and it will be recorded in the privilege management and roles & responsibilities document.
The Developmental Data Centre will be accessed by the IT team. However, if a non-IT person intends to visit it, then, it will be authorized and accompanied by an IT team member. The same will be recorded.
The Production Data Centre visit by any IT staff will be authorized by the IT Manager/Senior IT Manager.
Whenever new information processing facilities are added, the section of people eligible for accessing/managing it will be recorded in the privilege management and roles & responsibilities document.
Secure log-on procedures:
Access to information systems will be controlled by a secure log-on procedure.
Access to operating systems will be password based.
Computers will not display system or application identifiers until the log-on process has been successfully completed. A general warning message will be displayed on the screen while log-on process is being completed and this has to be acknowledged by the user of the computer system prior to getting any access rights.
PKI based authentication is enabled for application access by users/employees.
ASL information systems do not provide Help messages during logon.
Applications are designed to validate the log-on information only on completion of all input data. During any error scenario, the system blocks the user.
All successful and unsuccessful attempts are logged.
Inactive sessions are terminated after 10 minutes of inactivity.
Passwords are not shown in clear text during the log-on process. Passwords are encrypted and are not sent in clear text.
Use of privileged utility programs
The use of utility programs that might be capable of overriding system and application controls will be restricted and tightly controlled.
Users will not have access rights to download utility programs that can override system and application controls. If users require any software to be installed, it must be brought to the IT team's notice.
Utility programs are segregated from the application software.
Use of utility programs is restricted and authorized by appropriate authority.
Available and permissible utility programs are logged and a record is kept for all the users.
Access control to program source code
Access to program source code and associated items such as designs, specifications, verification plans and validation plans is controlled, in order to prevent the introduction of unauthorised functionality and to avoid unintentional changes as well as to maintain the confidentiality of the critical data. The following controls are implemented at ASL to protect program source code:
- Program source code is stored and archived in central storage.
- Access to storage is restricted and controlled to authorised personnel only (developers).
- CVS (Concurrent Versions System)/Git are used at ASL.
- Change control and version control are used to identify and restrict any unintentional changes.
Type of Access for VP/Senior VP
Senior Vice Presidents and Vice Presidents are given administrative privileges (LOCAL) on their respective laptops for understanding and planning the business needs.
They will take utmost care to ensure that the ASL network is not maligned by connecting infected computers.
They will ensure proper antivirus and operating system patch/hotfix updates.
They will be held responsible for any such threat exploiting the ASL network and causing impact to business operations through noncompliance with this policy and the Acceptable usage policy agreement.
Type of users and their level of access on servers
- “Any activity performed on the production servers is the responsibility of the IT Manager”
System Administrator
System level rights
Enterprise administration
Full access on all files including system files
Access log files
Backup administrator
User creation /deletion and assigning privileges
Auditing of user activities on files/folders
User
No access to any of the application file/folders
View access for folders
Performance monitoring
View access for event & system logs
Database Administration
“Any activity performed on Oracle Database & Database server is the responsibility of DBA”.
The DBA accesses the Database server as a limited access user.
The DBA has full privileges (Read, Write & Modify) on the Oracle Database.
All activities of the DBA are logged.
The following activities are performed:
- Monitoring
- Creation/Modification of schemas
- Backup
Network Administration
“Any activity performed on network environment is the responsibility of Senior Network Engineer.”
The Network Administrator accesses network devices for maintenance and troubleshooting.
Administrator access to all the devices, such as Cisco Switch and Firewall, is held by the Senior Network Manager.
He frequently checks the firmware, Health status of l, verification & monitoring of system access.
All the activities of DBA, Network administrator and system administrator are verified and monitored by Head IT.
References
Srl. | Document/Section Name |
---|---|
 | Password Management Policy |
 | Physical Environmental Security Policy |
 | Individual's Privileged Access Agreement |
 | Acceptable usage policy agreement |
Implementation Artifacts
Srl. | Template ID | Artifact Name |
---|---|---|
 | F-URR | User Registration Request |
 | F-UDR | User Deletion Request |
 | F-EIDR | Email ID Request |
 | F-UMIR | User Movement Information Request |
 | CH-UM | User Movement Checklist |