The Identity and Access Management Standard describes the management of individuals, their authentication, authorization, and privileges within or across system and enterprise boundaries, with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.
This standard documents the security requirements for identity and access management within the Company.
The objectives of the standard are to:
a. Provide a statement of intent describing how identity and access management will be carried out in accordance with the Information Security and other requirements
b. Describe any system functionality / parameters that are necessary to fulfil security requirements
This standard is intended to assist the Company in addressing risks related to the management of identity and access, including application and platform access. Its audience consists of all IT security teams, contractors and outsourced service providers that are responsible for implementing and following this standard.
1.1 PROCEDURE OWNER
1.3 APPLICABLE REGULATIONS
1.4 RELATED [COMPANY] NORMS AND PROCEDURES
1.6 AUDIENCE AND SCOPE
1.7 DOCUMENT SUPPORT
2. DEFINITIONS & ABBREVIATIONS
3. IDENTITY AND ACCESS CONTROL REQUIREMENTS
3.1 LOGICAL ACCESS PROCESS
3.2 LOGICAL ACCESS ADMINISTRATION
3.3 LEAST PRIVILEGE
3.4 REVIEW OF PERMISSIONS
3.5 PRIVILEGED ACCOUNTS
3.7 IDENTIFICATION AND AUTHENTICATION
3.8 SIGN-ON PROCESS
3.10 PASSWORDS AND PINS
3.11 MONITORING AND LOGGING
3.13 USER AWARENESS
5. FINAL CONSIDERATIONS
5.1 DISCIPLINARY ACTIONS AGAINST PROCEDURE VIOLATION
5.2 DOCUMENT REVISION
The objective of the Cryptographic Controls Standard is to outline the minimum information security controls which must be applied when cryptographic services and solutions are utilized by the Company. Specifically, this Standard focuses on key management requirements, acceptable algorithms, appropriate key lengths, and raises pertinent regulatory considerations relating to the use of cryptography.
The objective of this policy is to set the framework and regulations for controlling the logical access of users (employees and third-parties) to the Company information systems.