
DOCUMENT NO: IT-07
REVISION NO: 0
EFFECTIVE DATE: 1-August-2009
PAGE NO: 1 of 3
PREPARED BY: Hong Chan Chuen
APPROVED BY: '() "o*+ C$&&
GRANTING, REVOKING, CHANGING and REVIEWING USER ACCESS
1.0 PURPOSE:
1.1 To establish and maintain a procedure defining the process of establishing, revoking, and
changing User access to Company information systems.
2.0 SCOPE:
2.1 Establish and maintain a procedure defining a regular scheduled review of all system
access.
3.0 REFERENCES:
3.1 IT-01 (Company Electronic Data Policy)
3.2 IT-02 (IT Password Standards)
3.3 IT-03 (System Administrator Policy)
4.0 DEFINITIONS:
4.1 IT - Information Technology
5.0 EXHIBITS:
5.1 None
6.0 RESPONSIBILITIES:
6.1 Corporate IT Group
- Ensuring that IT develops and implements appropriate policies, practices and
procedures on a company wide basis.
- Ensuring that regional IT management implements and ensures compliance to this
policy and all related practices and procedures.
- Ensuring that the policy, practices and procedures are maintained.
6.2 IT Management
- Ensuring all staff in their area of responsibility is familiar with and complies with all
policies, practices and procedures.
- Authorizes all security requests for System Administration type access.
- Ensuring that local procedures in support of the corporate policy are maintained.
6.3 Department Managers
- Liaise with Human Resources to define security requirements for all staff members.
- Notify HR and IT of all new hires, terminations, and job function changes in a timely
manner.
6.4 Human Resources
- Notifying IT Security Administrator of all requests for access to Company
information systems, or changes to existing access.
- Notifying IT Security Administrator of all employees leaving the Company on a
timely basis. This is to include Maternity leave, Short/Long term disability, layoffs,
etc.
6.5 IT Employees Responsible for Security Administration (Infrastructure & Application)
- Creating, changing and revoking user access on a timely basis.
- Gaining approval for all Security requests from the designated data/system owners.
- Maintaining a log of all security requests.
- Conducting a scheduled yearly review of all system access by providing the
designated data/system owners with a system access report for their review.
- Conducting a review of all system/application access after any major Company
changes/realignments.
- Conducting a review of all system access after any new system installs or major
upgrades by providing the designated data/system owner with a system access report
for their review.
6.6 Business/Data Owners
- Documenting system segregation of duty access rules.
- Approving security access requests.
- Participate as required by the IT Department in the scheduled reviews of system
access rights granted to the system users.
7.0 PROCEDURE:
7.1 Access to Company information systems will be assigned with only the rights required to
do individual job functions.
7.2 Access will be assigned in accordance with documented segregation of duty rules
approved by the data/system owners.
7.3 Generic accounts or so-called "group logons" are not permitted, as these could
potentially allow several users to access IT resources without any clear individual
accountability. Access must only be provided on an individual basis, with each user
account being unique to a named person with only sufficient access to do what they
need to do in the normal course of their duties.
7.4 It is recognized that certain users (e.g., System Administrators) may have the ability to
access data contained in a system without being an authorized user of the system itself.
Special care must be taken in these cases, as outlined in IT-03 System Administrator
Policy.
7.5 IT staff that have specific security administration responsibilities must have specific and
appropriate training required to perform their role.
8.0 PROCESS:
8.1 Human Resources working with Department Managers will notify the IT department via
email of all requests for access to Company information systems. This is to include all
employee job changes, i.e., movements to other departments or divisions, job
responsibility changes, maternity leave, layoffs, etc. IT must be informed via email of all
employees leaving the Company.
8.2 Data Owners will be solicited for approval for all access to Application data. IT will
maintain an approval matrix outlining exact data ownership.
8.3 Information Security Administrators will add/change/revoke all user access to Company
information systems in a timely and accurate manner.
8.4 Human Resources, Data Owners, and Information Security Administrators will all
participate in regular scheduled reviews of all system and application access rights that
have been granted. These reviews will be logged for audit purposes.
9.0 REVISION HISTORY:
Rev #    Sec./Page No.    Name               Change Date    Changes
0        -                Hong Chan Chuen    6-July-09      New
2!-MAY-1,