VERSION 1.1
INTERNAL USE ONLY
USER ACCESS
MANAGEMENT PROCEDURE
KING SAUD UNIVERSITY
DEANSHIP OF E-TRANSACTIONS & COMMUNICATION
USER ACCESS MANAGEMENT PROCEDURE
ISMS/A.9/UAM/PRO/V1.1 Page 2 of 13 Internal Use Only
REVISION HISTORY
Sr. No. | Date of Revision | Ver. | Validity | Description of change        | Reviewed By       | Approved By
1       | 18/03/12         | 1.0  | One Year | Initialization               | Nasser A. Ammar   | Dr. Mohammed A Alnuem
2       | 02/03/13         | 1.1  | One Year | Department Ownership Changed | Mr. Toqeer Ahmad  | Mr. Mohammed A. Alsarkhi
3       | 05/03/13         | 1.1  | One Year | No Change                    | Mr. Toqeer Ahmad  | Mr. Mohammed A. Alsarkhi
DISTRIBUTION LIST
Sr. No | Version Number | Name | Designation | Department
(no entries recorded)
PREPARED BY: Altamash Sayed | REVIEWED BY: Nasser A. Ammar | APPROVED BY: Dr. Mohammed A Alnuem
TABLE OF CONTENTS
1. PURPOSE                                   4
2. SCOPE                                     4
3. RELATED POLICIES AND PROCEDURES           4
4. PROCEDURE ENFORCEMENT / COMPLIANCE        4
5. DOCUMENT OWNER                            4
6. ROLES & RESPONSIBILITY                    5
7. INVOCATION                                6
8. PROCESS FLOWCHART                         7
9. PROCEDURE DETAILS                         8
10. OUTPUTS                                  11
11. RECORDS                                  11
12. ANNEXURE                                 12
    12.1 USER ACCESS FORM                    12
    12.2 USER ACCESS RECORD                  13
1. PURPOSE
To control and secure the creation, modification and deletion of users' logical and/or physical access at the King Saud University eTransactions & Communication Deanship, a formal User Access Management procedure must be enforced throughout the Deanship.
2. SCOPE
This procedure applies to the King Saud University (KSU) eTransactions & Communication (ETC) Deanship and to all parties, affiliated partners and subsidiaries, including data processing and process control systems, that possess or use information and/or facilities owned by the KSU ETC Deanship.
It applies to all staff and users who are directly or indirectly employed by the KSU ETC Deanship or its subsidiaries, and to any entity conducting work on behalf of KSU that involves the use of information assets owned by the ETC Deanship.
3. RELATED POLICIES AND PROCEDURES
Access Control Policy
4. PROCEDURE ENFORCEMENT / COMPLIANCE
Compliance with this procedure is mandatory, and ETC Deanship managers shall ensure continuous compliance monitoring within their departments. Compliance with the statements of this procedure is subject to periodic review by the Risk & Information Security Department, and any violation will result in corrective action by the ISMS Steering Committee.
Disciplinary action depends on the severity of the violation as determined by investigation. Actions such as termination, or others deemed appropriate by ETC Management and the Human Resources Department, may be taken.
5. DOCUMENT OWNER
ISMS Manager
6. ROLES & RESPONSIBILITY
Each role involved in this procedure has the following main responsibilities:
1. Users / Department Manager
Update ETC Deanship Management on employees' status.
Process logical / physical access requests for employees / users.
Maintain a copy of the signed User Access Form.
2. Information Security Officer
Review and evaluate logical and physical access requests from the business and security perspective, provide comments, and forward the request to the ISMS Manager for approval.
3. ISMS Manager
Evaluate and approve user logical / physical access requests.
Maintain a record of user registration, resignation, role change and termination.
4. ETC Deanship Department
Implement user access permissions.
Maintain an accurate user registration / modification / deletion record.
Review user access privileges on an annual basis.
Ensure that the processes followed by users reflect the "User Access Management Procedure" of the KSU ETC Deanship.
Grant and revoke access to network and system resources.
Grant and revoke access to information processing facilities.
5. Building Administration / IT Datacenter
Verify user access permissions and maintain an accurate record for KSU premises / secure areas.
Issue access permissions (e.g. paper passes, badges) for ETC Deanship Department premises / secure areas.
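The annual review of user access privileges assigned to the ETC Deanship Department above is, in practice, a reconciliation: every account that is enabled on a system must be justified by an approved User Access Form in the User Access Record, and any record marked DISABLE or SUSPEND, or whose approved duration has ended, must no longer correspond to a live account. The following script is an added example written for this page; it is not part of the KSU ETC Deanship procedure or any of its systems. It assumes the User Access Record is exported as CSV with the column names shown (taken from the fields of the Annex 12.1 form), that rows are in chronological order so the last row for an employee is the current state, and that dates are ISO 8601. The sample record, the list of enabled accounts and the review date are all constructed.

```python
"""Annual access-privilege review helper (added example, not part of the procedure).

Reconciles a User Access Record export against the accounts actually enabled
on a system and flags every enabled account the record does not justify.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample export of the User Access Record (column names are an
# assumption modelled on the Annex 12.1 User Access Form fields).
ACCESS_RECORD_CSV = """employee_id,employee_name,action,access_type,date_start,date_finish,isms_approval
E1001,A. Example,ISSUE,Logical,2012-04-01,2013-04-01,Yes
E1002,B. Example,ISSUE,Logical,2012-06-15,2013-06-15,Yes
E1003,C. Example,ISSUE,Logical,2012-02-01,2013-02-01,Yes
E1003,C. Example,DISABLE,Logical,2012-10-01,,Yes
E1004,D. Example,ISSUE,Physical,2012-09-01,2013-09-01,No
"""

# Constructed list of account IDs currently enabled on the target system
# (what a directory or badge-system export would provide).
ENABLED_ACCOUNTS = {"E1001", "E1002", "E1003", "E1005"}

# Constructed review date for the worked example.
REVIEW_DATE = "2013-05-01"


@dataclass(frozen=True)
class Finding:
    employee_id: str
    reason: str


def load_access_record(csv_text):
    """Return the current record per employee; the last row wins (rows assumed chronological)."""
    current = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        current[row["employee_id"].strip()] = row
    return current


def review_access(current, enabled_accounts, review_date):
    """Flag each enabled account that has no valid, approved, unexpired access on record."""
    today = date.fromisoformat(review_date)
    findings = []
    for employee_id in sorted(enabled_accounts):
        rec = current.get(employee_id)
        if rec is None:
            # Enabled account that never went through Steps 1-3: no form at all.
            findings.append(Finding(employee_id, "enabled account with no User Access Form on record"))
        elif rec["isms_approval"].strip().lower() != "yes":
            # Form exists but the ISMS Manager rejected it; the account should not exist.
            findings.append(Finding(employee_id, "enabled account but ISMS Manager approval is 'No'"))
        elif rec["action"].strip().upper() in ("DISABLE", "SUSPEND"):
            # Termination / suspension was recorded but never implemented on the system.
            findings.append(Finding(employee_id, f"record says {rec['action'].strip()} but account is still enabled"))
        elif rec["date_finish"].strip():
            # Approved duration (Date Finish on the form) has already passed.
            finish = date.fromisoformat(rec["date_finish"].strip())
            if finish < today:
                findings.append(Finding(employee_id, f"approved access duration expired on {finish.isoformat()}"))
    return findings


def run_review():
    """Run the review over the constructed data and return the findings."""
    return review_access(load_access_record(ACCESS_RECORD_CSV), ENABLED_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for finding in run_review():
        print(f"{finding.employee_id}: {finding.reason}")
```

On the constructed data the review yields three findings: E1001 (approved duration ended on 2013-04-01), E1003 (a DISABLE record whose account is still enabled, i.e. a termination that was logged under Step 6 but not carried out), and E1005 (an enabled account with no form at all). E1004 is not flagged because, although its form was rejected, no account exists for it. The check is deliberately driven by the record, not by the system: an account the record cannot explain is the finding, whatever the system's own metadata says about it.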
7. INVOCATION
This procedure shall be followed whenever one of the following occurs:
User Account Creation: whenever there is a need to register a new user of the organization's information resources (e.g. internet, printers and LAN) and grant access privileges.
User Privileges Modification: whenever existing user privileges are changed or updated.
User Termination: whenever the access privileges of resigned or terminated users must be revoked.
Physical / Premises Access: whenever there is a need to grant physical access permission to organization premises or a restricted area.
8. PROCESS FLOWCHART
[Flowchart: User Access Management Procedure Process. Swim lanes: User / Department Manager; ISMS Manager; ETC Deanship Department; Building Administration / IT Datacenter.]
Flow: START -> Step 1 Access Request (User Access Form) -> Step 2 Forward Request (Logical / Physical) -> Step 3 Evaluate Business & Security needs -> Approval? No -> Step 4 Inform Requester -> END. Approval? Yes -> Type? Logical Access -> Step 5 Implementation -> Step 6 Update Access Record -> Step 4. Type? Physical Access -> Step 7 Implementation -> Step 8 Update Account Management Log -> Step 4.
Legend: Start / End (start and end of the procedure); Log/Record (storage to file); Form (document / form); Step (an activity / step); Decision (a decision in a procedure); Another related procedure (reference to another procedure); Follow to step no.; Input/Output (input or output information).
9. PROCEDURE DETAILS
This section describes the activities/steps to be carried out in the procedure.
STEP 1 : ACCESS REQUEST
Responsibility User / Department Manager
Inputs
User Account Creation
User Privileges Modification
User Termination / Account Removal
Physical / Premises Access
Activities
The procedure is initiated by the Department Manager / User, who fills in the User Access Form.
Proceed to step 2.
Outputs Logical / Physical User Access Form.
STEP 2 : FORWARD REQUEST
Responsibility User / Department Manager
Inputs Logical/Physical User Access Form.
Activities Once the Access Form has been filled in, the Department Manager / User signs it and forwards it to the ISMS Manager for evaluation of the business and security needs.
Outputs Logical / Physical User Access Form
STEP 3 : REVIEW AND APPROVAL
Responsibility ISMS Manager
Inputs Logical/Physical User Access Form (Business and Security needs evaluation)
Activities
Review and evaluate the request against the ETC Deanship's business and technical requirements.
If the request is approved, it is forwarded for implementation:
Logical Access: to the IT Sections (step 5)
Physical Access: to Building Administration / IT Datacenter (step 7)
If the request is rejected, go to step 4.
Outputs Logical / Physical User Access Approval / Rejection
STEP 4 : INFORM REQUESTER
Responsibility ISMS Manager
Inputs Rejected User Access Request.
Access Implementation Status
Activities
The ISMS Manager informs the requester of the outcome of the access request. If the request was rejected, the procedure ends here. If the request was approved, the procedure continues with implementation, and the requester is notified again upon completion of the request.
End of procedure.
Outputs None.
STEP 5 : IMPLEMENTATION
Responsibility ETC Deanship Department
Inputs Approved Logical User Access form.
Activities
The necessary actions are carried out to implement the User Logical Access Request.
The User Logical Access Request form is updated with the technical actions taken.
Proceed to step 6.
Outputs Implemented Logical Access Request
STEP 6 : UPDATE ACCESS RECORD
Responsibility ETC Deanship Department
Inputs Implemented Logical Access Request
Activities
The respective ETC Deanship department updates the account management logs / Access Records with the access actions taken.
Go to step 4 (Inform Requester).
Outputs Updated Access Records
STEP 7 : IMPLEMENTATION
Responsibility Building Administration / IT Datacenter
Inputs Approved Physical User Access Form.
Activities
The necessary actions are carried out to implement the User Physical Access Request.
The User Physical Access Request Form is updated with the actions taken.
Go to step 8.
Outputs Implemented Physical User Access Request
STEP 8 : UPDATE ACCOUNT MANAGEMENT LOGS
Responsibility Building Administration / IT Datacenter
Inputs Implemented Physical User Access Request
Activities The physical user access implementation logs are updated with the access actions taken.
Go to step 4 (Inform Requester).
Outputs Updated Account Management Log.
10. OUTPUTS
The following is the output of the process:
User Access Forms.
11. RECORDS
The following records are the evidence that the process has been carried out. They are maintained in hard and soft copy.
User Access Record.
12. ANNEXURE
12.1 USER ACCESS FORM
USER ACCESS FORM
[ ] ISSUE   [ ] MODIFY   [ ] SUSPEND   [ ] DISABLE
EMPLOYEE ID:
EMPLOYEE NAME:
TITLE:
DEPARTMENT:
SECTION:
TYPE OF ACCESS:   [ ] Logical   [ ] Physical
DURATION:         Date Start: ________   Date Finish: ________
                  Time Start: ________   Time Finish: ________
DEPARTMENT MANAGER
  NAME:
  COMMENTS:
  SIGNATURE:
  DATE:
ISMS MANAGER APPROVAL
  NAME:
  APPROVAL:   [ ] Yes   [ ] No
  COMMENTS:
  SIGNATURE:
  DATE:
IMPLEMENTATION DETAILS
  EMPLOYEE ID:
  CREATION DATE:
  ACCESS DETAILS:
  CREATED BY:
  SIGNATURE: