10 Access Control


Document Classification: Internal

Information Security Management System

Standard Operating Procedure

Business: ISMS
Process: User Access Control
Document No.: ISMS-SOP-No.10
Author: Security & Compliance Manager
Process Owner: Security & Compliance Manager
Approved By: Chief Information Officer

Revision No: 1 (16/01/19), 2 (22/01/19), 3 (02/10/19)

Purpose: The policy ensures that registration and de-registration of IT user accounts for access to IT
networks and systems is conducted in a secure and timely manner and includes the requirements for
allocating user account privileges on a need-to-know basis, including when a user changes their job role.

Scope: This policy applies to all IT user accounts allocated to permanent, temporary and contractor
staff, as well as third parties. Wilson James IT shall enforce implementation of this policy.

Responsibility: It is the responsibility of the Process Owner to:
- Regularly review content to ensure the document is current and up-to-date with current legal
and best practice requirements
- Carry out a formal annual review of content to ensure compliance and suitability.
Information Security is the responsibility of every User and with your help and co-operation we
can all contribute to making Wilson James a safe and secure working environment.

Document Control: Printed copies are uncontrolled. It is the responsibility of the user to ensure that
they are using the latest issue of this document and all referenced forms, which are available in the
WJ-IMS (Intranet).

Record Keeping: IMS-SOP-No.2 Record Control identifies record keeping requirements for all documents used
within this procedure.

Continuous Improvement: Please send any process improvement suggestions to the Process Owner, who will
evaluate and implement accordingly.

Associated Standards: ISO27001: 2013

Revision 3 Document No: ISMS-SOP-No.10 Page 1 of 7



Contents
Annual Document Review Record ... 2
Document Change Record ... 3
Access Control Policy ... 4
Responsibilities ... 4
Unique User Accounts and Need-to-Know Access Rights and Privileges ... 4
New Users ... 5
Staff Leaver ... 6
Staff Role Changes/Movers ... 7
Regular Reviews of Access Rights and Privileges ... 7
Password Related Requirements ... 7

Document Appendix Index

No. / Title / Document Control

Annual Document Review Record

Confirmed that all documents have been reviewed and are current and up to date.

Reviewed By (Author): Name / Signed / Date
Approved By (Process Owner): Name / Signed / Date

Document Change Record

Date      Revision No.  Page/Step No.  Reason for and Details of Change
16/01/19  1             ALL            First issue of this ISMS SOP. Document Classification: Internal added to all pages.
22/01/19  2             ALL            Author/Process Owner changed to Information Security & Compliance Manager.
02/10/19  3             ALL            CIO replaced by ISMF.



Access Control Policy
Responsibilities
All Line Managers (in consultation with HR) are responsible for informing Wilson James IT as soon as possible of:
1. New staff requiring network and IT systems access;
2. Staff that are leaving and must no longer access the network and IT systems; and
3. Staff who require different access rights / privileges due to a change in their role.
The Head of IT shall undertake regular checks of all types of IT network and systems user account to ensure that
redundant accounts have been removed or disabled, and that existing access rights and privileges are
appropriate.

Unique User Accounts and Need-to-Know Access Rights and Privileges


Each user’s access privileges shall be authorised according to business needs. All privileges shall be assigned
based on job classification and function. Access control systems shall have a default ‘deny-all’ setting.
This includes the Development Environment which contains the source code and test data.
Every user shall use a unique user ID and a personal secret password for access to Wilson James’s IT network and
systems. The use of non-authenticated (e.g. no password) user IDs or user IDs not associated with a single
identified user are prohibited.
Shared or group user IDs are not permitted for user-level access. However, it is feasible that technology employed
by Wilson James does not always facilitate this requirement. In such cases, the Head of IT shall ensure that
appropriate compensating controls are in place which shall still allow Wilson James to audit and monitor
individual activities. Such exceptions to policy shall be approved by the Head of IT, and recorded.
Within 28 days of being allowed access to Wilson James’s IT network and systems, all users shall acknowledge
understanding of Wilson James’s information security policies by reading and signing Wilson James’:
- Information Security Policy
- Acceptable Use Policy
Failure to do so will result in access to the network and systems being suspended.
Where access has already been granted to Wilson James’s IT network and systems prior to this version of the
policy being issued, the policy shall apply retrospectively.
Users are enrolled on to the corporate Information Security Awareness training programme; failure to complete
the course material may result in suspension or restriction of access to Wilson James networks and systems.



New Users
The following steps shall be taken to register a new user for access to Wilson James’s network and IT systems.
Line Manager Responsibilities
Line Managers shall ensure that:
1. All new users have received induction training on the use of Wilson James’s network and IT systems. This
shall include an overview of information security policies, including information security and acceptable use
policy;
2. A formal communication (using approved Wilson James standards) is sent to the Wilson James IT to request
that a user be given access to the network and selected IT systems and applications, including the levels of
access required;
3. The following information is provided:
A. Person’s full name and employee reference number (ERN);
B. Description of the role and areas of the network and IT systems that the user is required to access to
perform their role;
C. Whether the user is a permanent employee, temporary employee, contractor or third party. For all
positions besides a permanent employee, the last date of employment is also required; and

Wilson James IT Responsibilities


Wilson James IT shall ensure that:
1. A unique network domain account is allocated to each new user;
2. The requested access privileges are granted, and that these are in line with the need-to-know principle, i.e.
each new user shall not be granted any other privileges than those required to perform their job role;
3. A formal communication (using approved Wilson James standards) is sent to the Line Manager who
requested the new user account and privileges, to confirm that the user account and access privileges have
been setup according to the request;
4. An up-to-date log of all access requests, and user accounts and privileges granted is maintained; and
5. Temporary users are removed as soon as the required access period has expired.



Staff Leaver
The following steps shall be taken to remove / disable an existing user that no longer requires access to Wilson
James’s network and IT systems.
Line Manager Responsibilities
Line Managers shall ensure that:
1. When Wilson James staff are dismissed, resign or made redundant, the Line Manager shall, in consultation
with HR, assess whether the user’s continued access to Wilson James’s network and IT systems during the
notice period constitutes a security risk;
2. If continued access poses a risk, access to Wilson James’s network and IT systems shall be withdrawn with
immediate effect;
3. If the user does not pose a security risk, access shall be withdrawn on the last day of employment;
4. A formal communication (using approved Wilson James standards) is sent to the Wilson James IT to request
that a user’s access to Wilson James’s network and IT systems be disabled;
5. The following information is provided:
A. Person’s full name;
B. Date on which access shall be revoked; and
C. A list of all user accounts and access privileges that shall be revoked.
6. A formal communication (using approved Wilson James standards) is sent to the relevant office manager to
inform them that the staff member is leaving Wilson James, and to provide the leaving date, and details of
buildings, offices, rooms and facilities that the staff member has had access to, including details of any shared
keypad access codes or keys;
7. On the last day of employment, the Line Manager shall also ensure that all Wilson James property issued to
the employee is returned (e.g. laptop, Personal Digital Assistant (PDA), mobile phone, physical access
devices); and
8. If a user’s role changes or a user transfers to a new role within the company and access is no longer required
to specific systems, it is the ‘out-going’ line manager’s responsibility to ensure user access permissions are
changed accordingly.

Wilson James IT Responsibilities


Wilson James IT shall ensure that:
1. All relevant IT user accounts are removed / disabled, including all access privileges;
2. A formal communication (using approved Wilson James standards) is sent to the Line Manager who made the
request to confirm that the user’s accounts have been removed / disabled, including all access privileges; and
3. An up-to-date log is maintained of all de-registration requests, and revoked privileges.



Staff Role Changes/Movers
When a staff member’s role changes within Wilson James, IT (and physical) access privileges shall be modified as
appropriate.
The following steps shall be taken to change the access rights to Wilson James’s network and IT systems.
Line Manager Responsibilities
Line Managers shall ensure that:
1. A formal communication (using approved Wilson James standards) is sent to the Wilson James IT to request
that a user’s access rights are changed;
2. The following information is provided:
a. Person’s full name;
b. Description of the user’s new role and the areas of the network and IT systems that the user requires
access to perform their new role;
c. Where appropriate, areas of the network and IT systems that the user no longer requires access to;
d. Whether it is a permanent or temporary change. For temporary changes, provide the last date that
access will be required.

Wilson James IT Responsibilities


Wilson James IT shall ensure that:
1. The requested access privileges are granted and removed / disabled, as appropriate;
2. A formal communication (using approved Wilson James standards) is sent to the Line Manager who
requested the change to confirm that the user’s access rights have been changed;
3. An up-to-date log is maintained of all access requests, and privileges granted and removed; and
4. Temporary access rights are removed after the required access period has expired (e.g. by using automatic
triggers within Microsoft Active Directory).
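The two time-limited cases in this SOP, a temporary user who must be removed when the access period ends (New Users, Wilson James IT step 5) and a temporary change of role whose extra rights must lapse (Movers, Wilson James IT step 4), can both be enforced by Active Directory itself rather than by a reminder in a diary. The following is an added example written for this page, not a script from Wilson James or from this SOP; it uses the RSAT ActiveDirectory cmdlets, and the OU path, group name, account names and dates are assumptions for illustration.

```powershell
# Added example, not part of the Wilson James SOP. Time-bounds access in Active
# Directory so that a temporary account (New Users, step 5) and a temporary
# change of role (Movers, step 4) lapse on the date the Line Manager supplied,
# with no manual follow-up. Needs the RSAT ActiveDirectory module. The OU, group,
# account details and dates below are assumptions for illustration.
Import-Module ActiveDirectory

# --- 1. Temporary user: account expiry enforced by the domain controller ---
# The Line Manager's request gives the last date of employment. accountExpires is
# checked at every logon, so the account stops working at 00:00 the following day.
$lastDayOfEmployment = Get-Date '2019-12-20'
$newUser = @{
    Name                  = 'Jane Contractor'
    SamAccountName        = 'jcontractor'
    UserPrincipalName     = 'jcontractor@example.local'
    Path                  = 'OU=Contractors,OU=Users,DC=example,DC=local'
    AccountExpirationDate = $lastDayOfEmployment.AddDays(1)
    Enabled               = $false   # enabled only when the first-time password is issued
    Description           = "Contractor; requested by Line Manager ERN 12345; ends $($lastDayOfEmployment.ToString('yyyy-MM-dd'))"
}
New-ADUser @newUser

# --- 2. Temporary change of role: time-bound group membership ---
# With the forest's Privileged Access Management feature enabled, AD removes the
# membership itself when the TTL runs out (the "automatic trigger" in step 4).
# The feature is enabled once per forest and cannot be turned off again, e.g.:
#   Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
#       -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
$coverEnds = (Get-Date '2019-11-30').AddDays(1)
Add-ADGroupMember -Identity 'GG-Finance-Reporting' -Members 'jbloggs' `
                  -MemberTimeToLive ($coverEnds - (Get-Date))

# --- 3. Evidence for the confirmation sent back to the Line Manager ---
Get-ADUser -Identity 'jcontractor' -Properties AccountExpirationDate |
    Select-Object SamAccountName, Enabled, AccountExpirationDate

# -ShowMemberTimeToLive prefixes time-limited members with "<TTL=seconds>"
Get-ADGroup -Identity 'GG-Finance-Reporting' -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```

Where the Privileged Access Management feature is not enabled, -MemberTimeToLive is not available and the membership stays until someone removes it; in that case the end date should at least be recorded on the object (as the Description field does for the account above) so that the quarterly review in the next section can pick it up.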

Regular Reviews of Access Rights and Privileges


The IT Manager shall ensure that regular reviews of access rights and privileges are undertaken. This shall apply
to all types of IT network, operating system, application and database user account to ensure that redundant
accounts have been removed or disabled, and that existing access rights and privileges are appropriate.
Information System Owners and Wilson James IT shall undertake quarterly checks to verify that user access rights
are being properly managed, and unnecessary rights shall be removed. Special access privileges (including ‘IT
administrator’ access) shall also be reviewed quarterly; these reviews shall also include the following:
1. Confirmation that adequate separation of duties is in place, especially for job roles with a high level of access
rights and privileges; and
2. Disablement of accounts that belong to existing staff after 60 days of inactivity.
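The quarterly checks above (redundant accounts, appropriateness of rights, separation of duties for highly privileged roles, and disablement after 60 days of inactivity) are easier to evidence when the raw lists come straight from the directory. The script below is an added example for this page, not a Wilson James tool; it uses the RSAT ActiveDirectory cmdlets, and the privileged group names, the separation-of-duties conflict pairs and the output folder are assumptions for illustration.

```powershell
# Added example, not part of the Wilson James SOP. Produces the evidence for the
# quarterly review of access rights from Active Directory: accounts of existing
# staff inactive for 60 days (to be disabled), members of privileged groups, a
# separation-of-duties check, and expired accounts that were never disabled.
# Needs the RSAT ActiveDirectory module. Group names, the conflict pairs and the
# output folder are assumptions for illustration.
Import-Module ActiveDirectory

$inactiveDays = 60
$cutoff       = (Get-Date).AddDays(-$inactiveDays)
$stamp        = Get-Date -Format 'yyyy-MM-dd'
$outDir       = '.\AccessReview'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# --- 1. Existing staff accounts not used for 60 days ---
# Search-ADAccount reads lastLogonTimestamp, which is only replicated when it is more
# than 14 days stale (default), so the result means "not seen for at least 60 days",
# never an exact last logon. Accounts created inside the window are excluded: a new
# starter who has not logged on yet is a New Users matter, not an inactive account.
$inactive = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $inactiveDays) -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, whenCreated, Manager, Description } |
    Where-Object { $_.whenCreated -lt $cutoff }

foreach ($user in $inactive) {
    # Disable, do not delete: the SID and group memberships survive, so a reviewer who
    # finds the absence was legitimate (long-term leave) can simply re-enable the account.
    # Remove -WhatIf once the Information System Owner has signed off the list.
    Set-ADUser -Identity $user.DistinguishedName -Description "Disabled by access review $stamp; was: $($user.Description)" -WhatIf
    Disable-ADAccount -Identity $user.DistinguishedName -WhatIf
}

# --- 2. Special access privileges: who holds administrator-level rights ---
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$privileged = foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, Manager
            [pscustomobject]@{
                Group          = $group
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled
                LastLogonDate  = $u.LastLogonDate
                Manager        = $u.Manager
            }
        }
}

# --- 3. Separation of duties: nobody should hold both halves of a conflicting pair ---
# The pairs come from the Information System Owner; these two are illustrative.
$conflictPairs = @(
    @{ Create = 'GG-Payments-Create'; Approve = 'GG-Payments-Approve' },
    @{ Create = 'GG-Payroll-Edit';    Approve = 'GG-Payroll-Release' }
)
$sodFindings = foreach ($pair in $conflictPairs) {
    $creators  = (Get-ADGroupMember -Identity $pair.Create  -Recursive).SamAccountName
    $approvers = (Get-ADGroupMember -Identity $pair.Approve -Recursive).SamAccountName
    foreach ($sam in ($creators | Where-Object { $approvers -contains $_ })) {
        [pscustomobject]@{ SamAccountName = $sam; Conflict = "$($pair.Create) + $($pair.Approve)" }
    }
}

# --- 4. Leavers whose expiry date has passed but who were never disabled ---
$expiredEnabled = Search-ADAccount -AccountExpired -UsersOnly | Where-Object { $_.Enabled }

# --- Evidence for the review record ---
$inactive       | Select-Object SamAccountName, LastLogonDate, whenCreated, Manager |
    Export-Csv "$outDir\$stamp-inactive.csv" -NoTypeInformation
$privileged     | Export-Csv "$outDir\$stamp-privileged.csv" -NoTypeInformation
$sodFindings    | Export-Csv "$outDir\$stamp-sod-conflicts.csv" -NoTypeInformation
$expiredEnabled | Select-Object SamAccountName, AccountExpirationDate |
    Export-Csv "$outDir\$stamp-expired-enabled.csv" -NoTypeInformation
```

The four CSV files are the artefacts a reviewer signs off; the disablement step is deliberately left in -WhatIf mode so that the list is approved before any account is touched. Note that this covers the directory only: application and database accounts that are not AD-integrated need their own extract for the same review.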

Password Related Requirements


Policy on the secure use of passwords is documented within Wilson James’s Information Security Policy and
Wilson James’s Acceptable Use Policy. These policies apply to passwords used for all the different
types of network, operating system, application and database user accounts.
In addition, the following policy applies:
1. First time passwords granted by the Wilson James IT for new accounts and password resets shall be unique,
i.e. each password shall be randomly generated; and



2. The Wilson James IT shall verify the identity of a user that requires a password reset, before undertaking the
password reset, e.g. by using an approved Wilson James standard method that involves formal
communications with the user’s Line Manager.
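Both requirements above have a concrete technical side: "randomly generated" should mean a cryptographic random source rather than a convenience function such as Get-Random, and the identity check should be something the help desk cannot skip. The following is an added example for this page, not a Wilson James procedure; it uses the RSAT ActiveDirectory cmdlets, and the account and manager names are assumptions for illustration.

```powershell
# Added example, not part of the Wilson James SOP. Issues a unique, randomly
# generated first-time password for a new account or a reset, after confirming
# that the request came from the Line Manager recorded against the user in AD.
# Needs the RSAT ActiveDirectory module; account and manager names are assumptions.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 20)
    # Get-Random is not a cryptographic generator; draw from the OS CSPRNG instead.
    # Ambiguous glyphs (0/O, 1/l/I) are omitted because the value is read out to the
    # user. Rejection sampling (discarding bytes >= $limit) avoids the bias that a
    # plain "byte % alphabet length" would introduce.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!$%&*+-=?@#'
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit    = 256 - (256 % $alphabet.Length)
    $chars    = New-Object char[] $Length
    $byte     = New-Object byte[] 1
    $i = 0
    while ($i -lt $Length) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) {
            $chars[$i] = $alphabet[$byte[0] % $alphabet.Length]
            $i++
        }
    }
    $rng.Dispose()
    return -join $chars
}

function Reset-FirstTimePassword {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$RequestedBy,   # SamAccountName of the Line Manager who sent the formal request
        [switch]$EnableNewAccount                    # only for accounts created disabled under New Users
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties Manager, PasswordNeverExpires

    # Identity check: the request must come from the manager AD holds for this user.
    # Anything else goes back through the formal communication route, not the help desk.
    $manager = if ($user.Manager) { (Get-ADUser -Identity $user.Manager).SamAccountName }
    if ($manager -ne $RequestedBy) {
        throw "Reset for $SamAccountName requested by $RequestedBy, but recorded Line Manager is '$manager'"
    }
    if ($user.PasswordNeverExpires) {
        throw "$SamAccountName has PasswordNeverExpires set; change-at-logon cannot be enforced"
    }

    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    # -Reset is an administrative reset: no old password is needed.
    Set-ADAccountPassword -Identity $SamAccountName -NewPassword $secure -Reset
    # The issued value is single-use: the user must replace it at first logon, so
    # Wilson James IT never holds a working password for the account.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    Unlock-ADAccount -Identity $SamAccountName
    if ($EnableNewAccount) { Enable-ADAccount -Identity $SamAccountName }
    return $plain   # hand over out-of-band (not by e-mail), then discard
}

# Example: jcontractor's recorded manager is 'asmith' and the request came from 'asmith'.
Reset-FirstTimePassword -SamAccountName 'jcontractor' -RequestedBy 'asmith' -EnableNewAccount
```

The manager comparison is only as good as the Manager attribute in AD, so keeping that field current is part of the Movers process rather than an afterthought; where it is blank the function refuses the reset, which is the safe failure.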

