Objective

This document forms DIGISEVA’s User Access Control & Account Management Policy in support of the IT Security Policy. Compliance with this Policy will enable consistent controls to be applied throughout the organization minimizing exposure to security breach, whilst allowing systems administration and technical support staff to conduct their activities within the framework of the company policies.

Scope

This policy applies to all user account and all other computing accounts provided to DIGISEVA employees, Merchants, contractors, trainees, etc. This policy is not limited to within DIGISEVA premises, but applies to any access, remote or local, to any computing resources administered by DIGISEVA.

Policy Description

• All user accounts must be assigned passwords which meet the standards and all users are required to change their password at initial logon where systems do not force this.
• Depending on the work users are provided access to specific parts of the system. Access is only provided in the working hours. Which will be integrated with user Sign in and Sign out.
• Users must not attempt to access systems, applications or data which their user account does not naturally provide access to.
• For the dev environment strong password policies and policy enforcement tools like active directory.
• All servers are audited on quarterly basis.

Password Change at Initial Log-on

Where possible, systems are to be configured to force users to change their password at their first log on in accordance with the Password Policy.

Suspension of User Accounts and Password Resets 

The suspension of a user account can only be requested by the respective Reporting Officer with approval from HOD, HR Head of Department, Information Security Officer. Further, all users and privileged accounts are to be locked or disabled after 90 days or more of inactivity. All password resets are to be performed in accordance with the Password Usage and Management Policy. Non-permanent personnel (e.g., contractors, consultants) are not granted for account access and VPN/WIFI access.

Account Privileges

Technical Support department is to restrict and control the allocation and use of system privileges on each computer platform. In particular, access to operating systems and applications is to be generally restricted to designated administrators and support staff who are associated with the management and maintenance of the respective platforms. Users are to be given specific account profiles and privileges as defined and authorized by their respective reporting officer or management in accordance with their particular function or role. When creating user-accounts, system administrators must take care to ensure that users are only granted access to systems and resources that have been approved and which are necessary for business purpose. User privileges are to be reviewed on a regular and frequent basis and withdrawn where the circumstances of those who have been granted privileges no longer warrant such access.

Account Management

User-accounts are to remain active during the employment of the user at DIGISEVA

Separation Policy is followed by Technical Support & Human Resource when members of the staff leave employment. Administrators delete/disable user-accounts when the account holder has left organization employment or any disciplinary action has been taken by HR department.

Use of Accounts

User identification and authentication

All system users should have a unique identifier (“user-ID”) for their personal use only. 

This includes:

• Shared user-IDs are employed only in exceptional circumstances, where there is a clear justification;
• Generic user-IDs (e.g., “guest”) are employed only where no individual-user-level audit is required and limited access privileges otherwise justify the practice.
• Guest can only access network which is logical and physically separate from the secured environment.
• Strength of the identification and authentication methods (e.g., use of multiple authentication factors) are suitable to the sensitivity of the information being accessed;  and
• Regular user activities are not performed from privileged accounts.

Passwords

All user accounts must be assigned passwords which meet the standards in the Password Policy. In accordance with the Password Policy all users are required to change their initial log-on password the first time that they log onto a system where the system itself does not automatically enforce this requirement.

Access Parameters

In accordance with the Acceptable Use Policy under no circumstances are users to attempt to access systems, applications or data which their user account does not naturally provide access to and for which they have not been granted specific permission.

Session time-out

Interactive sessions “lock out” the user after a defined period of inactivity (like 15 minute). Resumption of the interactive session require re-authentication.

This includes:

• Time-out periods that reflect risks associated with type of user, setting of use and sensitivity of the applications and data being accessed;

Limitation of connection time and location

Restrictions on connection times to be used for additional security for high-risk applications or remote communications capabilities.  This includes:

• Requiring re-authentication at timed intervals;
• Restricting overall connection duration or connection time period (e.g., normal office hours); and 
• Restricting connection locations (e.g., to IP address ranges).

User authentication for remote connections

Where appropriate and technically feasible, authentication methods should be used to control remote access to the network. All physical and logical access ports are disabled and where possible disconnected from the systems.  Firewalls are to be configured to allow access to/from a specified DEVICE/IP/URL and or PORT.

Information access restriction

Access to information and application system functions should be restricted in accordance with the defined access control policy that is consistent with the overall organizational access policy.  This could include any of the controls in this and other policies.

User Access Rights Violation

User Access rights violations are monitored regularly by the System Admin and Security Committee Member. Access Logs are monitored for this purpose. Automated Emails are generated and sent to designated members. All such violations shall be further discussed in the Security Committee Team Meetings and in the MRM Meetings.

Policy –Third Party Account

Approval for third party account must be provided by the Head of Department from respective domain. The access should be restricted to minimum folders for better manageability.

Policy –Controlling Shared & Other Accounts

When there is a need for collaborative working, shared areas are to be created and accessed through the use of each user’s own user account. However, project accounts may be permitted whereby members of a ‘group’ access the account through the use of a common (shared) user-name and password.

Named custodians are to be appointed to manage temporary accounts where these are used for temporary staff.

Network Privileges

Network connection control  

Capabilities of users to connect to the network should be appropriately restricted, consistent with access control policies and applications requirements.  This includes:

• Filtering by connection type (e.g., messaging, email, file transfer, interactive access, applications access); and
• Additional authentication and access control measures as appropriate.

Network routing control

Routing controls should be implemented to ensure that computer connections and information flows do not breach the access control policies of/for applications on the network.  This includes:

• Positive source and destination address checking; and
• Routing limitations based on the access control policy.

Most network users will have access to the following types of network resources.

• Email – Most users will have full access to their own email. They will not be able to transfer ownership to someone else.
• Segregation in networks: appropriate and technically feasible, groups of users and services should be segregated on networks.  This includes:
  • Separation into logical domains(i.e. Departments/Sections), each protected by a defined security perimeter; and
  • Secure gateways between/among logical domains. 
• A shared group or organizational division’s drive – This is a folder that members of specific groups or divisions in the organization may access. Access may be read or write and may vary by organizational requirements. Following table would be referred for giving access right permission.

• Access to databases – There may be additional databases that may be stored on a shared drive or on some other resource. Most databases will have a standard user level which gives users appropriate permissions to enter data and see report information. However only the database administrators will have full access to all resources on a database. Database administrators will only have full access to the database that they administer.

Admin Privileges

Admin ID for all servers.

Application, Tools and Utility Software Installation

All applications, tools and utility programs are installed and managed by System Admin and no user is allowed to manage them. System Admin receive support requests from users with approvals from their Section Heads for such tasks. System Admin shall maintain a log of all such requests and activities performed.

Enforcement

Any employee found to have violated this policy could also be subject to disciplinary action, up to and including termination of employment.

Policy Review

The policy will continue to be in force unless superseded by a fresh policy. DIGISEVA management reserves the right to amend, abrogate, modify, rescind / reinstate the entire Policy or any part of it at any time.

References

DIGISEVA IT Security Policy 1.0

Responsibility for execution, Functional Impact and Processes affected by the Policy

Technical Support would be responsible for execution and enforcement of the policy and all DIGISEVA processes and employees would be affected by the policy.

Access to the policy

All DIGISEVA employees, Merchants

Glossary

NA