User Account Access Control Policy


1. Overview

Company will establish specific requirements for protecting information and information systems against unauthorized access. Company will effectively communicate the need for information and information system access control.

2. Purpose

The purpose of this policy is to set a standard and require procedures for validating, managing and reviewing user access to information systems.

Information security is the protection of information against actions such as accidental or malicious disclosure, modification or destruction. Information is an important and valuable asset of Company which must be managed with care. All information has value to the Company organization; however, not all of this information has equal value or requires the same level of protection.

Access controls are put in place to protect information by controlling who has the right to use the different levels of information resources and by guarding against unauthorized use of information and unauthorized access to resources. Formal procedures must control how access to the different kinds of information is granted and how such access is changed.

3. Scope

This policy applies to all Company Members, Committees, Departments, Partners, and Employees of the company (including system support staff with access to privileged administrative passwords), contractual third parties and agents of the company with any form of access to Company’s information and information systems.

4. Definition

Access control rules and procedures are required to regulate who can access Company information resources or systems and the associated access privileges. This policy applies at all times and should be adhered to whenever accessing Company information in any format, and on any device.

5. Policy

5.1 Types of Account for Access Control

Provisioning of accounts and their privileges across Company systems and applications must conform to the following requirements for each account type.

Default Accounts (predefined accounts, e.g. Administrator and Guest)

Default accounts shall be disabled, removed or renamed on all devices before the device is assigned to a user. Passwords for all renamed default accounts must be changed before the account is activated and access is given.

Service / Process Accounts

Service / Process account settings are defined in the System Configuration Policy and associated procedures.

Generic Accounts

Generic accounts which are disabled may be used as templates to create new accounts of various types as long as names and default passwords are changed in conformance with the Password Policy.

Privileged Accounts

Administrator and other privileged accounts shall be created only where needed to manage the system, and documentation of which user has access to each such account must be maintained. Procedures must be implemented to ensure separation of administrative duties and oversight.

Individual User Accounts

Each user account will be assigned one or more roles based on the user’s resource access requirements. Procedures that define the roles for different users and maintain a record of the access rights granted to each user will be maintained, along with the start and end dates of each right and the administrator who approved the role.

Temporary Accounts

From time to time temporary accounts will need to be created to allow work by short-term contractors, guests or auditors. These shall be explicitly created using the same role-based user access control method used for all individual user accounts. Each account must have an expiration date on which access will be revoked. Temporary account users must meet the workforce requirements for temporary workers as described in the Policy of Workforce.

External and Contractor Accounts

External users and contractors must meet the same standards as temporary account holders. Where such users are permanently assigned to the Company organization, the user must meet all of the requirements for Company staff called for in the Workforce Security Policy.

5.2 Access Log Inspection

Use of accounts shall be monitored and logs cross-checked as specified in the Information System Monitoring Policy.

Users shall be notified of actions taken on their accounts, such as when their accounts are created or modified or their access rights are changed; the notification will include the current Acceptable Use Policy.

5.3 De-Provisioning

User Accounts

User account access will be revoked immediately, and in any case within 1 day, of a user’s departure. The account may be suspended or deleted as necessary. Notice to the account administrator must be initiated as part of the termination process.

Temporary Accounts

Temporary accounts will be deactivated after the expiration date or the date of departure of the user, contractor or visitor, whichever occurs first. If no automatic expiration of the temporary account is configured, a point of contact (POC) must be designated to ensure that access to facilities and data is revoked as required.

Account Audit

Each [MONTH/ QUARTER YEAR/] an audit of all types of accounts will be conducted to ensure that all active accounts are provisioned only to individuals authorized as described above and that all accounts that should be deactivated or suspended are no longer active. The result of this account status audit shall be reported to the security compliance repository.
