
Business Use

InfoSec Compliance Refresher Training

For Managers and Sponsors of Employees, Non-employees, Non-Personal Accounts and HiR SharePoint

05/08/2022 – Brinu Augustine



Agenda

1. Overview Access Management
2. Types of User accounts
3. Roles and responsibility of Application Owners, Approvers, Reviewers and ITC Workflow tool Admin
4. Roles and responsibility of IT account Sponsors
5. Managing Exits
6. HiR SharePoint Guideline
7. Information Asset Data Classification Guideline
8. NPA Guideline

Overview Access Management

Need for Access Management

We must protect our electronic and physical business information from improper or unauthorized disclosure. Access management ensures that the right people have access to the right things, and that they are who they say they are.

Tool for managing access records
ITC Workflow tool - https://itc-tool.pg.com/NewRequest?siteId=158
The tool we use to record access requests, access reviews, access change requests and access removal requests for all applications that do not have a centralized access management system.

Access Categories
1. Local application access - For all local site applications
2. NPA access - For all NPA accounts (immediate password change, within 48 hours, in case of employee exit or role change)
3. HiR Access – For all Highly Restricted SharePoint sites

Types of User Accounts in ITAccess


1. Employee: Only a P&G Employee can have this type of account. If an employee leaves the company, this account must be cancelled. P&G employees are created by SAP/HR. Once they have been created in SAP, employees can be updated and provisioned services through ITAccess. Contact your HR resource for P&G employee creation.
2. Non-Employee / Internal or Org-Specific Role: Individual users who are not employees, including strategic partners, joint ventures, contractors or temps, who need access to P&G services such as Intranet, Email or other P&G applications. Non-employees may be remote or located at a P&G site. Do not use this account type for shared accounts.
3. Non-Employee / External: Individual non-P&G users, not located at a P&G site, who need access to Restricted & Highly Restricted data or extranet services such as the Customer & Supplier Portal. A unique and functional external email address is required.
4. Non-Personal - Special or Test IDs: Any account that is not used as an individual's own account (e.g. shared email, application ID); these are referred to as Special ID or Test ID accounts.
5. EBP: External Business Partners (EBP) are third-party personnel not located at a P&G site who need access to extranet services (e.g. Customer Portal or Supplier Portal) and who may need limited Intranet access (typically to specific applications). No services are provided to these users.

If you need additional information regarding the roles/responsibilities of Sponsors for Non-Employees and EBPs, please refer to KB0012158 - Non-Employee and External Business Partner (EBP) Sponsor Role.

Roles & Responsibilities



Roles and responsibility of Application Owners, NPA owners, Approvers, Reviewers and ITC Workflow tool Admin

Roles
• Requestor
• Approver
• Owner/Administrator
• Reviewer
• ITC application Administrator

Link to ITC Workflow tool – Site access management tracking tool

[Diagram on the original slide; only its timing labels survive: 30 days, 14 days]

Important Note - Never approve or review your own access requests. If you are the owner of an application in the ITC workflow tool, let your supervisor approve or review it.

Roles and responsibility of IT account Sponsors

Awareness: Make sure you are aware of the different kinds of accounts created under your CC (e.g. Non-Emp, NPA, EBP).

CDA: Make sure you have a proper business justification for the account and a CDA signed with the vendor.

Timely Reviews: Make sure you review them in a timely manner in ITAccess and the ITC workflow tool.

Timely Removal: Whenever the user leaves the company, suspend the account within 24 hrs.

Oversight: Always transfer sponsorship whenever you, or the person you sponsor, change role.

ITC Tracking: Ensure that all accesses of non-personal accounts to local applications are tracked in the ITC workflow tool and are revoked within 30 days of the person leaving.

Password Change: Ensure that the NPAs are tracked in the ITC workflow tool and that NPA passwords are changed within 24 hours if a person who has access to the account exits.

Security Plans (applicable for NPA sponsors): Consult the site CSL and create security plans for NPAs with non-expiring passwords. Security plans must be approved by the Plant Manager and reviewed annually.

[Timing labels from the original slide: Transfer within 24 hours; Review annually]

Site Direction – IT account sponsors must be B1+ managers.



Managing Exits

Who should know this?
1. Every Manager of a P&G Employee
2. Every Sponsor of a Non-P&G Employee/Contractor

What should you know?
1. The account suspension must be completed no later than 24 hours from the personnel's last day.
2. The access removals must be completed no later than 30 days from the employee's last day.

