Access Control Policy - 003 - V1.0


ACCESS CONTROL POLICY

Version 1.0

DOC NO: COMPPORT/IT/ACP/2018/003 INTERNAL USE


Compport IT Solution
Access Control Policy 1

Document Control

S. No. | Type of Information | Document Data
1. | Title | Access Control Policy
2. | Date of Release | 1 October 2018
3. | Document No. | COMPPORT/IT/ACP/2018/003
4. | Document Version No. | V 1.0
5. | Document Owner | CISO
6. | Document Author(s) | CISO
7. | Document Reviewer/Approver | Founder & Managing Partner

Document Update Summary

Version No. | Revision Date | Nature of Change | Date Approved
V 1.0 | | |


Table of Contents
1. Access Control Policy
1.1 Responsibility
1.2 Definitions
1.3 Objective
1.4 User Access Management
1.4.1 User Registration and De-registration
1.4.2 Privilege Access Rights Management
1.4.3 Password Management
1.4.4 Management of Secret Authentication Information of Users
1.4.5 Review of User Access Rights
1.4.6 Removal or Adjustment of Access Rights
1.5 User Responsibilities for Access Management
1.5.1 Clear Desk and Clear Screen
1.5.2 Password Use
1.5.3 Unattended User Equipment
1.6 Network Access Control
1.6.1 Remote Access
1.6.2 Equipment Identification in Network
1.6.3 Network Routing
1.7 Operating System Access Control
1.7.1 Secure Log-on Procedure
1.7.2 User Identification and Authentication
1.7.3 Use of Privileged System Utilities
1.7.4 Session Time-out
1.8 System and Application Access Control
1.9 Reference
• ISMS 27001:2013: Annexure A


1. Access Control Policy


The Access Control Policy defines the controls that must be implemented and maintained in order to protect
information assets against unauthorized access that might pose substantial risk to the organization. The policy
intends to establish adequate controls for user-access management, network access, operating system, database
and application access within Compport IT Solution. This policy shall also apply to Third Party Service Providers
that have such access or can grant such access rights to other users.
1.1 Responsibility
It is the responsibility of the Functional SPOCs/HODs (department-wise) to implement and enforce the
controls defined within the Access Control Policy. It is the responsibility of the Chief Information Security Officer
(CISO), Mr Rakesh Saoji, to monitor critical access rights of important business applications.
It is the responsibility of the HR function to coordinate with the CISO and Functional SPOCs/HODs for User ID
management controls.
1.2 Definitions
Information System - A combination of hardware, software, infrastructure and trained personnel organized
to facilitate planning, control, coordination, and decision making in an organization.
Information system in this policy shall refer to Business applications, Support applications, Operating
Systems, Databases and Network Infrastructure.
1.3 Objective

Access to the information systems shall be controlled based on business and security requirements and
shall be commensurate with the asset classification. Access controls shall be deployed based on the
principle of “need-to-have” in order to protect information from unauthorized access.
The objectives of the Access Control Policy are to:
• Control access to information assets as per the business requirement;
• Prevent unauthorized access to information systems and to information held within database and
application systems;
• Ensure that information access controls are implemented to meet any relevant contractual or regulatory
requirements, as applicable; and
• Implement access controls that are aligned with the information classification of the asset.
1.4 User Access Management
The allocation of access rights to information systems and services shall be done in accordance with the
requirement raised by the supervisor and approved by the HOD. The policy encompasses all stages in the life-cycle of
user access:
• Initial registration of users;
• Transfer of users to other departments / projects / profiles; and
• De-registration of users.
Special attention has to be given, where required, to controlling the allocation of privileged / administrative /
generic access rights, which could allow users to override system controls.
1.4.1 User Registration and de-registration
“User” registration, modification and de-registration for employees and Third Party Service Provider
staff shall be done in accordance with authorization given by HR (for email access and user ID creation)
and by the Supervisor and respective HOD (for business applications). The following shall be ensured:
1.4.1.1. A unique user ID for all users having access to the information systems;
1.4.1.2. Any access to applications and databases using group user IDs shall be restricted. Any such access
shall be provided only on a case-by-case basis after approval from the respective HODs.
1.4.1.3. Approval is obtained as per authorization from the supervisor and/or HODs prior to granting users
access to information systems.
1.4.1.4. Approval from the functional heads is required prior to creating a Third Party Service Provider
user.
1.4.1.5. Access of user accounts is either revoked or re-allocated appropriately upon inter-departmental
transfers / change of profiles;
1.4.1.6. User IDs of users who have left the organization are disabled or removed immediately.
1.4.1.7. User access rights are reviewed once every six months to identify and remove or disable
redundant user IDs.
1.4.1.8. Redundant user IDs are not issued to other users.
1.4.1.9. Access rights for creation of shared folders on the network shall be restricted and will
be granted only after approval of the Head of Department and the CISO.
1.4.2 Privilege Access Rights Management
Assignment of privileged access to user accounts / IDs on the information systems shall be controlled
through a formal authorization process. Privilege rights for IT infrastructure management shall be
granted on a need-to-know basis and approved by the CISO. The access shall be revoked on completion
of the activities. The CISO shall review the list of privileged user access quarterly. The following shall be considered:
• The privileged access rights associated with each system or process (e.g. operating system,
database management system and each application) and the users to whom they need to be
allocated should be identified;
• Privileged access rights should be allocated to users on a need-to-use basis and on an event-by-event
basis in line with the access control policy, i.e. based on the minimum requirement for
their functional roles;
• An authorization process and a record of all privileges allocated should be maintained.
Privileged access rights should not be granted until the authorization process is complete;
• Requirements for expiry of privileged access rights should be defined;
• Privileged access rights should be assigned to a user ID different from those used for regular
business activities. Regular business activities should not be performed from a privileged ID;
• For generic administration user IDs, the confidentiality of secret authentication information
should be maintained when it is shared.
1.4.3 Password Management
1.4.3.1 Passwords are strings of characters that are input into a system to authenticate an identity
and/or authority and/or access rights.
1.4.3.2 Appropriate technical specifications for password management, as specified in the password
management procedure, shall be implemented and enforced on the information systems that
are owned and managed by Compport IT Solution.
1.4.3.3 Passwords shall be masked on entry.
1.4.3.4 Passwords shall be stored and communicated in protected form.
1.4.3.5 Strong passwords shall be selected based on the following:
• Should be at least eight alphanumeric characters long.
• Should contain both upper and lower case characters (e.g., a-z, A-Z).
• Should contain digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./).
• Should not be a word in any language, slang, dialect, jargon, etc.
• Should not be based on personal information, names of family members, etc.
• Should never be written down or stored online.
1.4.3.6 The system shall force the user to change the temporary password assigned to them at the first
log-on.
1.4.3.7 Passwords will be set to expire after 45 days. Password expiration notification shall be
given a week in advance.
1.4.3.8 Changing the password shall be allowed only after logging in to the system with the existing
password.
1.4.3.9 The new password shall not be one of the last 2 passwords.
1.4.3.10 The account shall be locked out for 30 minutes after 3 unsuccessful attempts.
1.4.3.11 The locked-out account is reset after 30 minutes.
1.4.3.12 Default passwords for applications and devices shall be changed after installation.
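The rules of section 1.4.3 can be enforced mechanically at the point where a password is set. The following is an added example, not tooling belonging to Compport IT Solution or to the policy itself: it checks the complexity rules of 1.4.3.5, keeps stored passwords in protected form (1.4.3.4) as salted PBKDF2 digests, refuses a password that matches either of the last 2 (1.4.3.9), and reports the 45-day expiry with its 7-day notice window (1.4.3.7). The wordlist, the PBKDF2 parameters and all sample passwords and dates are constructed for the example.

```python
"""Password-policy checks for section 1.4.3 (added example; not the organisation's own code)."""
import hashlib
import hmac
import os
import string
from datetime import date
from typing import List, Optional, Sequence, Tuple

MIN_LENGTH = 8          # 1.4.3.5: at least eight characters
PASSWORD_HISTORY = 2    # 1.4.3.9: not one of the last 2 passwords
EXPIRY_DAYS = 45        # 1.4.3.7: expires after 45 days
NOTICE_DAYS = 7         # 1.4.3.7: notify a week in advance
PBKDF2_ROUNDS = 100_000  # assumption: not specified by the policy

# Constructed stand-in for a dictionary / slang / jargon list (1.4.3.5).
# A real deployment would load a full wordlist here (assumption).
WORDLIST = {"password", "welcome", "qwerty", "summer", "admin", "compport"}


def complexity_violations(password: str, personal_info: Sequence[str] = ()) -> List[str]:
    """Return the 1.4.3.5 rules the candidate breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation character")
    # "Password1!" still reduces to the word "password", so compare the letters only.
    letters_only = "".join(c for c in password.lower() if c.isalpha())
    if letters_only in WORDLIST:
        problems.append("is a dictionary word")
    if any(item and item.lower() in password.lower() for item in personal_info):
        problems.append("contains personal information")
    return problems


def protect(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Protected storage form (1.4.3.4): a per-password random salt plus a PBKDF2-SHA256 digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def reused(password: str, history: Sequence[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate equals one of the last PASSWORD_HISTORY stored entries (1.4.3.9)."""
    for salt, digest in history[-PASSWORD_HISTORY:]:
        _, candidate = protect(password, salt)        # re-derive with the stored salt
        if hmac.compare_digest(candidate, digest):    # constant-time comparison
            return True
    return False


def expiry_status(last_changed_iso: str, today_iso: str) -> str:
    """'ok', 'expiring' (inside the 7-day notice window) or 'expired' (1.4.3.7). Dates are ISO strings."""
    age_days = (date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)).days
    if age_days >= EXPIRY_DAYS:
        return "expired"
    if age_days >= EXPIRY_DAYS - NOTICE_DAYS:
        return "expiring"
    return "ok"


def validate_change(new_password: str, history: Sequence[Tuple[bytes, bytes]],
                    personal_info: Sequence[str] = ()) -> List[str]:
    """Every reason a password change must be refused; an empty list means accept it."""
    problems = complexity_violations(new_password, personal_info)
    if reused(new_password, history):
        problems.append("matches one of the last 2 passwords")
    return problems


if __name__ == "__main__":
    stored = [protect("OldPass#1"), protect("OldPass#2")]     # constructed history
    print(validate_change("OldPass#2", stored))               # reused password is refused
    print(validate_change("Tr0ub4dor&3", stored))             # acceptable: []
    print(expiry_status("2018-10-01", "2018-11-10"))          # 40 days old: expiring
```

The history check re-derives the digest with each stored salt rather than keeping old passwords in clear text, so 1.4.3.9 can be enforced without violating 1.4.3.4; the dictionary check strips digits and punctuation first because appending "1!" to a word is the usual way a dictionary word slips past a naive filter.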
1.4.4 Management of Secret Authentication information of users
Secret authentication information such as passwords, cryptographic keys, smart cards, etc. are common
means of verifying user identity. The process should include the following:
1.4.4.1 Users should keep their personal secret authentication information confidential;
1.4.4.2 Default / initially allocated secret authentication information should be changed prior to first
use;
1.4.4.3 Users' identity should be verified and approval received from the appropriate authority;
1.4.4.4 Temporary secret authentication information should be given to users in a secure manner; the
use of external parties or unprotected (clear text) electronic mail messages should be avoided;
1.4.4.5 Temporary secret authentication information should be unique to an individual and should not
be guessable;
1.4.4.6 Users should acknowledge receipt of secret authentication information.
1.4.5 Review of User access rights
The review of user access rights shall take into consideration the following:
1.4.5.1 User accounts and corresponding access rights are reviewed once every six months for users
having access to systems / applications;
1.4.5.2 Authorizations for special privileged access rights are reviewed once every quarter and
revoked as applicable;
1.4.5.3 There is a process for identifying and removing / disabling duplicate or redundant user IDs;
1.4.5.4 User access rights should be reviewed and re-allocated when a user moves from one role to another
within the same organization;
1.4.5.5 Changes to privileged accounts should be logged for quarterly review;
1.4.5.6 Access rights to shared folders shall be reviewed once every 6 months by the CISO Director.
1.4.6 Removal or adjustment of access rights
All access rights of employees and Third Party Service Provider staff shall be removed upon
termination of their employment or contract, adjusted upon change of role, and removed in any other event of their
separation from Compport IT Solution.
1.5 User Responsibilities for Access Management

All employees and Third Party Service Provider staff with access to information systems are required to
understand their responsibilities for maintaining effective access controls, particularly regarding the use of
passwords and the security of user equipment. They shall follow Compport IT Solution's policies on the use
of secret authentication information.

1.5.1 Clear Desk and Clear Screen


Automatic account lockout after 15 minutes will be implemented to lock the screen of information
systems left unattended. It is the responsibility of all employees and Third Party staff to lock their
screens when they leave them unattended.
1.5.2 Password Use
Compport IT Solution employees are required to:
1.5.2.1 Keep their passwords confidential and refrain from sharing them with others;
1.5.2.2 Change their passwords whenever there is any indication of a possible compromise of the
system or password;
1.5.2.3 Change temporary passwords at first log-on;
1.5.2.4 Avoid keeping a record of passwords; and
1.5.2.5 Not use the same secret authentication information for business and non-business purposes.
1.5.3 Unattended User Equipment
All employees with access to information assets shall be made aware of the information security
requirements and procedures for protecting unattended equipment. Users are required to do the
following:
1.5.3.1 Log out from the information systems upon completion of the user activity; and
1.5.3.2 Secure the equipment in order to prevent theft.
1.6 Network Access Control

Appropriate controls for user access to networks and network services shall be applied. The controls shall
define and ensure the following:
• The networks and network services that are allowed to be accessed; any request for access to the network
shall be approved by the Supervisor.
• Management controls to protect access to network connections and network services.
• The means used to access networks and network services (e.g. use of VPN or wireless network).
• User authentication requirements for accessing various network services.
• Monitoring of the use of network services.
• Business applications are accessible on the network only through the approved network services.
• The network services required for business purposes are identified, documented and
approved by the HOD of the user. All unnecessary network services are identified and disabled.
• In the case of visitors, no network access shall be provided without approval and segregation
from the Corporate Network.
• Third party staff shall be given access only after approval from the CISO.
1.6.1 Remote Access
Adequate security controls shall be implemented to authenticate users for remote access. The IT
department shall manage remote access connections and ensure that:


1.6.1.1 Remote access connections to the Compport IT Solution network are provided to authorized
users only, and appropriate controls are implemented and enforced to maintain the
confidentiality, integrity and availability of information;
1.6.1.2 An updated list of all such users is maintained;
1.6.1.3 Remote access to Compport IT Solution’s network is allowed through secure channels only;
1.6.1.4 Remote access is allowed through pre-approved accounts only; and
1.6.1.5 Only approved remote control software is used in the network for remote connections.
1.6.2 Equipment Identification in Network
1.6.2.1 Authentication and encryption following industry best practices are required for wireless
connections.
1.6.2.2 Allowed authentication schemes are WPA2-PEAP or WPA2-EAP-TLS, or any newer scheme.
1.6.2.3 Authentication must be machine authentication (not user authentication).
1.6.2.4 Workgroup, point-to-point and ad hoc networks are not permitted.
1.6.2.5 Employ inconspicuous SSID and AP names.
1.6.2.6 WiFi Access-Points (WAPs) shall only be installed in space owned, rented, or leased by
Compport IT Solution.
1.6.2.7 WiFi Maps shall be accurately maintained which depict access point locations and limits of
Compport IT Solution occupied space.
1.6.3 Network Routing
1.6.3.1 Internet site and file filtering must be enabled to block access to Internet sites and files deemed
inappropriate or potentially dangerous for business use.
1.6.3.2 Internal access to the Internet is to be routed through Internet access servers (proxy servers)
or network firewalls with filtering technology enabled.
1.6.3.3 Access between domains can be allowed but should be controlled at the perimeter using a
gateway e.g. a firewall or filtering router.
1.6.3.4 Any changes to firewall rules or other network device configuration shall be logged and
shall follow the change management process.
1.7 Operating System Access Control
Adequate security controls shall be implemented on the information systems to restrict operating systems
access to authorized users only. The controls shall authenticate the authorized users and record the
successful and failed system authentication attempts.
1.7.1 Secure log-on procedure
The operating systems of servers, workstations and/ or network devices shall be controlled through a
secure log-on procedure to minimize the risk of unauthorized access. The log-on procedure shall not
disclose any system information. Log-on procedure shall:


1.7.1.1 Ensure that information about the previously logged-on user is not displayed in the login
console / window;
1.7.1.2 Validate the log-on information only on completion of all input data. If an error condition arises, the
system shall not display an error message that leaks the internal configuration of the
information systems;
1.7.1.3 Limit the number of unsuccessful log-on attempts to 3;
1.7.1.4 Ensure automatic terminal lockout after a specified duration of 10 min. An exception to this
would be terminals that are under continuous monitoring;
1.7.1.5 Not display system or application identifiers until the log-on process has been successfully
completed;
1.7.1.6 Display a general notice warning that the computer shall only be accessed by authorized
users;
1.7.1.7 Not provide help messages during the log-on procedure that would aid an unauthorized user;
1.7.1.8 Validate the log-on information only on completion of all input data. If an error condition arises,
the system shall not indicate which part of the data is correct or incorrect;
1.7.1.9 Protect against brute force log-on attempts;
1.7.1.10 Log unsuccessful and successful attempts;
1.7.1.11 Raise a security event if a potential attempted or successful breach of log-on controls is
detected;
1.7.1.12 Display the following information on completion of a successful log-on:
1.7.1.13 Not display a password being entered; not transmit passwords in clear text over a network;
1.7.1.14 Terminate inactive sessions after a defined period of inactivity, especially in high-risk locations
such as public or external areas outside the organization’s security management or on mobile
devices;
1.7.1.15 Restrict connection times to provide additional security for high-risk applications and reduce
the window of opportunity for unauthorized access.
1.7.2 User Identification and Authentication
1.7.2.1 Refer to section 1.4 of this policy for User Identity management;
1.7.2.2 Appropriate authentication mechanisms shall be implemented for all systems based on
identified security needs.
1.7.3 Use of privileged system Utilities
Use of utility programs that could override system and application controls shall be restricted
and tightly controlled, and only authorized utilities shall be used for remote management (of
servers, workstations and network devices). Activities carried out using such utilities shall be
logged. The following shall be considered:
• use of identification, authentication and authorization procedures for utility programs;
• segregation of utility programs from application software;
• limitation of the use of utility programs to the minimum practical number of trusted, authorized
users;
• authorization for ad hoc use of utility programs;
• limitation of the availability of utility programs;
• logging of all use of utility programs;
• defining and documenting authorization levels for utility programs;
• removal or disabling of all unnecessary utility programs;
• not making utility programs available to users who have access to applications on systems
where segregation of duties is required.
1.7.4 Session Time-out
Information systems and applications that are accessed from external networks and Internet shall be
equipped with session time-out controls to clear the session screen and terminate the application
sessions after a specified duration of inactivity.
1.8 System and Application Access Control
• Access to information and application systems shall be restricted to authorized users only, as per this
policy. Appropriate security controls shall be used to restrict access to Compport IT Solution’s
information systems.
• Access to systems and applications shall be controlled by secure log-on procedures.
• A password management procedure shall be implemented to ensure quality passwords.
• Use of utility programs capable of overriding system and application controls shall be restricted and
tightly controlled.
• Access to program code shall be restricted through the following means:
o Access to source code shall be restricted to authorized users only.
o Updating of source code shall be performed only after receipt of proper approvals.
o An audit log of all activities on source code shall be maintained.
o Copying of program code shall be subject to change control procedures.
o Developers shall not have access to the production environment, and segregation of duties shall be
implemented as appropriate.
1.9 Reference

• ISMS 27001:2013: Annexure A
