Access Management Policy
Overview
1. Purpose
The objectives of this procedure are:
- Restrict access to Edge Services and Solutions LLC (hereinafter called the ‘Company’) and all its subsidiaries’ information assets in accordance with business requirements.
- Prevent unauthorized access to information systems.
- Ensure information access controls are implemented to meet any relevant contractual requirements.
2. Scope and Applicability
The scope covers all information systems of the Company and all its subsidiaries.
This policy is applicable to functions, departments, employees and third-party contractors using or having access to Company information and information assets.
3. User Access Management
User account creation and deletion
- User account creation: HR should raise a request for any employee user account creation through mail or the ITSM tool (JIRA). Based on the request, the IT Team should create the user account.
- IT-System and Application user account creation: The Line Manager should raise / approve a request for his/her team members’ user account creation through mail or ITSM. Based on the request and appropriate approval, the IT Team should create the user account according to the team member’s job role.
- Temporary user accounts shall be created for third-party contractors / consultants / vendors. The department manager should raise / approve the request to the IT Manager. Based on the request, the IT Manager should create the user account according to the user’s job role.
- Temporary ID shall be created with a unique identifier to distinguish from internal Employee ID.
- All temporary user IDs shall be created with an end date. The maximum validity of a temporary ID should be 6 months from the date of creation.
- The level of access granted to each user should be based on business requirements only.
- During employee termination, the respective function head / line manager should inform the HR function. The HR team sends the notification to the IT Team. The IT Team should deactivate the employee’s user account (the account shall be disabled and its assigned licenses revoked) on or before the effective termination date.
- The disabled user account shall be retained for a period of 90 days to allow retrieval of any project-related data from the respective Resources. After 90 days the user ID shall be deleted.
- Authorization records for all the access registration shall be maintained for audit purpose.
- The IT Manager should be responsible for user account lifecycle management (including creation, modification, and deletion).
User Access Provisioning
- Users (Employees, third-party contractors / consultants / vendors) who require logical access to Company information systems should follow the approval process. Approval is sought through email / in ITSM from the Team Head as well as the IT Manager.
- The approval should be granted after verifying that the requested access rights are appropriate to the job role.
- Users (Employees, third-party contractors / consultants / vendors) who require remote access to Company information systems should follow the remote working approval process. Approval is sought through hardcopy / email from the Human Resources Director.
- A Generic ID shall not be provisioned unless it is explicitly approved by the department head and the Cyber Security Head. Details of users who have been granted the right to use this ID shall be documented and reviewed periodically by IT.
- For contract employees and vendors, user account should be created with expiration date where feasible in accordance with contract duration, else care should be taken by the system administrator to disable the account at the end of contract. For extension of user account validity beyond the end date of contract, explicit approval is required from department head and Cyber Security Head.
Management of Privileged Access Rights
- System administrators, IT – network administrators, application administrators along with the Cyber Security Head should identify all the privileges associated with all operating systems, business applications, databases and network elements used within Company.
- Privileges are granted to users on two occasions: during the creation of user accounts, and when a user requests additional privileges due to changes in job function or changes in responsibilities.
- Users assigned high privileges for special purposes should be required to use a different user identity for normal business use.
Management of Secret Authentication Information of Users
- All newly created user IDs should be assigned a temporary password which is to be changed immediately upon first logon.
- Any user requesting a change in password or account reset should be duly verified.
- The exchange of temporary passwords should be over a secure medium where records are automatically deleted after a set time interval or after first retrieval.
- Default vendor passwords should be changed following the installation of any new system or software.
Review of User Access Rights
- All user access rights should be reviewed at least annually.
- OS (Operating System) level, Application level privileged and DB (Database) level privileged user account review should be performed on a quarterly basis.
- Necessary actions should be performed in case of any ambiguity found during the review.
Removal or Adjustment of Access Rights
- Any modifications for existing user access rights should be approved by the Department Head / Line Manager and communicated to the system administrators / application owner / IT for implementation.
- The access rights of all employees, contract employees and service providers to information and information processing facilities should be removed on termination of their employment / contract / agreement or modified for any change in their designation / status.
- IT and HR shall also coordinate with the client/customer for removal of accounts for terminated/removed users in client/customer application systems.
4. Information System Access Control
Information Access Restriction
- Access to information and application systems should be on a “need-to-know” basis.
- System administrator or the person performing the equivalent role should maintain the updated access control matrix with privileges assigned to the users.
Secure Log-on Procedures
The operating systems of servers, workstations and/or network devices should be controlled through a secure log-on procedure with the following characteristics:
- System or application identifiers should not be displayed until the log-on process has been successfully completed.
- A general notice shall be displayed stating, “The computer/ network element should only be accessed by authorized users”.
- Help messages that would aid an unauthorized user should not be provided during the log-on procedure.
- The password being entered should not be displayed.
- Passwords should not be transmitted in clear text over a network.
- The date and time of the previous successful log-on and details of any unsuccessful log-on attempts should be displayed.
- Default accounts must be renamed wherever possible, or deleted wherever applicable.
Access to Networks and Network Services
Apply the following controls for user access to networks and network services:
- Virtual Private Cloud (VPC: a secure, isolated private cloud hosted within a public cloud) shall be enabled with two-factor authentication. While connected through the VPC to the Company core network, connection to other networks shall be restricted as necessary;
- Enforce controls to ensure limited user access to information and network services;
- Provide users access only to the services that they are specifically authorized to use;
- Develop and implement authorization process to ensure that only users who are allowed can access the network segments and services;
- Apply appropriate authentication mechanisms for users and information systems;
- Ensure that access rights of all users who have changed roles/jobs are revoked immediately;
- Ensure that the User IDs of all users who have left the Company are disabled immediately;
- User ID which is inactive for more than 90 days should be deactivated. Last login date should be considered to determine the period of inactivity;
- Requests for group accounts, password sharing, or other authorization mechanisms should be approved by a relevant authority after considering business justification.
Password Management System
- Password parameters in operating system, applications, databases and network equipment should be configured as per password management policy.
- Password managers should be utilized to store any credentials in a secure manner.
- Wherever password policies cannot be configured due to certain limitations, the exception should be documented and authorized by the Cyber Security Head.
Use of Privileged Utility Programs
- Any use of utility programs that could override the system and application controls should be restricted and controlled. Only utilities authorized for the remote management of the servers, workstations and network devices should be used.
- It should be ensured that vendor/ supplier default utilities are disabled during new server or network device commissioning.
- If utility programs need to be used for troubleshooting purposes, administrators of the servers and network devices should ensure that such utilities are enabled only after approval from the information security head and are disabled immediately after use.
Systems Hardening
- Access to information and computer systems must be provided with the least privileges required by the users. Only IT administrators should have administrative access to any information and computer system.
- All information and computer systems must have Endpoint Detection and Response solution installed and configured to standard profile.
- External media (USBs, etc.) access should be restricted on information and computer systems. Exceptions may only be provided with documented approval from the team lead, IT Director and Cyber Security Head.
- All company equipment with storage media should be configured to encrypt data at rest, in particular:
  - Windows systems are configured with BitLocker on all drives.
  - macOS-based systems are configured with FileVault for complete disk encryption.
Access Control to Program Source Code
- Access to program source code and associated items (such as designs, specifications, verification plans and validation plans) should be strictly controlled, in order to prevent the risk of unauthorized access, introduction of unauthorized functionality and unintentional changes.
- Adequate access control procedures should be established to authorize access to source code and to govern its storage, copying and maintenance.
5. Reference
Refer to the link provided for the detailed Information Security Policy: