Confidential
Prepared By: ISM
Reviewed By: CTO
Approved By: Director
Version: 1
Effective Date: 29th July 2013
Last Document Review Date: 1st Jan 2015
Document Code: PO/LOACPO/V01
Pages: 12
Osource India Pvt Ltd Policy for Logical Access Control
Document Statistics
Document approvers
Index
1. PURPOSE.................................................................................................................................................5
2. SCOPE......................................................................................................................................................5
4. TAILORING GUIDELINES....................................................................................................................5
6. MEASUREMENTS...............................................................................................................................12
7. OBJECTIVE EVIDENCE......................................................................................................................12
1. PURPOSE
Logical access to information systems must be controlled. Access control standards must be clearly
defined and implemented for information systems.
2. SCOPE
This policy applies to all Temporary Staff, Employees, Process Owners and clients who have been
granted logical access to Osource India Pvt Ltd resources. All are expected to be familiar with and
comply with this policy.
1. IS: Information Systems
2. CD: Compact Disk
4. TAILORING GUIDELINES
Not applicable
Users must be granted access to information, data and applications strictly on a "need to know"
basis.
Access to information services must be controlled by using unique User IDs, wherever possible,
so that each user can be held accountable for their actions.
User access rights to applications and data must be assigned only by the Application
Administrator, on receipt of a completed Access Request form approved by the requester's
supervisor as well as by the HOD of the person requesting access. All access requests must state
the purpose of the access.
The Application Owners must be responsible for defining and maintaining access control lists
for applications and data. They must ensure that the level of access granted is appropriate to
business requirements.
If for any reason a user's access rights need to be modified or revoked, the respective supervisor
must notify the Application Administrator through the Access Request form or an email request.
The Application Administrator shall then modify or revoke the access rights accordingly.
Users must be required to re-authenticate after a specific period of inactivity. Wherever
possible, sensitive applications will enforce an inactivity timeout.
Access logs must be monitored and reviewed on a weekly basis. All access alerts must be
reviewed daily and a report submitted daily. In the case of a breach, an incident must be
reported to the ISM.
User IDs must follow a standard naming convention on all computer systems to facilitate user
identification. The naming convention will cover all end users, contractors, consultants and
vendors.
The Application / System Administrators are responsible for identifying inactive accounts, i.e.
accounts that have not been used for a long duration, and disabling them.
If a user account has been inactive for more than 30 days, the system should automatically
disable the account, wherever possible. The System Administrator must reactivate the account
only after receiving a written request from the user and approval from the user's supervisor.
System Administrators must log on using their normal User ID when performing regular work
duties rather than logging in as Administrator. Use of the Administrator profile must be limited
to administrative activities only.
"Guest" accounts and other default accounts must be disabled on all servers, wherever
applicable.
The minimum length of passwords must be set to 8 alphanumeric characters with at least one
special character, wherever applicable.
A password expiration period of 42 days will be set, so that users are forced to change their
passwords every 42 days.
The system must force the user to change the password at the time of the initial logon, wherever
possible.
Default passwords of all systems or applications must be changed at the first logon.
All users must be made to sign an undertaking to keep passwords confidential and acknowledge
liability for transactions done using their passwords.
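As an added illustration, not part of the Osource policy document, the following Python script checks exported account records against the account and password rules stated above: disabling after 30 days of inactivity, the 42-day password expiry, the forced password change at initial logon, the disabling of "Guest" and other default accounts, and the 8-character password composition rule. The record format, the field names, the list of default account names, the reading of "alphanumeric" as at least one letter and one digit, and the sample records are all assumptions constructed for the example; in practice the records would come from an Active Directory or application export.

```python
"""Audit account records against the logical access control rules.

Added example; not the Osource policy's own tooling. Field names, the
default-account list and the sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Thresholds taken from the policy text
INACTIVITY_DAYS = 30          # disable after more than 30 days without use
PASSWORD_MAX_AGE_DAYS = 42    # users must change passwords every 42 days
MIN_PASSWORD_LENGTH = 8       # 8 alphanumeric characters plus a special character
# Assumed set of default account names that must not stay enabled
DEFAULT_ACCOUNTS = {"guest", "administrator", "admin"}


@dataclass
class Account:
    user_id: str
    enabled: bool
    last_logon: Optional[date]        # None means the account has never logged on
    password_set: date                # date the current password was set
    must_change_on_logon: bool = False  # flag forcing a change at next logon


def check_password_composition(candidate: str) -> List[str]:
    """Return the policy violations of a proposed password (empty list means OK).

    Intended for use only at the moment a password is set; the policy forbids
    keeping passwords in readable form anywhere, so nothing is stored here.
    "Alphanumeric" is interpreted (assumption) as at least one letter and one digit.
    """
    problems = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        problems.append("shorter than %d characters" % MIN_PASSWORD_LENGTH)
    if not any(c.isalpha() for c in candidate):
        problems.append("no letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(not c.isalnum() and not c.isspace() for c in candidate):
        problems.append("no special character")
    return problems


def audit_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return findings keyed by rule name, each a sorted list of user IDs."""
    findings: Dict[str, List[str]] = {
        "disable_inactive": [],
        "password_expired": [],
        "default_account_enabled": [],
        "no_forced_change_on_first_logon": [],
    }
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing left to enforce
        if acct.user_id.lower() in DEFAULT_ACCOUNTS:
            findings["default_account_enabled"].append(acct.user_id)
        # An account that has never logged on is measured from its password-set date
        last_activity = acct.last_logon or acct.password_set
        if (today - last_activity).days > INACTIVITY_DAYS:
            findings["disable_inactive"].append(acct.user_id)
        if (today - acct.password_set).days > PASSWORD_MAX_AGE_DAYS:
            findings["password_expired"].append(acct.user_id)
        # A never-used account whose password is not flagged for change at first
        # logon violates the initial-logon rule
        if acct.last_logon is None and not acct.must_change_on_logon:
            findings["no_forced_change_on_first_logon"].append(acct.user_id)
    return {rule: sorted(ids) for rule, ids in findings.items()}


# Constructed sample records and audit date (not real accounts)
TODAY = date(2015, 1, 1)
SAMPLE_ACCOUNTS = [
    Account("ajain", True, date(2014, 12, 30), date(2014, 12, 1)),   # compliant
    Account("rkumar", True, date(2014, 11, 15), date(2014, 11, 15)),  # 47 days idle, password 47 days old
    Account("spatel", True, date(2014, 12, 28), date(2014, 10, 1)),   # password 92 days old
    Account("guest", True, None, date(2013, 7, 29)),                  # default account left enabled
    Account("newhire", True, None, date(2014, 12, 29)),               # new account, no forced change
    Account("old", False, date(2014, 1, 1), date(2014, 1, 1)),        # already disabled, skipped
]

if __name__ == "__main__":
    for rule, ids in audit_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print("%-32s %s" % (rule, ", ".join(ids) or "-"))
    for pw in ("Osrc2015!", "password", "Ab1!"):
        print("%-12r -> %s" % (pw, check_password_composition(pw) or "OK"))
```

The audit deliberately measures a never-used account from the date its password was set, so a freshly created account is not flagged as inactive on day one, while a dormant default account such as "guest" is caught by both the inactivity and the default-account rules.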
Passwords must never be displayed in clear text, or stored in readable form in batch files,
automatic login scripts or any other location.
Exceptions to the password management policies may be granted for certain legacy applications
and customized vendor-specific applications.
After having logged on, all end users of multi-user systems must be kept in menus that show
only the options that they have been authorized to select.
Information System users must not test, or attempt to compromise controls, unless specifically
authorized to do so in advance, and in writing, by ISSC.
Every Osource India Pvt Ltd multi-user computer system will have a designated security
administrator to define user privileges, monitor access control logs and perform similar
activities.
Management in each organizational unit will assume responsibility for the proper confidentiality
classification, criticality rating, use and protection of information it owns, possesses and uses.
Management is responsible for identifying variances from generally accepted information system
control practices and promptly initiating corrective action.
Management in each department is responsible for making sure that all new associates have
completed an approved information security awareness course within one month of joining
Osource India Pvt Ltd.
The System Administrator will be responsible for creation, population and deletion of global and
universal security groups within Active Directory.
The owners of Active Directory security groups will be responsible for certification of
membership and access rights. Owners will recertify the membership of these groups with a
frequency set by Information Security.
Changing the Active Directory context of a security group, i.e. making one group a member of
another group, requires Information Security to review the effective change in security that
will result. A description of the effective change will be presented to each group owner
involved. The change cannot be adopted without the permission of each group owner involved.
Service account creation, deletion and edits are based on the change management controls within
Active Directory groups.
All desktops and laptops must have a power-on password when initially "booting-up" the
system.
Floppy drives on all end-user machines must be disabled, wherever possible, to prevent copying
of Osource India Pvt Ltd data for unauthorized use.
All desktops and Laptops must have up-to-date anti-virus software installed. The System
Administrator must ensure that updated anti-virus software is installed in all Desktops and
Laptops.
The folders or disk drives in individual desktops or laptops must not be shared unless appropriate
access controls have been enabled on the folder or the disk drive. Sharing of any information
classified as restricted or confidential is not permitted.
Necessary precautions should be taken by laptop users to ensure the privacy and confidentiality
of Osource India Pvt Ltd data contained on laptop hard disks.
CD writers and USB ports will be disabled or removed on all desktops. Exception: permissible
rights shall be granted to the ISM and the ISM core team upon approval (email or verbal) from
the CTO.
Removable media devices, such as CD writers, USB devices and tape backups, must not be
provided for individual desktops or laptops unless authorized in writing by the immediate
controlling authority. Exception: permissible rights shall be granted to the ISM and the ISM
core team upon approval (email or verbal) from the CTO.
It is the responsibility of the user of computer equipment to ensure that they are logged out
before leaving any equipment unattended.
Inactive terminals must be set to time out after 2 minutes, wherever applicable.
Users must not be given access to the database system prompt when connecting to an intranet
application or any application menu.
The DBMS security features should co-ordinate with those of the external application or system
to ensure that one does not overwrite the other in undesirable ways.
Backup and recovery of the security database must be verified. Access to the document recording
the version and program changes shall be granted to the database administrators, who are the
owners of this document.
If a third party needs access to a database, it shall be assigned on a temporary basis and
revoked once the work is done. Records of the assigned rights must be maintained.
User IDs with high-level access privileges must only be used in the event of an emergency.
Passwords of such User IDs must be held by the HOD in encrypted form, so that an authorized
employee has access to the password in the event that the concerned person cannot be reached
during an emergency.
All emergency actions which bypass normal access control procedures must be logged and
reported for immediate review by the CTO / ISM.
Access to system utilities must be restricted to authorized personnel in accordance with their
business functions and business needs.
The use of all system utilities must be logged and regularly reviewed by IS team.
It must be ensured that normal users do not have access rights to use such utilities. Any backend
update to the data using SQL or similar utilities must be done only after prior written approval
from the IS department.
6. MEASUREMENTS
Not Applicable
7. OBJECTIVE EVIDENCE
Responsibilities Matrix