The objective of the User Access Management Procedure is to define the actors and processes to grant/revoke/modify users' access rights, together with a method of reviewing and re-confirming the user list and specified permissions (profiles/access rights) for all applications used within the Company.
User administration is a technical control that must be implemented to ensure that information security and authorized access to systems are maintained. Identification is the means by which a user provides a claimed identity to a system. Authentication is the means by which this claim is validated. An identifier or user ID is usually a series of characters used to attempt to log in to a system. Until the user authenticates himself, he will have no access to the system. The identifier is a mechanism to allow the user controlled access to various resources, files, directories and printers on the system. The identifier must be unique to the user so that he can be held accountable for any actions performed using that identifier. When the user changes his role, is transferred or promoted, he should have his access rights changed to reflect his new role. When the user leaves the Company, his user identifier should be immediately removed from the system.
1.1 PROCEDURE OWNER
1.3 APPLICABLE REGULATIONS
1.4 RELATED [COMPANY] NORMS AND PROCEDURES
1.6 AUDIENCE AND SCOPE
1.7 DOCUMENT SUPPORT
2. DEFINITIONS & ABBREVIATIONS
4. RESPONSIBILITIES MATRIX / TASKS DETAILS
4.1 USER ACCOUNT CREATION, MODIFICATION AND DELETION/DISABLING ACTIVITIES
4.2 THIRD PARTY ACCESS TO THE INFORMATION SYSTEMS
4.3 GENERIC AND PRIVILEGED USER ACCOUNTS
5. REVIEW ACTIVITIES – REVIEW OF USER ACCOUNTS AND USER ACCESS RIGHTS
7. FINAL CONSIDERATIONS
7.1 DISCIPLINARY ACTIONS AGAINST PROCEDURE VIOLATION
7.2 DOCUMENT REVISION
The purpose of this policy is to lay out the general rules that must be followed in designing and implementing company-wide managerial, operational and technical access controls that prevent unauthorized access.
The objective of this policy is to define standards, procedures, and restrictions for end users who are connecting a personally-owned device to the Company's organization network for business purposes.