Access Control Procedure

History Log

Version   Date                 Author
1.0       12th December 2019   Information Dynamics
1.1       08th December 2020   Saravanan

Access Management Procedure
Internal 2 of 4
1. Scope
  The scope will be applicable to all activities under the scope statement of Information Dynamics.
ISO 27001:2013 domain reference: A.9 - Access Control

ISO 27001:2013 Reference

A.9.2.1   User registration and de-registration
A.9.2.2   User provisioning
A.9.2.3   Management of privileged access rights
A.9.2.5   Review of user access rights
A.9.2.6   Removal or adjustment of access rights

2. Inputs
Service Request Management
User Access Request
User Access modification
Revocation 
3. Definitions
Access Requestor   the access request.
4. Access Procedure
New User Registration Process
Logical Access

HR shall initiate an email to the IT department when the employee joins the firm. The IT department shall provide the minimum access needed by the employee, inclusive of desktop.
Physical Access

shall initiate a request to the admin department when an employee joins the firm. Based on this request the admin department configures the employee’s access company
User access and privilege access
is granted by the IT to respective systems. The approval for the same should be present from the department head and the operations head.
This process also applies to privileged users for:
Servers
Network Devices
Databases
Applications
Other confidential information
Change of access and removal of access
Any user transferring between access shall be treated as a case of transfers. In case of transfers, the HR shall update the respective IT team to revoke access of the employee to the old systems. Any new system access request shall have to go through a formal request.
In case of leavers, the HR shall notify the IT team regarding the last day of working of the employee. The respective IT section shall accordingly revoke all access to the systems and information sites. This shall also be applicable to all applications which are not integrated.
Review of Access
Access shall be provided only after formal approvals. All user and privilege access shall be reviewed at least once in 6 months. This access shall be reviewed by the Operations Head.
If any discrepancy is found in access reviews, the access shall be removed on an immediate basis.
5. Outputs
Users Access Granting
User Access reviews
6. Associated documentation
Access Control Matrix
7. KPIs

KPI: Access review
Frequency: Half Yearly
Objective: of access shall provide an understanding of process effectiveness. Also helps understand if there are access being provided
Source: Verification of current access in systems against approved tickets/emails.
Target: 0% deviation. Access should match the approvals granted.