If you need additional information regarding the roles and responsibilities of Sponsors for Non-Employees and EBPs, please refer to KB0012158 - Non-Employee and External Business Partner (EBP) Sponsor Role.
Business Use
Roles
• Requestor
• Approver
• Owner/Administrator
• Reviewer
• ITC application Administrator
Sponsor responsibilities
• Awareness: Make sure you are aware of the different kinds of accounts created under your CC, e.g. Non-Emp, NPA, EBP.
• CDA: Make sure you have a proper business justification for the account and a CDA signed with the vendor.
• Timely Reviews: Make sure you review the accounts in a timely manner in ITAccess and the ITC workflow tool.
• Timely Removal: Whenever the user leaves the company, suspend the account within 24 hrs.
• Oversight: Always transfer sponsorship whenever you, or the person you sponsor, change the current role.
• ITC Tracking: Ensure that all accesses of non-personal accounts to local applications are tracked in the ITC workflow tool and are revoked within 30 days of the person leaving.
• Password Change (transfer within 24 hours): Ensure that NPAs are tracked in the ITC workflow tool and that NPA passwords are changed within 24 hours if a person who has access to the account exits.
• Security Plans (applicable for NPA sponsors; review annually): Consult the site CSL and create security plans for NPAs with non-expiring passwords. Security plans must be approved by the Plant Manager and reviewed annually.
Managing Exits
HiR SharePoint
• The approver for access to SharePoint with Highly Restricted information must be a B5 (to be lowered to B4 effective Jan. 1st 2022).
• KB0512652 - Terms and Conditions for a Highly Restricted SharePoint Site and FAQ
Your Responsibility
• If storing HiR data on SharePoint, you are responsible for:
  • Classifying the data appropriately using the Information Security Decision Tree
  • Understanding what is classified as Highly Restricted Data (link to data classification catalog)
  • Getting approval from a B5 manager for storage of highly restricted data
Note: If you have any doubts, reach out to your manager, Site CSL or Site ITOT leader for clarification.
• The link also references the dynamic Asset Classification Catalog web page. It also provides an Excel extract of the catalog; always use the latest Excel file from the website, never a local copy.
NPA Guideline
Non-Personal Account:
An NPA is only set up (can only be approved) if there is no other technical solution. According to company standards, an NPA should only be a TEMPORARY solution.
• NPA Sponsor requests the NPA. The approving manager varies as per the type of account (e.g. Application ID, Device ID, Shared email ID, etc.).
  • Clarification of owner, approver, reviewer.
  • Clarification of PW expiring / non-expiring.
  • Completing the security plan if the NPA has a non-expiring password (approved by Plant Manager).
  • Request to maintain the NPA in ITC.
• CSL / OGC owner creates the system / solution in ITC.
• Sponsor creates the NPA in ITAccess according to alignment / approval.
• Registration of users in ITC:
  • Owner is “ADMIN”
  • Everyone else who knows the PW is “USER”
• Realizing the obligations as an NPA sponsor (keep ITC users up to date!)
Useful Resources
Appendix
Information Asset classification
1. Any folder or data stored online (SharePoint, OneDrive, mail, etc.) should be classified as Business Use, HiR or Secret. All HiR and Secret data/folders need to follow the standards, e.g. personal medical data, salary records, etc.
  • Click here to check which folders come under HiR/Secret.
  • Click here to check which data/folders you can store where.
2. Any data stored in SharePoint needs to be aligned with a B5 through a mail - more details and format.