Access Control Policy - 003 - V1.0
Version 1.0
Document Control
Version No. | Revision Date | Nature of Change | Date Approved
V 1.0       |               |                  |
Table of Contents
1. ACCESS CONTROL POLICY  3
1.1 RESPONSIBILITY  3
1.2 DEFINITIONS  3
1.3 OBJECTIVE  3
1.4 USER ACCESS MANAGEMENT  3
1.4.1 User Registration and de-registration  3
1.4.2 Privilege Access Rights Management  4
1.4.3 Password Management  4
1.4.4 Management of Secret Authentication information of users  5
1.4.5 Review of User access rights  5
1.4.6 Removal or adjustment of access rights  5
1.5 USER RESPONSIBILITIES FOR ACCESS MANAGEMENT  5
1.5.1 Clear Desk and Clear Screen  6
1.5.2 Password Use  6
1.5.3 Unattended User Equipment  6
1.6 NETWORK ACCESS CONTROL  6
1.6.1 Remote Access  6
1.6.2 Equipment Identification in Network  7
1.6.3 Network Routing  7
1.7 OPERATING SYSTEM ACCESS CONTROL  7
1.7.1 Secure log-on procedure  7
1.7.2 User Identification and Authentication  8
1.7.3 Use of privileged system Utilities  8
1.7.4 Session Time-out  9
1.8 SYSTEM AND APPLICATION ACCESS CONTROL  9
1.9 REFERENCE  9
• ISMS 27001:2013: Annexure A  9
Access to the information systems shall be controlled based on business and security requirements and
shall be commensurate with the asset classification. Access controls shall be deployed on the
principle of “need-to-have” in order to protect information from unauthorized access.
The objectives of the Access Control Policy are to:
• Control access to information assets as per the business requirement;
• Prevent unauthorized access to information systems and to information held within database and
application systems;
• Ensure that information access controls are implemented to meet any relevant contractual or regulatory
requirements, as applicable; and
• Implement access controls that are aligned with the information classification of the asset.
1.4 User Access Management
The allocation of access rights to information systems and services shall be done in accordance with the
requirement given by the supervisor and approved by the HOD. The policy encompasses all stages in the life-cycle of
user access:
• Initial registration of users;
• Transfer of users to other departments / projects/ profiles; and
• De-registration of users.
Special attention has to be given, where required, to control the allocation of privileged / administrative /
generic access rights, which could allow users to override system controls.
1.4.1 User Registration and de-registration
“User” registration, modification and de-registration for employees and Third Party Service Provider
staff shall be done in accordance with authorization given by HR (for email access and user ID creation)
and by the Supervisor and respective HOD (for business applications). The following shall be ensured:
1.4.1.1. A unique user ID is assigned to all users having access to the information systems;
1.4.1.2. Access to applications and databases using group user IDs is restricted; any such access
is provided only on a case-by-case basis after approval from the respective HOD;
1.4.1.3. Approval is obtained as per authorization from the supervisor and/or HOD prior to granting users
access to information systems;
1.4.1.4. Approval from the functional heads is obtained prior to creating a Third Party Service Provider
user;
1.4.1.5. Access of user accounts is either revoked or re-allocated appropriately upon inter-departmental
transfers / change of profiles;
1.4.1.6. User IDs of users who have left the organization are immediately disabled or removed;
1.4.1.7. User access rights are reviewed once every six months to identify and remove or disable
redundant user IDs;
1.4.1.8. Redundant user IDs are not issued to other users;
1.4.1.9. Access rights for creation of shared folders on the network are restricted and granted only
post approval of the Head of Department and CISO.
1.4.2 Privilege Access Rights Management
Assignment of privileged access to user accounts / IDs on the information systems shall be controlled
through a formal authorization process. Privilege rights for IT infrastructure management shall be
granted on a need-to-know basis and approved by the CISO. The access shall be revoked post completion
of the activities. The CISO shall review the list of privileged user access quarterly. The following shall be considered:
• The privileged access rights associated with each system or process (e.g. operating system,
database management system and each application) and the users to whom they need to be
allocated should be identified;
• Privileged access rights should be allocated to users on a need-to-use basis and on an event-by-event
basis in line with the access control policy, i.e. based on the minimum requirement for
their functional roles;
• An authorization process and a record of all privileges allocated should be maintained.
Privileged access rights should not be granted until the authorization process is complete;
• Requirements for expiry of privileged access rights should be defined;
• Privileged access rights should be assigned to a user ID different from those used for regular
business activities. Regular business activities should not be performed from a privileged ID;
• For generic administration user IDs, the confidentiality of secret authentication information
should be maintained when it is shared.
1.4.3 Password Management
1.4.3.1 Passwords are strings of characters that are input into a system to authenticate an identity
and/or authority and/or access rights.
1.4.3.2 Appropriate technical specifications for password management, as specified in the password
management procedure, shall be implemented and enforced on the information systems that
are owned and managed by Compport IT Solution.
1.4.3.3 Passwords shall be masked when entered.
1.4.3.4 Passwords shall be stored and communicated in protected form.
1.4.3.5 Strong passwords shall be selected based on the following:
• Be at least eight alphanumeric characters long;
• Contain both upper and lower case characters (e.g. a-z, A-Z);
• Contain digits and punctuation characters as well as letters, e.g. 0-9 and !@#$%^&*()_+|~-=\`{}[]:";'<>?,./
• Not be a word in any language, slang, dialect, jargon, etc.
All employees and Third Party Service Provider staff with access to information systems are required to
understand their responsibilities for maintaining effective access controls, particularly regarding the use of
passwords and the security of user equipment. They shall follow Compport IT Solution’s policies in the use
of secret authentication information.
DOC NO: COMPPORT/IT/ACP/2018/003 INTERNAL USE
Compport IT Solution
Access Control Policy 6
Appropriate controls for user access to networks and network services shall be applied. The controls shall
ensure that:
• The networks and network services which are allowed to be accessed are defined; requests for network
access shall be approved by the Supervisor;
• Management controls protect access to network connections and network services;
• The means used to access networks and network services (e.g. VPN or wireless network) are defined;
• User authentication requirements for accessing the various network services are defined;
• The use of network services is monitored;
• Business applications are accessible on the network only through the approved network services; and
• The network services which are required for business purposes are identified, documented and
approved by the HOD of the user. All unnecessary network services are identified and disabled.
• For visitors, network access shall be provided only post approval and on a network segregated from the
Corporate Network.
• Third party staff shall be given access only post approval from the CISO.
1.6.1 Remote Access
Adequate security controls shall be implemented to authenticate the user for remote access. The IT
department shall manage remote access connections and ensure that:
1.6.1.1 Remote access connections to the Compport IT Solution network are provided to authorized
users only, and appropriate controls are implemented and enforced to maintain the
confidentiality, integrity and availability of information;
1.6.1.2 An updated list of all such users is maintained;
1.6.1.3 Remote access to Compport IT Solution’s network is allowed through secure channels only;
1.6.1.4 Remote access is allowed through pre-approved accounts only, and
1.6.1.5 Only approved remote control software is used in the network for remote connections.
1.6.2 Equipment Identification in Network
1.6.2.1 Authentication and encryption are required for wireless connections, utilizing industry best
practices.
1.6.2.2 Allowed Authentication Schemes are: WPA2-PEAP or WPA2-EAP-TLS or any latest scheme
1.6.2.3 Authentication must be machine authentication (not user authentication)
1.6.2.4 Workgroup, point-to-point and ad hoc networks are not permitted.
1.6.2.5 Employ inconspicuous SSID and AP names.
1.6.2.6 WiFi Access-Points (WAPs) shall only be installed in space owned, rented, or leased by
Compport IT Solution.
1.6.2.7 WiFi Maps shall be accurately maintained which depict access point locations and limits of
Compport IT Solution occupied space.
1.6.3 Network Routing
1.6.3.1 Internet site and file filtering must be enabled to block access to Internet sites and files deemed
inappropriate or potentially dangerous for business use.
1.6.3.2 Internal access to the Internet is to be routed through Internet access servers (proxy servers)
or network firewalls with filtering technology enabled.
1.6.3.3 Access between domains can be allowed but should be controlled at the perimeter using a
gateway e.g. a firewall or filtering router.
1.6.3.4 Any changes to the firewall rules or other network device configuration shall be logged and
shall follow the change management process.
1.7 Operating System Access Control
Adequate security controls shall be implemented on the information systems to restrict operating systems
access to authorized users only. The controls shall authenticate the authorized users and record the
successful and failed system authentication attempts.
1.7.1 Secure log-on procedure
The operating systems of servers, workstations and/or network devices shall be controlled through a
secure log-on procedure to minimize the risk of unauthorized access. The log-on procedure shall not
disclose any system information. The log-on procedure shall:
1.7.1.1 Ensure that previous logged-on user information shall not be displayed in the login
console/window;
1.7.1.2 Validate the log-on information on completion of all input data. If an error condition arises, the
system should not display an error message which leaks the internal configurations of the
information systems;
1.7.1.3 Limit the number of unsuccessful log-on attempts to 3; and
1.7.1.4 Ensure automatic terminal lockout after a specified duration of 10 min. An exception to this
would be terminals which are under continuous monitoring.
1.7.1.5 Not display system or application identifiers until the log-on process has been successfully
completed;
1.7.1.6 Display a general notice warning that the computer should only be accessed by authorized
users;
1.7.1.7 Not provide help messages during the log-on procedure that would aid an unauthorized user;
1.7.1.8 Validate the log-on information only on completion of all input data. If an error condition arises,
the system should not indicate which part of the data is correct or incorrect;
1.7.1.9 Protect against brute force log-on attempts;
1.7.1.10 Log unsuccessful and successful attempts;
1.7.1.11 Raise a security event if a potential attempted or successful breach of log-on controls is
detected;
1.7.1.12 Display the following information on completion of a successful log-on:
1.7.1.13 Not display a password being entered; not transmit passwords in clear text over a network;
1.7.1.14 Terminate inactive sessions after a defined period of inactivity, especially in high risk locations
such as public or external areas outside the organization’s security management or on mobile
devices;
1.7.1.15 Restrict connection times to provide additional security for high-risk applications and reduce
the window of opportunity for unauthorized access.
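The log-on controls in 1.7.1.3, 1.7.1.6, 1.7.1.8, 1.7.1.10 and 1.7.1.11 expressed as an added Python example (not code from this policy or from Compport IT Solution): three failures lock the account, every failure returns one generic message so the screen never says which part was wrong, the true reason goes only to the audit log, and a lockout raises a security event. The 10-minute account lockout and the PBKDF2 password storage are assumptions made for the example; the policy's 10-minute figure is for terminal inactivity lockout.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

MAX_FAILED_ATTEMPTS = 3               # 1.7.1.3: limit unsuccessful log-on attempts to 3
LOCKOUT_SECONDS = 10 * 60             # assumed account lockout period for this example
GENERIC_FAILURE = "Log-on failed."    # 1.7.1.8: same text for unknown user, bad password, locked account
LOGON_BANNER = "This system may be accessed by authorized users only."  # 1.7.1.6, no system identifiers (1.7.1.5)
LOGON_SUCCESS = "Log-on successful."


def derive(password: str, salt: bytes) -> bytes:
    """Passwords are kept only in protected form (1.4.3.4): salted PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed: int = 0
    locked_until: float = 0.0


def enroll(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt, derive(password, salt))


@dataclass
class LogonController:
    accounts: Dict[str, Account]
    clock: Callable[[], float] = time.time          # injectable so lockout expiry can be tested
    audit_log: List[tuple] = field(default_factory=list)        # 1.7.1.10: all attempts logged
    security_events: List[tuple] = field(default_factory=list)  # 1.7.1.11: raised on lockout

    def attempt(self, user_id: str, password: str) -> Tuple[bool, str]:
        now = self.clock()
        acct = self.accounts.get(user_id)
        if acct is None:
            return self._fail(user_id, now, "unknown user id")
        if acct.locked_until > now:
            return self._fail(user_id, now, "account locked")
        if not hmac.compare_digest(derive(password, acct.salt), acct.digest):
            acct.failed += 1
            if acct.failed >= MAX_FAILED_ATTEMPTS:
                acct.locked_until, acct.failed = now + LOCKOUT_SECONDS, 0
                self.security_events.append((now, user_id, "lockout after repeated failures"))
            return self._fail(user_id, now, "bad password")
        acct.failed = 0
        self.audit_log.append((now, user_id, "SUCCESS", ""))
        return True, LOGON_SUCCESS

    def _fail(self, user_id: str, now: float, reason: str) -> Tuple[bool, str]:
        # The precise reason is recorded for the audit log only, never shown to the user.
        self.audit_log.append((now, user_id, "FAILURE", reason))
        return False, GENERIC_FAILURE
```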
1.7.2 User Identification and Authentication
1.7.2.1 Refer to section 1.4 of this policy for User Identity management;
1.7.2.2 Appropriate authentication mechanisms shall be implemented for all systems based on
identified security needs.
1.7.3 Use of privileged system Utilities
Use of utility programs that could override system and application controls shall be restricted and
tightly controlled, and only authorized utilities shall be used for remote management of servers,
workstations and network devices. Activities carried out using such utilities shall be logged. The
following shall be considered:
• use of identification, authentication and authorization procedures for utility programs;
• segregation of utility programs from applications software;
• limitation of the use of utility programs to the minimum practical number of trusted, authorized
users;
• authorization for ad hoc use of utility programs;
• limitation of the availability of utility programs;
• logging of all use of utility programs;
• defining and documenting of authorization levels for utility programs;
• removal or disabling of all unnecessary utility programs;
• Not making utility programs available to users who have access to applications on systems
where segregation of duties is required.
1.7.4 Session Time-out
Information systems and applications that are accessed from external networks and Internet shall be
equipped with session time-out controls to clear the session screen and terminate the application
sessions after a specified duration of inactivity.
1.8 System and Application Access Control
• Access to information and application systems shall be restricted to authorized users only, as per this
policy. Appropriate security controls shall be used to restrict access to Compport IT Solution’s
information systems.
• Access to systems and applications shall be controlled by secure log-on procedures.
• A password management procedure shall be implemented to ensure quality passwords.
• Use of utility programs capable of overriding system and application controls shall be restricted and
tightly controlled.
• Access to program code shall be restricted through the following means:
o Access to source code shall be restricted to authorized users only;
o Updating of source code shall be performed only after receipt of proper approvals;
o An audit log of all activities on source code shall be maintained;
o Copying of program code shall be subject to change control procedures;
o Developers shall not have access to the production environment, and segregation of duties shall be
implemented as appropriate.
1.9 Reference