IT-07 Granting, Revoking, Changing and Reviewing User Access


Upload: krlekonj

Post on 20-Apr-2017


Page 1: IT-07 Granting, Revoking, Changing and Reviewing User Access

DOCUMENT NO: IT-07
REVISION NO: 0
EFFECTIVE DATE: 1-August-2009
PAGE NO: 1 of 3
PREPARED BY: Hong Chan Chuen
APPROVED BY: Lim Hock Chee

GRANTING, REVOKING, CHANGING and REVIEWING USER ACCESS

1.0 PURPOSE:

1.1 To establish and maintain a procedure defining the process of establishing, revoking, and changing User access to Company information systems.

2.0 SCOPE:

2.1 Establish and maintain a procedure defining a regular scheduled review of all system access.

3.0 REFERENCES:

3.1 IT-01 (Company Electronic Data Policy)

3.2 IT-02 (IT Password Standards)

3.3 IT-03 (System Administrator Policy)

4.0 DEFINITIONS:

4.1 IT – Information Technology

5.0 EXHIBITS:

5.1 None

6.0 RESPONSIBILITIES:

6.1 Corporate IT Group
- Ensuring that IT develops and implements appropriate policies, practices and procedures on a company-wide basis.
- Ensuring that regional IT management implements and ensures compliance to this policy and all related practices and procedures.
- Ensuring that the policy, practices and procedures are maintained.

6.2 IT Management
- Ensuring all staff in their area of responsibility are familiar with and comply with all policies, practices and procedures.
- Authorizing all security requests for System Administration type access.
- Ensuring that local procedures in support of the corporate policy are maintained.

6.3 Department Managers

- Liaise with Human Resources to define security requirements for all staff members.
- Notify HR and IT of all new hires, terminations, and job function changes in a timely manner.

6.4 Human Resources
- Notifying the IT Security Administrator of all requests for access to Company information systems, or changes to existing access.
- Notifying the IT Security Administrator of all employees leaving the Company on a timely basis. This is to include maternity leave, short/long term disability, layoffs, etc.

6.5 IT Employees Responsible for Security Administration (Infrastructure & Application)
- Creating, changing and revoking user access on a timely basis.
- Gaining approval for all security requests from the designated data/system owners.
- Maintaining a log of all security requests.
- Conducting a scheduled yearly review of all system access by providing the designated data/system owners with a system access report for their review.
- Conducting a review of all system/application access after any major Company changes/realignments.
- Conducting a review of all system access after any new system installs or major upgrades by providing the designated data/system owner with a system access report for their review.

6.6 Business/Data Owners
- Documenting system segregation of duty access rules.
- Approving security access requests.
- Participating as required by the IT Department in the scheduled reviews of system access rights granted to the system users.

7.0 PROCEDURE:

7.1 Access to Company information systems will be assigned with only the rights required to do individual job functions.

7.2 Access will be assigned in accordance with documented segregation of duty rules approved by the data / system owners.

7.3 Generic accounts or so-called ‘group logons’ are not permitted, as these could potentially allow several users to access IT resources without any clear individual accountability. Access must only be provided on an individual basis, with each user account being unique to a named person with only sufficient access to do what they need to do in the normal course of their duties.

7.4 It is recognized that certain users (e.g., System Administrators) may have the ability to access data contained in a system without being an authorized user of the system itself. Special care must be taken in these cases, as outlined in IT-03 System Administrator Policy.

7.5 IT staff who have specific security administration responsibilities must have the specific and appropriate training required to perform their role.

8.0 PROCESS:

8.1 Human Resources working with Department Managers will notify the IT department via email of all requests for access to Company information systems. This is to include all employee job changes, i.e., movements to other departments or divisions, job responsibility changes, maternity leave, layoffs, etc. IT must be informed via email of all employees leaving the Company.

8.2 Data Owners will be solicited for approval for all access to Application data. IT will maintain an approval matrix outlining exact data ownership.

8.3 Information Security Administrators will add/change/revoke all user access to Company information systems in a timely and accurate manner.

8.4 Human Resources, Data Owners, and Information Security Administrators will all participate in regular scheduled reviews of all system and application access rights that have been granted. These reviews will be logged for audit purposes.

9.0 REVISION HISTORY:

Rev #   Sec./Page No   Name              Change Date   Changes
0       -              Hong Chan Chuen   6-July-09     New

2-MAY-23