
Osource India Pvt Ltd Policy for Logical Access Control

Confidential

Logical Access Control Policy

Prepared By: ISM
Reviewed By: CTO
Approved By: Director
Version: 1
Effective Date: 29th July 2013
Last Document Review Date: 1st Jan 2015
Page: 1 of 12
Document Code: PO/LOACPO/V01

Document Statistics

Type of Information | Document Data
Document Title | Logical Access Control Policy
Document Code | PO/LOACPO/V01
Date of Release | 29th July 2013
Document Revision No | 1st release of document
Document Owner | CTO
Document Author(s) | ISM
Document Change Reviewer | CTO
Security Classification | Confidential
Document Status | Approved

Document Approvers

Sr. No | Approver | Approver Contact (Email)
1 | Director | Mr. Devendra Murkute (devendra.murkute@osourceindia.com)

Document Change Approvals

Version Number | Revision Date | Nature of Change | Date Approved
1 | 29th July 2013 | Initial Release | 28th July 2013


Document Contact Point

Sr. No. | Document/Process | Document Author | Document Primary Focal Point
1 | Logical Access Control Policy | ISM | QMS folder on file server

Document Reference List

Sr. No | Reference No. | Document Name | Effective Date
1 | PR/LOACPR/V01 | Logical Access Control Procedure | 29th July 2013
2 | PO/ISMSO/V01 | Security Policy (ISMS Overview) | 29th July 2013


Index

1. PURPOSE (page 5)
2. SCOPE (page 5)
3. ABBREVIATIONS AND DEFINITIONS (page 5)
4. TAILORING GUIDELINES (page 5)
5. POLICY & GUIDELINES (page 6)
   5.1 Managing User Access (page 6)
   5.1.1 User Access to Information, Data and Application (page 6)
   5.1.2 Access Logs (page 6)
   5.1.3 Managing User Ids (page 7)
   5.1.4 Password Management (page 7)
   5.1.5 System Access/Management (page 8)
   5.1.6 Active Directory Groups (page 9)
   5.1.7 Service Accounts (page 9)
   5.2 Ensuring Logical Security on Laptops and Desktops (page 9)
   5.2.1 Securing Information on Laptops and Desktops (page 9)
   5.2.2 Security of Unattended User Equipment (page 10)
   5.3 Database Security (page 10)
   5.4 Controlling Privileged User Ids (page 11)
   5.4.1 Use of Privileged User IDs (page 11)
   5.5 Use of Sensitive System Utilities (page 11)
   5.5.1 Restricting Use of System Utilities (page 11)
6. MEASUREMENTS (page 12)
7. OBJECTIVE EVIDENCE (page 12)


1. PURPOSE

Logical access to information systems must be controlled. Access control standards must be clearly
defined and implemented for information systems.

2. SCOPE

This policy applies to all Temporary Staff, Employees, Process Owners and clients who have been
granted logical access to Osource India Pvt Ltd resources. All are expected to be familiar with and
comply with this policy.

3. ABBREVIATIONS AND DEFINITIONS

Sr. No. | Abbreviation/Definition | Explanation
1. | IS | Information Systems
2. | CD | Compact Disk
3. | HOD | Head of the Department
4. | ISM | Information Security Manager

4. TAILORING GUIDELINES

Not applicable


5. POLICY & GUIDELINES

5.1. Managing User Access

5.1.1 User Access to Information, Data and Application

Users must be granted access to information, data and applications strictly on a "need to know"
basis.

Access to information services must be controlled by using unique User IDs, wherever possible,
so that each user can be made responsible for their actions.

User access rights to applications and data must be assigned only by the application
administrator, on receipt of a completed Access Request form approved by the requester's
supervisor as well as by the HOD of the person requesting access. All access requests must state
the purpose for which access is needed.

The Application Owners must be responsible for defining and maintaining access control lists
for applications and data. They must ensure that the level of access granted is appropriate to
business requirements.

If a user's access rights need to be modified or revoked for any reason, the respective supervisor
must notify the Application Administrator through the Access Request form or an email request.
The Application Administrator shall then modify or revoke the access rights accordingly.

Users must be required to re-authenticate after a specified period of inactivity. Wherever
possible, sensitive applications must enforce an inactivity timeout.

5.1.2 Access Logs

Access logs must be monitored and reviewed on a weekly basis. All access alerts must be
reviewed daily and a report submitted daily. In case of a breach, an incident must be reported
to the ISM.


5.1.3 Managing User Ids

User Ids must follow a standard naming convention for all computer systems to facilitate user
identification. Naming conventions will cover all end users, contractors, consultants and
vendors.

The Application / System Administrators are responsible for identifying Inactive accounts or
accounts that have not been used for a long duration and disabling them.

If a user account has been inactive for more than 30 days, the system should automatically
disable the account, wherever possible. The system administrator must reactivate the account
only after receiving a written request from the user and approval from the user's supervisor.

System Administrators must log on with their normal User IDs when performing regular work
duties rather than logging in as the Administrator. Use of the Administrator profile must be
limited to administrative activities only.

"Guest" accounts and other default accounts must be disabled on all servers, wherever
applicable.

5.1.4 Password Management

The minimum password length must be set to 8 alphanumeric characters, including at least one
special character wherever applicable.

A password expiration period of 42 days will be set, so that users are forced to change their
passwords every 42 days.

The system must force the user to change the password at the time of the initial logon, wherever
possible.

User Ids must be locked after 3 incorrect password attempts.

Default passwords of all systems or applications must be changed at the first logon.

A password history of last 5 passwords must be maintained.

All users must be made to sign an undertaking to keep passwords confidential and acknowledge
liability for transactions done using their passwords.


Passwords must never be displayed in clear text or stored in readable form in batch files,
automatic login scripts or any other location.

Exceptions to the password management policies may be granted for certain legacy applications
and customized vendor-specific applications.
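As an added example (not part of this policy or of Osource's own tooling), the following PowerShell audit compares an Active Directory domain's default password policy with the thresholds in 5.1.4 and lists enabled accounts that have passed the 30-day inactivity limit in 5.1.3. It assumes the ActiveDirectory RSAT module and read access to the domain; the Disable-ADAccount step uses -WhatIf so it only reports what would be disabled.

```powershell
# Added example: audit an AD domain against sections 5.1.3 and 5.1.4 of this policy.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller can read the domain.
Import-Module ActiveDirectory

# Thresholds taken from the policy text.
$Policy = @{
    MinPasswordLength    = 8     # 5.1.4: minimum 8 characters
    MaxPasswordAgeDays   = 42    # 5.1.4: expire every 42 days
    LockoutThreshold     = 3     # 5.1.4: lock after 3 incorrect attempts
    PasswordHistoryCount = 5     # 5.1.4: remember the last 5 passwords
    InactiveDays         = 30    # 5.1.3: disable after 30 days of inactivity
}

function Test-DomainPasswordPolicy {
    $d = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if ($d.MinPasswordLength -lt $Policy.MinPasswordLength) {
        $findings += "MinPasswordLength is $($d.MinPasswordLength); policy requires $($Policy.MinPasswordLength)"
    }
    # MaxPasswordAge is a TimeSpan; a zero value means passwords never expire.
    if ($d.MaxPasswordAge -eq [TimeSpan]::Zero -or $d.MaxPasswordAge.TotalDays -gt $Policy.MaxPasswordAgeDays) {
        $findings += "MaxPasswordAge is $($d.MaxPasswordAge.TotalDays) days; policy requires at most $($Policy.MaxPasswordAgeDays)"
    }
    # A LockoutThreshold of 0 means accounts are never locked out.
    if ($d.LockoutThreshold -eq 0 -or $d.LockoutThreshold -gt $Policy.LockoutThreshold) {
        $findings += "LockoutThreshold is $($d.LockoutThreshold); policy requires at most $($Policy.LockoutThreshold)"
    }
    if ($d.PasswordHistoryCount -lt $Policy.PasswordHistoryCount) {
        $findings += "PasswordHistoryCount is $($d.PasswordHistoryCount); policy requires at least $($Policy.PasswordHistoryCount)"
    }
    # The special-character requirement maps to Windows complexity rules, the closest available control.
    if (-not $d.ComplexityEnabled) { $findings += "ComplexityEnabled is off; policy requires a special character" }
    # 5.1.4 also forbids readable password storage; reversible encryption stores them recoverably.
    if ($d.ReversibleEncryptionEnabled) { $findings += "ReversibleEncryptionEnabled is on; passwords would be recoverable" }
    return $findings
}

function Get-InactiveUserAccounts {
    # Enabled user accounts with no logon in the last $Policy.InactiveDays days (5.1.3).
    $span = New-TimeSpan -Days $Policy.InactiveDays
    Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, LastLogonDate
}

$findings = Test-DomainPasswordPolicy
if ($findings.Count -eq 0) { "Domain password policy meets section 5.1.4." } else { $findings }

$inactive = Get-InactiveUserAccounts
$inactive | Format-Table -AutoSize
# The policy says such accounts should be disabled; -WhatIf previews the action for review.
$inactive | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Fine-grained password policies applied through PSOs are not covered by Get-ADDefaultDomainPasswordPolicy; check them separately with Get-ADFineGrainedPasswordPolicy if the domain uses them.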

5.1.5 System Access/Management

After having logged on, all end users of multi-user systems must be kept in menus that show
only the options that they have been authorized to select.

Information System users must not test, or attempt to compromise controls, unless specifically
authorized to do so in advance, and in writing, by ISSC.

Every Osource India Pvt Ltd multi-user computer system will have a designated security
administrator to define user privileges, monitor access control logs and perform similar
activities.

Management in each organizational unit will assume responsibility for the proper confidentiality
classification, criticality rating, use and protection of information it owns, possesses and uses.

Management is responsible for implementing information system controls consistent with
generally accepted practices, as well as consistent with the confidentiality, value and criticality
of the information being handled.

Management is responsible for identifying variances from generally accepted information system
control practices and promptly initiating corrective action.

Management in each department is responsible for ensuring that all new associates have
completed an approved information security awareness course within one month of the time
that they join Osource India Pvt Ltd.

If proprietary data is lost, disclosed to unauthorized parties or is suspected of being lost or
disclosed to unauthorized parties, its owner and the Information Security Manager will be notified
immediately.

If sensitive customer information is lost, disclosed to unauthorized parties or is suspected of
being lost or disclosed to unauthorized parties, the Legal Department will be notified
immediately.


5.1.6 Active Directory Groups

The System Administrator will be responsible for creation, population and deletion of global and
universal security groups within Active Directory.

The owners of Active Directory security groups will be responsible for certification of
membership and access rights. Owners will recertify the membership of these groups with a
frequency set by Information Security.

Changing the Active Directory context of a security group, i.e. making one group a new member
of another group, requires Information Security to review the effective change in security that
will result. A description of the effective change will be presented to each group owner
involved. The change cannot be adopted without the permission of each group owner involved.

5.1.7 Service Accounts

Service account requests will be generated by an authorized individual only.

Service accounts will be reviewed periodically by the Information Security Manager to determine if
security changes are required.

Service account creation, deletion and edits are based on the change management controls within
Active Directory groups.

5.2. Ensuring Logical Security on Laptops and Desktops

5.2.1. Securing information on Laptops and Desktops

All desktops and laptops must have a power-on password when initially "booting-up" the
system.

Floppy drives on all end-user machines must be disabled, wherever possible, to prevent copying
of Osource India Pvt Ltd data for unauthorized use.

All desktops and Laptops must have up-to-date anti-virus software installed. The System
Administrator must ensure that updated anti-virus software is installed in all Desktops and
Laptops.


The folders or disk drives in individual desktops or laptops must not be shared unless appropriate
access controls have been enabled on the folder or the disk drive. Sharing of any information
classified as restricted or confidential is not permitted.

Necessary precautions should be taken by laptop users to ensure privacy and confidentiality of
Osource India Pvt Ltd data contained in laptop hard disk.

CD writers and USB ports will be disabled or removed on all desktops. Exception: permissible
rights shall be granted to the ISM and the ISM core team upon approval (email or verbal) from
the CTO.

Removable media devices, such as CD writers, USB devices and tape backups, must not be
provided for individual desktops or laptops unless authorized in writing by the immediate
controlling authority. Exception: permissible rights shall be granted to the ISM and the ISM core
team upon approval (email or verbal) from the CTO.

5.2.2. Security of Unattended User Equipment

It is the responsibility of the user of computer equipment to ensure that no session is left logged
in before leaving any equipment unattended.

All active sessions should be terminated when finished.

Inactive terminals must be set to a timeout of 2 minutes wherever applicable.

5.3. Database Security

The access to database and privileges shall be restricted to database administrators.

Users must not be given access to the database system prompt when connecting through an
intranet application or any application menu.

The DBMS security features should be coordinated with those of the external application or system
to ensure that one does not override the other in undesirable ways.

Access to DBMS utilities must be restricted to those authorized to maintain the database.

Verify backup and recovery of security database. Access to the document mentioning the version
and program changes shall be granted to database administrators who are the owners of this
document.


If a third party person needs to have access to database, it shall be assigned on a temporary basis
and shall be revoked once work is done. Records of the assigned rights should be maintained.

5.4. Controlling Privileged User Ids

5.4.1. Use of privileged user IDs

User ids with high-level access privileges must only be used in the event of emergency.

Passwords of such user Ids must be available with the HOD in encrypted format. This will
ensure that an authorized employee has access to this password, in the event that the concerned
person cannot be reached during an emergency.

All emergency actions which bypass normal access control procedures must be logged and
reported for immediate review by the CTO / ISM.

5.5. Use of sensitive System Utilities

5.5.1. Restricting use of System Utilities

Access to system utilities must be restricted to authorized personnel in accordance with their
business functions and business needs.

All unnecessary sensitive utilities must be removed from the system.

The use of all system utilities must be logged and regularly reviewed by IS team.

It must be ensured that normal users do not have access rights to use system utilities. Any backend
update to the data using SQL or similar utilities must be done only after prior written approval
from the IS department.

System utilities should be separated from application software.


6. MEASUREMENTS

Not Applicable

7. OBJECTIVE EVIDENCE

- Access Request Form for Employee, for Third Party
- Access Control Matrix - User
- Access Control Matrix - Admin
- Access Control Matrix - Application
- List of Inactive User Accounts
- Information Systems Responsibility Matrix
- Password Reset Form
- Password Reset List
- Privilege User ID Maintenance Sheet
- Privilege User ID Recording Form
- Responsibilities Matrix
- User ID Recording Form
