
IT - Access Control Policy
REVISION HISTORY
Version Number   Author   Date of Revision   Sections Affected
1                XXXX                        All

AUTHORIZATION
Prepared by Date

Reviewed By

Approved By
Table of Contents:

1. SCOPE ...................................................................................................................... 3

2. POLICY STATEMENT .......................................................................................... 3

2.1 USER ACCOUNT MANAGEMENT ..................................................................... 4

2.2 PRIVILEGE MANAGEMENT .............................................................................. 4

2.3 PASSWORD MANAGEMENT .............................................................................. 4

2.4 OPERATING SYSTEM, APPLICATIONS & DATABASES ............................ 5

2.5 MONITORING ACCESS AND USAGE ............................................................... 6

2.6 MOBILE COMPUTING ......................................................................................... 6

3. COMPLIANCE WITH THE POLICY.................................................................. 7

4. VIOLATION OF THE POLICY ............................................................................ 7

4.1. CONSEQUENCES OF VIOLATION OF THE POLICY .................................. 7

5. CONTACT ROLE FOR CLARIFICATIONS REGARDING THE POLICY .. 7

1. Scope
This policy applies to all users of information assets including Company employees, employees
of temporary employment agencies, vendors, business partners, and contractor personnel and
functional units regardless of geographic location.

2. Policy Statement
The purpose of this policy is to ensure an appropriate level of protection for COMPANY's
information assets and to preserve the integrity, availability and confidentiality of those
assets.

2.1 User Account Management
All users must be granted access to the information systems through a unique user
account. They must not have multiple accounts within the same computing
environment.
User credentials required for access to various information systems must consist of
a user ID and password or other credential (such as token) that is unique to an
individual.
Common user IDs must not be used unless they are absolutely essential. Common
user IDs must not be issued to multiple users when it is technically and functionally
feasible to provide individual user IDs. In situations where a common user ID is
required, authorizations must be obtained from appropriate authorities before
providing access.
Users must not be allowed to log on to Business Applications simultaneously from
two or more different terminals/nodes.
User accounts that are inactive for more than 30 days must be disabled.
If a user is going on leave for a period of more than 30 days, the user must inform the
appropriate authorities so that the user account is temporarily deactivated for the period
of absence.
Default user accounts shipped with software and hardware must be disabled.
For contract employees and consultants, a user account with an expiration date that
coincides with the conclusion of the contracted project shall be created after approval
from the appropriate authorities.
Five successive failed log-on attempts must lock the user account; the user must not be
able to log in until the account is unlocked and the password is reset.
Terminals must be set to lock after 15 minutes of inactivity.
User credentials must be removed and access privileges must be revoked on the day
the employee leaves (by Resignation, Involuntary, or Termination) the organization.
User accounts on various information systems must be reviewed on a monthly basis
to ensure that accounts that are not necessary do not remain in the system.

2.2 Privilege Management

Privileges associated with each type of Operating System, Business Applications,
Databases and Network Elements must be identified and documented.
Minimum privileges required for every job function and role must be identified
based on discussions with the functional teams.
Privileges must be allocated to individuals based on the requirements of their job
function and role, on authorization from appropriate personnel. Additional privileges
more than what is required for the job function must be allowed only after getting
approval from appropriate personnel.
Privileges allocated must be periodically reviewed and any exceptions must be
addressed at the earliest.

2.3 Password Management

User Password Management:

All User passwords (Individual as well as Administrator) must remain confidential
and must not be shared, posted or otherwise divulged in any manner.

Passwords must consist of at least eight characters. The passwords selected must be
a combination of alphanumeric characters along with special characters wherever
the system supports them.
An initial password shall be provided to the users during the user creation process
and the system shall be configured to force the users to change the initial password
immediately after the first logon.
Passwords shall expire after 30 days, and the system shall remind the user to change
the password before then. The minimum password age shall be 2 days.
A password history of 5 shall be maintained.
The users shall be provided with the capability to change their password on the login
interface (after authentication).
The user-ID and password must be authenticated as a whole. Authentication failure
must provide an error message to the user that does not indicate whether the user ID
or the password is incorrect (e.g. "incorrect login" and not "incorrect User name/
Password").
Appropriate procedures shall be put in place for the storage and management of
administrative passwords for critical information systems. Passwords must be kept
in a sealed envelope and must be stored and managed securely.
Where, due to system limitations or business necessity, any part of the password policy
cannot be followed, specific compensating mechanisms must be put in place to mitigate
the risk of not following the password policy.

Administrator Password management:

Administrative passwords are subject to stringent composition, frequent change, and
limited access. This includes passwords for routers, switches, WAN links, firewalls,
servers, Internet connections, administrative-level network operating system
accounts, and any other IT resource.

Passwords for administrative resources must meet the following criteria:
Password is at least 10 characters long.
Password contains mixed case.
Password contains at least three non-alphanumeric characters.
Password contains at least two numbers.
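Added example, not part of the policy text: a Python check that implements the composition rules of section 2.3 for user passwords (at least eight characters, alphanumeric plus a special character wherever the system supports one) and for administrative passwords (the four criteria listed above). It returns the list of criteria a candidate password fails, which is what a provisioning or password-change hook would report back; the `system_supports_special` parameter is an assumption introduced here.

```python
import string

# Special characters as understood by this check (assumption: ASCII punctuation).
SPECIAL = set(string.punctuation)


def user_password_violations(pw: str, system_supports_special: bool = True) -> list[str]:
    """Section 2.3, User Password Management.

    Requirements: at least eight characters, a combination of alphanumeric
    characters, plus special characters wherever the system supports them.
    Returns the violated requirements; an empty list means compliant.
    """
    violations = []
    if len(pw) < 8:
        violations.append("fewer than 8 characters")
    if not any(c.isalpha() for c in pw) or not any(c.isdigit() for c in pw):
        violations.append("must combine letters and digits")
    if system_supports_special and not any(c in SPECIAL for c in pw):
        violations.append("must include a special character")
    return violations


def admin_password_violations(pw: str) -> list[str]:
    """Section 2.3, Administrator Password management.

    Requirements: at least 10 characters, mixed case, at least three
    non-alphanumeric characters, at least two numbers.
    """
    violations = []
    if len(pw) < 10:
        violations.append("fewer than 10 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        violations.append("must contain mixed case")
    if sum(1 for c in pw if not c.isalnum()) < 3:
        violations.append("fewer than 3 non-alphanumeric characters")
    if sum(1 for c in pw if c.isdigit()) < 2:
        violations.append("fewer than 2 numbers")
    return violations
```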

2.4 Operating System, Applications & Databases

Minimum Baseline Security Standards (MBSS) for all Operating Systems and
applications must be developed and maintained. All installations of the operating
systems and applications must be configured as per the MBSS.
Log-on process to Operating System, Application and Database must:
Display a legal caption, warning the users that the computer must only be
accessed by authorized users;

Not provide help messages during the log-on procedure that would aid an
unauthorized user;
Validate the log-on information only on completion of all input data. If an error
condition arises, the system must not indicate which part of the data is correct or
incorrect;
Where supported by the system, date and time of the previous successful log-on and
details of any unsuccessful log-on attempts since the last successful log-on shall be
displayed on completion of a successful log-on;
Wherever applicable, access to various system utilities must be controlled to ensure
that the users do not obtain more information than what they require to perform their
job function.
Wherever technically feasible, Operating Systems, Applications, Databases and
Terminals/servers must timeout and clear the screen automatically if the terminal is
inactive for more than 15 minutes.
Sensitive applications must be identified and isolated from the normal computing
environment.
No employee must have direct access to the database of the application system.
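Added example, not from the policy: a Python sketch of the log-on flow that this section and section 2.1 require. The user ID and password are validated as a whole, every failure yields the same message, five successive failures lock the account, and a successful log-on reports the previous success and the unsuccessful attempts since it. The account store and the sample accounts in demo() are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
import hmac

LOCKOUT_THRESHOLD = 5                # section 2.1: five successive failures lock the account
GENERIC_FAILURE = "incorrect login"  # sections 2.3/2.4: one message for every failure cause


@dataclass
class Account:
    password: str                    # constructed sample; a real system stores a salted hash
    locked: bool = False
    failed_attempts: int = 0
    last_success: "datetime | None" = None
    failures_since_success: int = 0


def attempt_logon(accounts: dict, user_id: str, password: str, now: datetime):
    """Validate user ID and password as a whole; return (success, message)."""
    acct = accounts.get(user_id)
    # Unknown ID, wrong password and locked account all take the same path and
    # yield the same message, so the error reveals nothing about which part failed.
    match = hmac.compare_digest(acct.password if acct else "", password)
    if acct is None or acct.locked or not match:
        if acct is not None and not acct.locked:
            acct.failed_attempts += 1
            acct.failures_since_success += 1
            if acct.failed_attempts >= LOCKOUT_THRESHOLD:
                acct.locked = True   # stays locked until unlocked and the password is reset
        return False, GENERIC_FAILURE
    # Successful log-on: show the previous success and unsuccessful attempts since it.
    message = (f"previous successful log-on: {acct.last_success}; "
               f"unsuccessful attempts since then: {acct.failures_since_success}")
    acct.last_success, acct.failed_attempts, acct.failures_since_success = now, 0, 0
    return True, message


def demo() -> dict:
    """Constructed scenario exercising the rules above; returns the observable outcomes."""
    accounts = {"alice": Account("Summer2024!"), "bob": Account("Winter2024!")}
    t = datetime(2024, 1, 1, 9, 0)
    unknown_msg = attempt_logon(accounts, "nobody", "x", t)[1]
    wrong_pw_msg = attempt_logon(accounts, "alice", "x", t)[1]
    for _ in range(LOCKOUT_THRESHOLD):
        attempt_logon(accounts, "bob", "guess", t)
    bob_after_lock = attempt_logon(accounts, "bob", "Winter2024!", t)[0]
    alice_ok, alice_msg = attempt_logon(accounts, "alice", "Summer2024!", t)
    return {"unknown_msg": unknown_msg, "wrong_pw_msg": wrong_pw_msg,
            "bob_locked": accounts["bob"].locked, "bob_after_lock": bob_after_lock,
            "alice_ok": alice_ok, "alice_msg": alice_msg}
```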

2.5 Monitoring Access and Usage

All user activities must be logged by the Operating Systems, Applications,
Databases and Network Elements. Where logging degrades the performance of the
systems, restrictive logging and monitoring of critical commands may be configured
after obtaining the approval of Head IT.
Audit trails from Operating Systems, Databases, Applications and Network
Elements must be monitored periodically by operations personnel and reviewed by
IT personnel.
A system shall be put in place to ensure that all the servers, network equipment and
desktops are synchronized to have the same time.
Access to audit trails, both in electronic and hard copy form, must be limited on a
need-to-know basis. System platforms must have access controls enabled for audit
trails so as to restrict creation, writing or modification of audit trails.
All audit trail files must be archived periodically so that events can be reconstructed
in the event of a security incident.

2.6 Mobile Computing

COMPANY should ensure that mobile computing devices used to connect to
COMPANY's network do so in a secure manner and do not compromise the
integrity, confidentiality or availability of COMPANY information in any way.
COMPANY information stored on mobile computing devices should be
protected by applying appropriate access control procedures.
Only COMPANY approved mobile computing devices may be used to access its
information systems.
Mobile computing devices shall be protected by passwords as per the Password
Management Policies (Refer 4.3).
Antivirus shall be updated on all mobile computing devices.
Non-COMPANY mobile computing devices that require network connectivity shall
require prior approval of Head IT.
Unattended mobile computing devices must be physically secure. This means they
must be locked in an office, locked in a desk drawer or filing cabinet, or attached to
a desk or cabinet via a cable lock system.
Users shall carry the mobile computing devices as hand baggage during travel.

3. Compliance with the Policy

Compliance with this policy is mandatory. COMPANY Department Heads shall ensure continuous
monitoring within their departments. Compliance with this policy shall be a matter for periodic
review by Head IT.

4. Violation of the Policy

Any employee who discovers a breach of this policy shall notify the Head IT. Violations of the
policies of COMPANY shall result in disciplinary action by management.

4.1. Consequences of violation of the Policy

Disciplinary action shall be consistent with the severity of the incident, as determined by an
investigation, and may include, but not be limited to:

Loss of access privileges to information assets, and
Other actions as deemed appropriate by Management, Human Resources, and
the Legal Department.

5. Contact role for clarifications regarding the Policy

The sponsor of this policy is the Head IT. The Head IT is responsible for maintenance and
accuracy of the policy.

