ISMS Policies

User Access and Privilege Management Policy

1. Objective

To control and regulate access to Integra IT systems, and to monitor and manage that access, in order to ensure the security of systems and data.

2. Scope

This policy applies to all systems owned, managed and operated by Integra, and to all staff and users, including the administrators of these systems.

3. Reference

Standards: ISO 27001:2022 Information Security Management System

Controls: A 5.16, A 5.17, A 5.18, A 8.2, A 8.18

Definition

Integra is committed to implementing a comprehensive user access and privilege management program. This responsibility is delegated to the following groups and individuals.

4. General Principles

5.1 System Administration

The system administration team is responsible for:

  • Ensuring account creation and management are performed in accordance with this policy.
  • Managing user access to systems and user privileges in compliance with this policy.
  • Monitoring and reporting attempted and actual breaches of system access and privileges.
  • Periodically reviewing user access rights and privileges for key applications and systems.
  • Periodically verifying system monitoring controls and processes.
  • Day-to-day management of logical access.
  • Reporting detected incidents to the ISMG.

Process to follow before handing over laptops:

  1. Register the device super administrator with itsupport@globalintegra.net.
  2. Install antivirus.
  3. Create a new user with standard access and register a new Microsoft account for the user with their official email ID.
  4. Update the antivirus.
  5. Install the VPN and set up connectivity for all users.

5.2 Information Security Management Group (ISMG)

The ISMG is responsible for:

  • Handling incidents raised by systems administration.
  • Periodically auditing systems to confirm appropriate access.
  • Investigating non-compliances and taking appropriate action as required.

5.3 User

The users are responsible for:

  • Utilizing access as allocated.
  • Requesting access to be removed when no longer required.

5.4 User Access and Privilege Management

5.4.1 Privilege Management

System access, application access and the associated privileges must be restricted and provided only to users with a legitimate business need, via an approved formal authorization process.

The authorization process for privilege allocation must record all access provided and the relevant authorizer. Privileges must be granted only after the appropriate authorization has been given. Privileges should be allocated to users based on their role requirements, on a system-by-system basis.

Requests for system access and privilege allocation should be submitted in writing, by email, from the department head to IT.

System administrative privileges, or other escalated privileges not required for routine business use, should be allocated to a separate but still individual user profile, to be used for escalated-privilege functions only.

5.4.2 Application Access Control

Access to applications and the level of privilege within applications must be strictly controlled to protect the confidentiality, integrity, and availability of the application and its data.

Application systems must ensure that users cannot bypass system controls by using the application system or its related information to gain access to data or systems for which they have not been authorized.

Application systems should provide granular access for users so that the principle of least privilege is maintained: users can access only those items they have a need to access.

Application documentation should be targeted at the type of user accessing the system and should avoid providing information that user does not require.

Applications have a default session timeout of 30 minutes, so that a user has to log in again if the system is left unattended for that period.

Highly sensitive systems may need to be isolated from the standard network. The system administrator should assess this need at periodic intervals.

5.4.3 Administrative Access Accounts

Administrative access privileges must not be granted to standard user accounts; instead a separate account should be used for administrative privileges.

Generally, there should not be more than two people with administrative access to a system.

5.4.4 Remote Users

"Work from Home" (WFH) users must make sure that they do not connect company devices to unsecured networks. All such users must follow the Password Policy and the Acceptable Asset Usage Policy.

5.4.5 Password Controls

Password controls must be managed in accordance with the Password policy for Integra.

5.4.6 Monitoring of System Access and Use

Monitoring of System access and use must be managed in accordance with the systems management policy.

5.4.7 Review of User Access Rights

User access rights must be reviewed regularly, at least once a month. Privileged system and application access must likewise be reviewed at least once a month.

Any access no longer required must be removed. Requests for access and privilege removal should be submitted in writing, by email, from the department head to IT.

5.4.8 Use of System Utilities

Only the system administrator is permitted to use system utilities that are capable of overriding system and application controls.