The Identity and Access Management Standard describes the management of individuals, their authentication, authorization, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.
This standard documents the security requirements for identity and access management within the Company.
The objectives of the standard are to:
a. Provide a statement of intent describing how identity and access management will be carried out in accordance with the Information Security and other requirements
b. Describe any system functionality / parameters that are necessary to fulfil security requirements
This standard is intended to assist the Company in addressing risks related to the management of identity and access, including application and platform access. Its audience consists of all IT security teams, contractors and outsourced service providers that are responsible for implementing and following this standard.
1.1 PROCEDURE OWNER
1.3 APPLICABLE REGULATIONS
1.4 RELATED [COMPANY] NORMS AND PROCEDURES
1.6 AUDIENCE AND SCOPE
1.7 DOCUMENT SUPPORT
2. DEFINITIONS & ABBREVIATIONS
3. IDENTITY AND ACCESS CONTROL REQUIREMENTS
3.1 LOGICAL ACCESS PROCESS
3.2 LOGICAL ACCESS ADMINISTRATION
3.3 LEAST PRIVILEGE
3.4 REVIEW OF PERMISSIONS
3.5 PRIVILEGED ACCOUNTS
3.7 IDENTIFICATION AND AUTHENTICATION
3.8 SIGN-ON PROCESS
3.10 PASSWORDS AND PINS
3.11 MONITORING AND LOGGING
3.13 USER AWARENESS
5. FINAL CONSIDERATIONS
5.1 DISCIPLINARY ACTIONS AGAINST PROCEDURE VIOLATION
5.2 DOCUMENT REVISION
The Compliance and Auditing Policy defines the approach to be taken to ensure the Company is compliant with legal, statutory, regulatory and contractual obligations related to information security and with any security requirements, standards and internal policies, guidelines and processes mandated by the Company.
The objective of this policy is to set the framework and regulations for controlling the logical access of users (employees and third-parties) to the Company information systems.