The objective of the User Account Management Procedure is to design a generic, maintainable solution for the whole community of system and service managers.
User accounts offer a way of managing access, providing user accountability and tracking users' use of information, information systems and resources. User accounts can take various forms, from a system login to an ID access card. Therefore, the application of access controls, the management of user accounts and the monitoring of their use play an extremely important part in the overall security of information resources.
This procedure has been designed to describe the process of creating, modifying or deleting privileged user accounts from the Company business system.
1.1 PROCEDURE OWNER
1.3 APPLICABLE REGULATIONS
1.4 RELATED [COMPANY] NORMS AND PROCEDURES
1.6 AUDIENCE AND SCOPE
1.7 DOCUMENT SUPPORT
2. DEFINITIONS & ABBREVIATIONS
3.1 GENERAL TERMS
3.2 ADMINISTRATION OF PRIVILEGED USER ACCOUNTS AND THEIR ACCESS RIGHT
4. ROLES AND RESPONSIBILITIES
4.1 IT DIRECTOR
4.2 SYSTEM ADMINISTRATORS
4.3 INFORMATION SECURITY TEAM
4.4 EMPLOYEE WITH PRIVILEGED USER ACCOUNTS
6. FINAL CONSIDERATIONS
6.1 DISCIPLINARY ACTIONS AGAINST PROCEDURE VIOLATION
6.2 DOCUMENT REVISION
7. APPENDIX 1 – EXAMPLES OF PRIVILEGED ACCESS ACTIONS
The Access Control System Security Standard specifies the requirements with respect to the "need-to-know / need to have" principle, segregation of duties, user account management, access management, logging and access specific system configuration requirements.
The Remote Access Procedure was developed by the Company in order to define a common minimum baseline level of security for the provision of access to the Company’s systems from external locations which are not under the control of the Company.