22.5 User Access Management
The objective of this Policy is to prevent unauthorized access to information systems. This Policy comprises the following controls:
i. User registration
ii. User ID deletion
iii. Review of user access rights
iv. Suspension of user access
22.5.1 User Registration
Users and external agencies are given a clear statement of the business requirements to be met by access controls. Access to multi-user information systems, including applications, databases, operating systems and networking resources, is controlled through a formal user registration process. The user registration and deregistration procedure addresses the following aspects:
a) A user registration form is used to create users in the system. Access for internal users is authorized by the Business / Information Owners as well as by the head of the department to which the user belongs.
b) All users must be provided with unique user IDs so that each user can be linked to and made accountable for their actions. A standard naming convention is adopted for creating user IDs.
c) The use of group IDs/passwords to access information systems is not permitted unless there is a business requirement, and any such exception is to be approved by GIOD IT Security.
d) Proper registration procedures are to be followed to create users for all systems and networking resources.
e) The Business / Information owner authorizing user registration is to ascertain that the level of access granted is appropriate to the business purpose and is consistent with the relevant security policy.
f) The level of access to be granted to users must take into account the following considerations:
(i) Security requirements of all systems and IS resources.
(ii) Identification of sensitive information related to all systems and IT resources.
(iii) Policies for information dissemination and authorization, e.g. the need-to-know/need-to-do security levels and the classification of information.
g) Access must not be provided to third-party representatives.
h) A formal record of all persons registered to use the services/applications is to be maintained.
i) IT Security must be informed of an employee's termination of work or other change of status, so that the access rights of such employees can be adequately and appropriately restricted.
j) An employee may be released only after HR has given clearance and has informed IT Security to disable the employee's access rights.
k) A monthly housekeeping of user accounts must be conducted by IT Security and must cover the following. The report of each such review is to be retained for audit.
(i) Review the access rights of users who have left the organization to ensure that the rights have been removed.
(ii) Access rights of users who have been transferred to different locations, departments, divisions or teams are to be reviewed in light of the changed job requirements and modified in the system accordingly.
(iii) The system administrator must check for and remove redundant user IDs and accounts.
l) Normal users are not allowed to change user settings, which include the following:
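As an added illustration of the monthly housekeeping in (k) (example code, not part of the policy text), the review below reconciles an HR roster against the system account list and flags leavers still enabled, transferred users whose entitlements no longer match their department, redundant accounts, and shared IDs that need the approval required by (c). The 90-day dormancy threshold, the field names and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Employee:
    emp_id: str
    department: str
    status: str  # "active" or "left", as reported by HR

@dataclass
class Account:
    user_id: str
    emp_id: Optional[str]   # None for an account not tied to one person (group/shared ID)
    enabled: bool
    department: str         # department whose entitlements the account carries
    last_login: Optional[date]

DORMANT_DAYS = 90           # assumed threshold for a redundant account; not from the policy
REVIEW_DATE = date(2024, 6, 1)

def review_accounts(employees, accounts, today):
    """Return findings keyed by the policy's review categories (k)(i)-(iii) plus (c)."""
    by_emp = {e.emp_id: e for e in employees}
    findings = {"leaver_still_enabled": [], "transfer_mismatch": [],
                "redundant": [], "group_id": []}
    for a in accounts:
        if a.emp_id is None:
            findings["group_id"].append(a.user_id)      # shared ID: needs documented approval
            continue
        emp = by_emp.get(a.emp_id)
        if emp is None:
            findings["redundant"].append(a.user_id)     # no owner in HR records
        elif emp.status == "left" and a.enabled:
            findings["leaver_still_enabled"].append(a.user_id)
        elif emp.department != a.department:
            findings["transfer_mismatch"].append(a.user_id)
        elif a.enabled and (a.last_login is None or (today - a.last_login).days > DORMANT_DAYS):
            findings["redundant"].append(a.user_id)     # enabled but dormant
    return findings

# Constructed sample data for the worked example
EMPLOYEES = [Employee("E100", "Finance", "active"), Employee("E101", "HR", "left"),
             Employee("E102", "Ops", "active"), Employee("E103", "Finance", "active")]
ACCOUNTS = [Account("fin.alice", "E100", True, "Finance", date(2024, 5, 20)),
            Account("hr.bob", "E101", True, "HR", date(2024, 3, 1)),          # has left
            Account("ops.carol", "E102", True, "Finance", date(2024, 5, 30)), # moved to Ops
            Account("fin.dave", "E103", True, "Finance", date(2023, 11, 2)),  # dormant
            Account("svc.backup", None, True, "IT", date(2024, 6, 1)),        # shared ID
            Account("tmp.contractor", "E999", False, "Ops", None)]            # no HR record

if __name__ == "__main__":
    for category, ids in review_accounts(EMPLOYEES, ACCOUNTS, REVIEW_DATE).items():
        print(f"{category}: {ids}")
```

The printed findings are the content of the review report that (k) requires to be retained.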
(i) Password rules
(ii) Change user settings/profile including user rank and type
m) Restrict the ability to change the following settings by the system administrator:
(i) Create/change configuration files
(ii) User access to application modules
