ACCESS CONTROL & USER ACCESS MANAGEMENT POLICY

Detailed policy regarding cloud access control and internal user management

Written by Akshat Singhal
Updated over a week ago

Document Name: ACCESS CONTROL & USER ACCESS MANAGEMENT POLICY

Classification: Internal

Document Owner: CISO/MR-

Document Approver: Top Management

Original Document Issue Date: 10/09/2023

Current Edition: Version 2.0

Revision History:

S. No.   Description of Change   Date of Change   Version No.
1        Initial Release         10/09/2023       1.0
2        Second Release          10/09/2024       2.0

1. Policy Statement

1.1. Protecting access to IT systems and applications is critical to maintaining the integrity of the LEGISTIFY SERVICES PRIVATE LIMITED (hereinafter referred to as LEGISTIFY SERVICES PRIVATE LIMITED) technology and data and preventing unauthorised access to such resources.

1.2. Access to LEGISTIFY SERVICES PRIVATE LIMITED systems must be restricted to only authorized users or processes, based on the principle of strict need to know and least privilege.

2. Background

2.1. Access controls are necessary to ensure only authorized users can obtain access to LEGISTIFY SERVICES PRIVATE LIMITED information and systems.

2.2. Access controls manage the admittance of users to system and network resources by granting users access only to the specific resources they require to complete their job related duties.

3. Policy Objective

3.1. The objective of this policy is to ensure LEGISTIFY SERVICES PRIVATE LIMITED has adequate controls to restrict access to systems and data.

4. Scope

4.1. This policy applies to:

a. All employees including temporary employees, consultants, contractors, agents and authorized users accessing Institution IT systems and applications.

b. All IT systems or applications managed by LEGISTIFY SERVICES PRIVATE LIMITED that store, process or transmit information, including network and computer hardware, software and applications, mobile devices, and telecommunication systems.

5. Definitions

5.1 “Access Control” is the process that limits and controls access to resources of a computer system.

5.2 “Users” are employees including temporary employees, consultants, contractors, agents and authorized users accessing LEGISTIFY SERVICES PRIVATE LIMITED IT systems and applications.

5.3 “System or Application Accounts” are user IDs created on IT systems or applications, which are associated with specific access privileges on such systems and applications.

5.4 “Privileged Accounts” are system or application accounts that have advanced permissions (as compared to regular user account permissions) on such systems or applications.

5.5 “Access Privileges” are systems permissions associated with an account, including permissions to access or change data, to process transactions, create or change settings, etc.

5.6 “Administrator Account” is a user account with privileges that have advanced permissions on an IT system that are necessary for the administration of this system. For example, an administrator account can create new users, change account permissions, modify security settings such as password settings, modify system logs, etc.

5.7 “Application and Service Accounts” are user accounts that are not associated with a person but an IT system, an application (or a specific part of an application) or a network service.

5.8 “Non-disclosure Agreement” is a contract between a person and LEGISTIFY SERVICES PRIVATE LIMITED stating that the person will protect confidential information covered by the contract, when this person has been exposed to such information.

6. Guiding Principles – General Requirements

6.1. LEGISTIFY SERVICES PRIVATE LIMITED will provide access privileges to company resources (including networks, systems, applications, computers and mobile devices) based on the following principles:

1. Need to know – users or resources will be granted access to systems that are necessary to fulfill their roles and responsibilities.

2. Least privilege – users or resources will be provided with the minimum privileges necessary to fulfil their roles and responsibilities.

6.2. Requests for users’ accounts and access privileges must be formally documented and appropriately approved.

6.3. Requests for special accounts and privileges (such as vendor accounts, application and service accounts, system administration accounts, shared / generic accounts, test accounts and remote access) must be formally documented and approved by the system owner.

6.4. Application and service accounts must only be used by application components requiring authentication; access to the passwords must be restricted to authorized IT administrators or application developers only.

6.5. Where possible, the company will set user accounts to automatically expire at a pre-set date. More specifically,

6.5.1. When temporary access is required, such access will be removed immediately after the user has completed the task for which the access was granted.

6.5.2. User accounts assigned to contractors will be set to expire according to the contract’s expiry date.

6.6. Access rights will be immediately disabled or removed when the user is terminated or ceases to have a legitimate reason to access LEGISTIFY SERVICES PRIVATE LIMITED systems.

