Upload: duongkhanh

Post on 20-Mar-2018

217 views

Category:

Documents


2 download

TRANSCRIPT

VERSION 1.1

INTERNAL USE ONLY

USER ACCESS

MANAGEMENT PROCEDURE

KING SAUD UNIVERSITY

DEANSHIP OF E-TRANSACTIONS & COMMUNICATION

USER ACCESS MANAGEMENT PROCEDURE

ISMS/A.9/UAM/PRO/V1.1 Page 2 of 13 Internal Use Only

REVISION HISTORY

Sr. No. | Date of Revision | Ver. | Validity | Description of change | Reviewed By | Approved By
1 | 18/03/12 | 1.0 | One Year | Initialization | Nasser A. Ammar | Dr. Mohammed A Alnuem
2 | 02/03/13 | 1.1 | One Year | Department Ownership Changed | Mr. Toqeer Ahmad | Mr. Mohammed A. Alsarkhi
3 | 05/03/13 | 1.1 | One Year | No Change | Mr. Toqeer Ahmad | Mr. Mohammed A. Alsarkhi
(Rows 4 to 10 are blank.)

DISTRIBUTION LIST

Sr. No | Version Number | Name | Designation | Department
(Rows 1 to 3 are blank.)

PREPARED BY: ALTAMASH SAYED
REVIEWED BY: NASSER A. AMMAR
APPROVED BY: DR. MOHAMMED A ALNUEM


TABLE OF CONTENTS

1. PURPOSE .................................................................................................. 4

2. SCOPE ...................................................................................................... 4

3. RELATED POLICIES AND PROCEDURES ...................................................... 4

4. PROCEDURE ENFORCEMENT / COMPLIANCE ............................................ 4

5. DOCUMENT OWNER ................................................................................ 4

6. ROLES & RESPONSIBILITY ......................................................................... 5

7. INVOCATION ............................................................................................ 6

8. PROCESS FLOWCHART .............................................................................. 7

9. PROCEDURE DETAILS ................................................................................ 8

10. OUTPUTS ............................................................................................. 11

11. RECORDS ............................................................................................. 11

12. ANNEXURE .......................................................................................... 12

12.1 USER ACCESS FORM ......................................................................................... 12

12.2 USER ACCESS RECORD ..................................................................................... 13


1. PURPOSE

In order to control and secure the creation, modification and deletion of King Saud University - eTransactions & Communication Deanship users' logical and/or physical access, a formal procedure for User Access Management must be enforced across the entire King Saud University - eTransactions & Communication Deanship.

2. SCOPE

This procedure applies to King Saud University (KSU) - eTransactions & Communication (ETC) Deanship and all parties, its affiliated partners or subsidiaries, including data processing and process control systems, that are in possession of or using information and/or facilities owned by KSU-ETC Deanship.

This procedure applies to all staff/users that are directly or indirectly employed by KSU-ETC Deanship, its subsidiaries or any entity conducting work on behalf of KSU that involves the use of information assets owned by ETC Deanship.

3. RELATED POLICIES AND PROCEDURES

Access Control Policy

4. PROCEDURE ENFORCEMENT / COMPLIANCE

Compliance with this procedure is mandatory, and ETC Deanship managers shall ensure continuous compliance monitoring within their departments. Compliance with the statements of this procedure is subject to periodic review by the Risk & Information Security Department, and any violation of the procedure will result in corrective action by the ISMS Steering Committee.

Disciplinary action will depend on the severity of the violation, as determined by the investigation. Actions such as termination, or others as deemed appropriate by ETC Management and the Human Resources Department, will be taken.

5. DOCUMENT OWNER

ISMS Manager


6. ROLES & RESPONSIBILITY

Each role involved in this procedure shall have the following main responsibilities:

1. Users / Department Manager
- Update ETC Deanship Management with the employee's status.
- Process Logical / Physical Access requests for Employees / Users.
- Maintain a copy of the signed User Access Form.

2. Information Security Officer
- Review and evaluate Logical and Physical Access requests from the business and security aspects, provide comments and forward the request to the ISMS Manager for approval.

3. ISMS Manager
- Evaluate and approve User Logical / Physical Access Requests.
- Maintain a record of user registration, resignation, role change and termination.

4. ETC Deanship Department
- Implement user access permissions.
- Maintain an accurate user registration / modification / deletion record.
- Review user access privileges on an annual basis.
- Ensure that the processes followed by users reflect the "User Access Management Procedure" of KSU ETC Deanship.
- Grant and revoke access to network and system resources.
- Grant and revoke access to information processing facilities.

5. Building Administration / IT Datacenter
- Verify user access permissions and maintain an accurate record for KSU premises / secure areas.
- Issue ETC Deanship Department premises / secure areas access permissions (e.g. paper, badges).


7. INVOCATION

This procedure shall be followed whenever there is:

- User Account Creation: This procedure should be initiated whenever there is a need to register and grant access privileges for new users of the organization's information resources (e.g. internet, printers and LAN).
- User Privileges Modification: Whenever there is a change or update to existing user privileges, this procedure must be followed.
- User Termination: To revoke the access privileges of resigned / terminated users, this procedure must be started.
- Physical / Premises Access: This procedure shall be invoked whenever there is a need to grant physical access permission to organization premises and restricted areas.


