
DATA ACCESS AND USER AUTHENTICATION STANDARD

POLICY

DOCUMENT HISTORY

Version Date Authors Notes

REQUIRED REVIEW AND RECOMMENDATION

Name Title Reviewed

(Insert Name) (Insert Title) (Insert Date)

PURPOSE

The purpose of this access management policy is to ensure that access to all Company X systems and
applications is properly approved and monitored.

USING THE STANDARD

All Company X information security policies will be created, maintained and reviewed in accordance with the
enterprise information security policy.

SCOPE

Access to Company X’s system environment must be properly approved and monitored to provide the highest
levels of confidentiality, availability and integrity. This standard provides overall guidance for the consistent
granting, monitoring and removal of user access to Company X’s system environment.

ACCESS MANAGEMENT

USER ACCESS ROLES AND RESPONSIBILITIES

Roles and responsibilities for access management are defined as follows:
• Authorized Approver: Each system, application or database will have authorized approvers who are
responsible for ensuring that appropriate access is granted to the system.
− The list of approvers will be documented.
− Each approver will be appropriate senior management who has direct ownership of the system and/or data.
− In the case of multiple approvers, approval authority should be well-defined as it relates to each approver's
level of authority over the system, application or database.
− When an employee is terminated and leaves the company, the employee’s manager is responsible for
completing a termination/resignation form and submitting it to the help desk. The help desk will then disable
the Active Directory account based on the termination/resignation form.

APPROVAL REQUIREMENTS
• All access must be approved, in writing or by email, by an authorized approver (Insert Title) before access is
granted to the system or information. This approval must be recorded on the computer equipment and new-hire
order form, which specifies the user's required privileges.
• Access approval documentation must be retained by user account administrators in accordance with the data
retention policy.

REVIEW REQUIREMENTS
• Access to each system, application or database must be reviewed quarterly.
• An access list must be generated from the system for review by the owners of critical network systems.
• The access list must contain the following information:
− Username
− Unique Identifier (i.e., network ID)
− User ID
− Access Level
• Review documentation must be retained by the owners.

REMOVAL REQUIREMENTS
• The employee’s manager must immediately notify the help desk of employee terminations and job transfers
and submit a termination/resignation form. Once the employee record is terminated in the PeopleSoft HR
application, the account is inactivated within 24 hours.
• Access to each system, application or database must be disabled immediately.
− Weekly audit reports comparing Active Directory and Unix user accounts with PeopleSoft employee records
are emailed to the help desk. The help desk reviews the reports and requests removal of all unmatched
non-system accounts from the employee’s manager.
• User accounts that have not been used in 90 days must be disabled.

USER ID REQUIREMENTS
• User IDs must be unique and assigned to a specific individual.
• Generic user IDs must not be created or used based on job function.
• Direct login to systems using the shared system-level password must be disabled; a login or privilege-elevation
program that enforces individual accountability (e.g., sudo) must be used instead.
• Default and generic administrative accounts must be disabled.
• User IDs must not be able to establish more than one concurrent connection.
• User IDs assigned to vendors for maintenance purposes must only be activated as needed and have an
automatic expiration of seven days.
• User IDs granted to contractors, consultants and/or temporary employees must automatically expire six
months after initiation and be renewed for each six-month period thereafter.
• Inactive user IDs will be revoked after 30 days.

ACCESS ASSIGNMENT REQUIREMENTS
Some systems only have administrator and/or read access; however, when multiple access requirements and
functionality exist in a system, application or database, the following standards apply:
• Users must not be granted functionality by copying the privileges of another user ID with similar job
responsibilities.
• Access must be granted using approved and established role-based security.
• Roles and their system functionality must be well-defined and documented.
• Changes to access roles must follow the approval requirements described above.
• Segregation-of-duties conflicts must be documented for each system and confirmed before roles are assigned
to individual user IDs.
• Assignment of access must correlate directly to the approval documentation.
• All user accounts must be established with a randomly generated strong password.
• All user accounts must be established with settings that force a password change at first login, if the
application has this functionality.
• User accounts assigned to vendors for support must remain disabled until required for use. These accounts
must also be monitored while in use to ensure that all activity is validly authorized.

Source: www.knowledgeleader.com