Managing Exits of P&G Employees

What should you do?

In case of a P&G employee exit:
1. Manager informs HR of the separation date as soon as the employee requests exit.
2. HR raises an MOI request in Workday; ITAccess then suspends the employee's P&G account on the date of exit (within 24 hours).
3. HR informs the ITC coordinator to revoke access to applications not synchronized with P&G accounts and managed through ITC workflow (within 30 days).

Managing Exits of Non-P&G Employees

What should you do?

In case of a Non-P&G employee exit:
1. For applications not synchronized with P&G accounts and managed through ITC workflow

[Flow diagram on the original slide; only its timing labels survive: Within 24 hours, Within 24 hours, Within 30 days]



HiR SharePoint Guideline



OPL – HiR SharePoint Online Sites

O365 Storage and Collaboration tools


• If you have HiR data or sensitive PII data (medical records, BCP documents with crisis contact info, etc.) on SharePoint/Shared Drive/Teams, make sure that it is compliant and in a storage location that is authorized for HiR.
• KB0011790 – gives you a fair idea of which O365 tools can be used for storage and collaboration.

HiR SharePoint
• The approver for access to a SharePoint site with Highly Restricted information must be a B5 (to be lowered to B4 effective Jan. 1st, 2022).
• KB0512652 - Terms and Conditions for a Highly Restricted SharePoint Site and FAQ

Your Responsibility
• If storing HiR data on SharePoint, you are responsible for:
  • Classifying the data appropriately using the Information Security Decision Tree
  • Understanding what is classified as Highly Restricted Data - Link to data classification catalog
  • Getting approval from a B5 manager for storage of highly restricted data.

Note - If you have any doubts, reach out to your manager, Site CSL or Site ITOT leader for clarification.

Information Asset Data Classification Guideline

Information Security Asset Classification Decision Tree


• Determine the information asset classification for a document, dataset, etc. into Secret, HiR, Business Use, Public using
the decision-making flow chart.

• The link also references the dynamic Asset classification catalog webpage, which offers an Excel extract as well; always use the latest Excel from the website and do not use a local copy.

Link to data asset classification catalog



O365 Access Review

Information Request
• Which type of data is owned by you?
• How to find which SharePoint sites are owned by you?
• Link to O365 Access Review Information Request

NPA Guideline

Non-Personal Account:
An NPA is only set up (can only be approved) if there is no other technical solution. According to company standards, an NPA should only be a TEMPORARY solution.

• NPA Sponsor requests the NPA. The approving manager varies with the type of account (e.g. Application ID, Device ID, Shared email ID, etc.):
  - Clarification of owner, approver, reviewer.
  - Clarification of expiring / non-expiring password.
  - Completing the security plan if the NPA has a non-expiring password (approved by the Plant Manager).
  - Request to maintain the NPA in ITC.
• CSL/OGC owner creates the system / solution in ITC.
• Sponsor creates the NPA in ITAccess according to the alignment/approval.
• Registration of users in ITC:
  - Owner is "ADMIN"
  - Everyone else who knows the password is "USER"
• Realizing the obligations as an NPA sponsor (keep ITC users up to date!)

While creating an NPA, the business need must contain a clear description of:
• Why the NPA is needed
• Whether there is any other solution than an NPA
• Whether the NPA should get an expiring or a non-expiring password

NPA training decks



Useful Resources

• Data Classification on-line training - MyLearning 


• Lavatory Poster - Data Classification - It Rules.
• Approved Collaboration/Storage Tools - Infographic. 
• Storage and Collaboration Tools - Knowledge Article 
• Information Asset Classification Catalog - click here 
• Non-Employee and External Business Partner (EBP) Sponsor Role – Knowledge Article
• Account and Privileges Management Standard.pdf – Policy document

Appendix

Information Asset classification
1. Any folder or data stored online (SharePoint, OneDrive, mail, etc.) should be classified as Business Use, HiR or Secret data. All HiR and Secret data/folders need to follow the standards (e.g. personal medical data, salary records, etc.).
   • click here to check which folders come under HiR/Secret
   • click here to check which data/folders you can store where

2. Any HiR data stored in SharePoint needs to be aligned with a B5 by mail - More details and format

3. A semi-annual access review has to be done and recorded.
