Access Control Procedure

History Log
Version	Date	Author
1.0	12th December 2019	Information Dynamics
1.1	08th December 2020	Saravanan
1.2	08th December 2021	Saravanan
1.3	08th December 2022	Saravanan	Annual Review

Scope

The scope will be applicable to all activities under the scope statement of Information Dynamics.

ISO 27001:2013 domain reference: A.9 - Access Control

ISO 27001:2013 Reference
A.9.2.1	User registration and de-registration
A.9.2.2	User access provisioning
A.9.2.3	Management of privilege access rights
A.9.2.5	Review of user access rights
A.9.2.6	Removal or adjustment of access rights

Inputs
- Service Request Management
- User Access Request
- User Access modification
- User access Revocation
Definitions
- Access Requestor Person initiating the access request.
Access Control Procedure

New User Registration Process

Logical Access
HR shall imitate an email to the IT department when the employee joins the firm. The IT department shall provide the minimum access needed for the employee inclusive provisioning of desktop.

Physical Access
HR shall initiate a request to the admin department when an employee joins the firm. Based on this request the admin department configures the employee’s biometrics access to the company

User access and privilege access
Access is granted by the IT admin to respective systems. However the approval for the same should be present from the department head and the operations head.

This process is applicable also to privilege users for:
- Servers
- Network Devices
- Databases
- Applications
- Other confidential information
  
  Change of access and removal of access
  - Any user transferring between access shall be treated as a case of transfers. In case of transfers the HR shall update the IT respective team to revoke access of the employee to the old systems. Any new system access request shall have to go through a formal request.
  - In case of leavers, the HR shall notify the IT team regarding the last day of working of the employee. The respective IT section shall accordingly revoke all access to the systems and information sites. This shall also be applicable to all applications which are not AD integrated.
Review of Access
All access shall be provided only after formal approvals. All user access and privilege access shall be reviewed atleast once in 6 months. These access shall be reviewed by the Operations Head

If any discrepancy found in the access reviews, the access shall be removed on an immediate basis.
Outputs
- Users Access Granting
- User Access reviews
Associated documentation
- Access Control Matrix
KPIs

KPIs

Frequency

Objective

Source

Target

Access review

Half Yearly

Review of access shall provide an understanding of process effectiveness. Also helps understand if there are unauthorized access being provided

Verification of current access in systems against approved tickets/

emails.

0% deviation. Access should match the approvals granted.

Access Control Procedure

Scope

Inputs

Definitions

Access Requestor Person initiating the access request.

Access Control Procedure

New User Registration Process

User access and privilege access

This process is applicable also to privilege users for:

Change of access and removal of access

Review of Access

Outputs

Associated documentation

KPIs