
Identity & Access Management Policy

This policy defines access control measures for all company systems and applications to protect information. It covers identification and authentication requirements such as unique user IDs and strong passwords. It also addresses authorization, ensuring users only have access to necessary data as determined by data owners through access request forms. The policy aims to follow principles of least privilege and separation of duties.

Uploaded by

Hani
Copyright
© All Rights Reserved

Topics covered

  • Access control measures,
  • User account management,
  • Information security,
  • Principle of least privilege,
  • Principle of separation of dut…,
  • Identification process,
  • Unique identifiers,
  • Authentication methods,
  • Encrypted authentication,
  • Password management

Identity and Access Management Policy

Purpose
The purpose of this policy is to define required access control measures for all Company
systems and applications to protect the privacy, security, and confidentiality of all
information technology resources.

Scope
This policy applies to those responsible for the management of user accounts or access
to shared information or network devices. Such information can be held within a
database, application or shared file space. This policy covers departmental accounts as
well as those managed centrally.

Definitions
Access—The ability to use, modify or manipulate an information resource or to gain
entry to a physical area or location.

Access Control—The process of granting or denying specific requests for obtaining and
using information. The purpose of access controls is to prevent unauthorized access to
IT systems.

Availability—Protection of IT systems and data to ensure timely and reliable access to
and use of information to authorized users.

Confidentiality—Protection of sensitive information so that it is not disclosed to
unauthorized individuals, entities or processes.

Principle of Least Privilege—Access privileges for any user should be limited to
resources absolutely essential for completion of assigned duties or functions, and
nothing more.

Principle of Separation of Duties—Whenever practical, no one person should be
responsible for completing or controlling a task, or set of tasks, from beginning to end
when it involves the potential for fraud, abuse, or other harm.

Identification
Identification is the process of assigning an identifier to every individual or system to
enable decisions about the levels of access that should be given. Identifiers must contain
the following:

• Uniqueness—Each identifier (e.g., user ID or Company M Number) is unique; that is,
each identifier is associated with a single person or other entity
• One Identifier per Individual—An individual may have no more than one Company
identification number
• Non-Reassignment—Once an identifier is assigned to a particular person it is always
associated with that person. It is never subsequently reassigned to identify another
person or entity.

Authentication
The authentication process determines whether someone or something is, in fact, who
or what it is declared to be. Authentication validates the identity of the person.
Authentication methods involve presenting both a public identifier (such as a user name
or identification number) and private authentication information, such as a Personal
Identification Number (PIN) or password. All systems and applications must use
encrypted authentication mechanisms and abide by the following:
• Authentication credentials will not be coded into programs or queries unless they are
encrypted, and only when no other reasonable option exists.
• Unique initial passwords must be provided through a secure and confidential manner,
and initial passwords must be changed upon first logon.
• Passwords must not be stored in clear text or in any easily reversible form.
• Vendor-supplied default and/or blank passwords shall be immediately identified and
reset upon installation of the affected application, device, or operating system.

To ensure that passwords are of adequate strength, passwords for users, systems,
applications, and devices must meet, to the degree technically feasible, the following
Information Security requirements:

All privileged accounts (root, super user, and administrator passwords for servers,
databases, infrastructure devices and other systems) must adhere to the requirements
listed above and where possible and appropriate:
• Support authentication of individual users, not groups
  o In situations where group accounts for administrative purposes and shared
    passwords for those accounts are required, the password must be changed every
    ninety days and immediately upon any personnel change within the group.
• Configure devices with separate accounts for privileged and unprivileged access.
• Authenticate users with an unprivileged account rather than a privileged account.

Please see the Company’s Password Standards for reference.

Authorization
Authorization is the process used to grant permissions to authenticated users.
Authorization grants the user, through technology or process, the right to use the
information assets and determines what type of access is allowed (read-only, create,
delete, and/or modify). The system or application should determine if the user has
permission to perform the requested operation. Users are not permitted to access
sensitive data unless the Data Owner has given written permission through established
business processes. Data Owners are individually responsible for establishing data access
procedures that must include, at a minimum, the following:
• Access request forms must be used to request, change, or delete existing access
privileges to Company systems that contain sensitive information.
• To maintain the requirements of minimum necessary and least privilege, when a user
transfers, all accounts should first be disabled, privileges removed, then accounts
re-enabled and privileges added that are required in the user’s new role.
• For new accounts and changes to existing accounts, portions of the form must be
completed and authorized by the:
  o Person who is requesting access to the system
  o User’s supervisor and/or department head (or designated representative)
  o Data Owner
• For account deletions, report separations in a timely manner when workforce
members are reassigned, promoted, or separated. For termination with cause,
deactivation must occur immediately.
• Periodic review of user privileges to ensure access is commensurate with user’s
current responsibilities, as well as modification, removal or inactivation of accounts
when access is no longer required.

It is the manager’s responsibility to ensure that all users with access to sensitive data
attend proper training as well as read and acknowledge the Company Confidentiality
Agreement. It is also the manager’s responsibility to follow the Company’s employment
process as defined by Human Resources to ensure compliance with various laws and
regulations.

Segregation of Duties
Access privileges granted to each individual user will adhere to the principles of
separation of duties. Technical or administrative users, such as programmers, system
administrators, database administrators, security administrators of systems and
applications must have an additional, separate end-user account to access the system as
an end-user to conduct their personal business.

Compliance
System owners must have documented procedures for access control and must be able
to produce the documented procedures when required for auditing purposes. Evidence
of account approval, termination, and disabling must be available when required for
auditing purposes.