8. PROCESS FLOWCHART

[Flowchart: "User Access Management Procedure". Swimlanes: User / Department Manager; ISMS Manager; ETC Deanship Department; Building Administration / IT Datacenter. Legend: Start / End (start and end of the procedure); Log/Record (storage to file); Document / Form; Step n (an activity / step); Follow to step no.; Input/Output (input or output information); Decision (a decision in a procedure); Another related procedure (reference to another procedure); Approval.]

Flow shown: START; Step 1 Access Request (User Access Form); Step 2 Forward Request (Logical / Physical); Step 3 Evaluate Business & Security needs; Approval decision (No: Step 4 Inform Requester, then END; Yes: Type decision); Logical Access: Step 5 Implementation, Step 6 Update Access Record; Physical Access: Step 7 Implementation, Step 8 Update Account Management Log; connector "4" (follow to step no. 4).


9. PROCEDURE DETAILS

This section reflects the broad activities/steps to be carried out in the procedure.

STEP 1 : ACCESS REQUEST
Responsibility: User / Department Manager
Inputs:
- User Account Creation
- User Privileges Modification
- User Termination / Account Removal
- Physical / Premises Access
Activities:
- The procedure will be initiated by the Department Manager / User, who will fill in the User Access Form.
- Proceed to step 2.
Outputs: Logical / Physical User Access Form.

STEP 2 : FORWARD REQUEST
Responsibility: User / Department Manager
Inputs: Logical / Physical User Access Form.
Activities: Once the Access Form has been filled in, the Department Manager / User will sign it and forward the form to the ISMS Manager to evaluate business and security needs.
Outputs: Logical / Physical User Access Form.

STEP 3 : REVIEW AND APPROVAL
Responsibility: ISMS Manager
Inputs: Logical / Physical User Access Form (Business and Security needs evaluation)
Activities:
- Review and evaluate the request based on ETC Deanship's Business and Technical Requirements.
- If the request is approved, it will be forwarded to:
  - Logical Access: IT Sections for Implementation
  - Physical Access: Building Administration / IT Datacenter for Implementation
- If the request is rejected, go to step 4.
Outputs: Logical / Physical User Access Approval / Rejection


STEP 4 : INFORM REQUESTER
Responsibility: ISMS Manager
Inputs:
- Rejected User Access Request.
- Access Implementation Status
Activities:
- The IT Infrastructure Manager will inform the requester of the result of the access form; if the request is accepted the process will move on, and the Requester will be notified upon completion of the request.
- End of procedure.
Outputs: None.

STEP 5 : IMPLEMENTATION
Responsibility: ETC Deanship Department
Inputs: Approved Logical User Access Form.
Activities:
- The necessary actions are taken to implement the User Logical Access Request.
- The User Logical Access Request Form is updated with the technical actions taken.
- Proceed to step 6.
Outputs: Implemented Logical Access Request

STEP 6 : UPDATE ACCESS RECORD
Responsibility: ETC Deanship Department
Inputs: Implemented Logical Access Request
Activities:
- The respective ETC Deanship department updates the account management logs / Access Records related to the access actions taken.
- Go to step 5.
Outputs: Updated Access Records


STEP 7 : IMPLEMENTATION
Responsibility: Building Administration / IT Datacenter
Inputs: Approved Physical User Access Form.
Activities:
- The necessary actions are taken to implement the User Physical Access Request.
- The User Physical Access Request Form is updated with the actions taken.
- Go to Step 8.
Outputs: Implemented Physical User Access Request

STEP 8 : UPDATE ACCOUNT MANAGEMENT LOGS
Responsibility: Building Administration / IT Datacenter
Inputs: Implemented Physical User Access Request
Activities:
- Physical User Access implementation logs are updated with the related access actions.
- Go to step 5.
Outputs: Updated Account Management Log.


10. OUTPUTS

The following will be an output of the process:
- User Access Forms.

11. RECORDS

The following is the list of all applicable records that are the evidence of implementation of the process. The records are maintained in hard and soft copy.
- User Access Record.


12. ANNEXURE

12.1 USER ACCESS FORM

USER ACCESS FORM
Action: [ ] ISSUE  [ ] MODIFY  [ ] SUSPEND  [ ] DISABLE
EMPLOYEE ID:
EMPLOYEE NAME:
TITLE:
DEPARTMENT:
SECTION:
TYPE OF ACCESS: [ ] Logical  [ ] Physical
DURATION: Date Start:        Date Finish:
          Time Start:        Time Finish:

DEPARTMENT MANAGER
NAME:
COMMENTS:
SIGNATURE:
DATE:

ISMS MANAGER APPROVAL
NAME:
APPROVAL: [ ] Yes  [ ] No
COMMENTS:
SIGNATURE:
DATE:

IMPLEMENTATION DETAILS
EMPLOYEE ID | CREATION DATE | ACCESS DETAILS | CREATED BY | SIGNATURE


12.2 USER ACCESS RECORD

USER ACCESS RECORD
Date & Time | Administrator Name | System/Application | Access Type | Signature | Access Request Ref. #