6.7. A verification of the user’s identity must be performed by the IT Manager/System Administrator, Help Desk, or designate before granting a new password. This applies only to new joiners.

6.8. Existing user accounts and access rights will be reviewed at least annually to detect dormant accounts and accounts with excessive privileges. Examples of accounts with excessive privileges include:

6.8.1. An active account assigned to external contractors, vendors or employees that no longer work for LEGISTIFY SERVICES PRIVATE LIMITED.

6.8.2. An active account with access rights for which the user’s role and responsibilities do not require access.

6.8.3. System administrative rights or permissions (including permissions to change the security settings or performance settings of a system) granted to a user who is not an administrator.

6.8.4. Unknown active accounts.

6.9. All access requests for system and application accounts and permissions will be documented using the ticketing system in place.

7. Guiding Principles – Privileged Accounts

7.1. An individual privileged user account must be created for each administrator, instead of using generic administrator account names.

7.2. Privileged user accounts can only be requested by managers or supervisors and must be appropriately approved.

8. Default User Accounts

8.1. Where possible, all default user accounts will be disabled or renamed. These accounts include “guest”, “temp”, “admin”, “Administrator”, and any other commonly known or used default accounts.

9. Contractors and Vendors

9.1. In relation to contractors, contracts with contractors / vendors will include specific requirements for the protection of data. In addition, contractor / vendor representatives will be required to sign a Non-disclosure Agreement (“NDA”) prior to obtaining approval to access LEGISTIFY SERVICES PRIVATE LIMITED systems and applications.

9.2. Prior to granting access rights to a contractor / vendor, the VP, IT or IT Help Desk must verify the requirements of Section 11.1 have been complied with.

9.3. The name of the contractor / vendor representative must be communicated to the IT Help Desk in advance before the person needs access.

9.4. LEGISTIFY SERVICES PRIVATE LIMITED will maintain a current list of external contractors or vendors having access to systems.

9.5. The need to terminate the access privileges of the contractor / vendor must be communicated to the IT Help Desk at least 1 business day before the contractor / vendor representative’s need for such access ends.

10. Access to Source Code Repository

10.1 Developers are given need-based access to source code for projects under LEGISTIFY SERVICES PRIVATE LIMITED updater and Application Architecture.

11. Access Control Requirements

11.1. All users must use a unique ID to access LEGISTIFY SERVICES PRIVATE LIMITED systems and applications. Passwords must be set in accordance with the Password Policy.

11.2. Alternative authentication mechanisms that do not rely on a unique ID and password must be formally approved.

11.3. Remote access to LEGISTIFY SERVICES PRIVATE LIMITED systems and applications must be through a password authentication where possible.

11.4. System and application sessions must automatically lock after 10 minutes of inactivity.

12. Roles and Responsibilities

Stakeholder                              Responsibilities
CISO                                     Review and Approve this Policy.
IT Manager                               Develop & Maintain this Policy.
IT Manager                               Take proactive steps to reinforce compliance of all stakeholders with this Policy.
Human Resource                           Present each new employee or contractor with the relevant IT Policies and Security Policies, upon the first day of commencing work with LEGISTIFY SERVICES PRIVATE LIMITED. Support all employees and students in the understanding of the requirements of this Policy.
All Users (Employees and contractors)    Report all non-compliance instances with this policy (observed or suspected) to their respective Managers or IT department as soon as possible.

13. Exceptions to the Policy

13.1. Exceptions to the guiding principles in this policy must be documented and formally approved by the Head, Information Technology, LEGISTIFY SERVICES PRIVATE LIMITED.

Policy exceptions must describe:

13.1.1. The nature of the exception.

13.1.2. A reasonable explanation for why the policy exception is required.

13.1.3. Any risks created by the policy exception.

13.1.4. Evidence of approval.

Policy Revision History

Date         Version   Author         Reviewer   Approver                                        Comments
10/09/2023   0.1       ISMS Manager   CIO        LEGISTIFY SERVICES PRIVATE LIMITED Management   Draft Version of ACCESS CONTROL & USER ACCESS MANAGEMENT POLICY
