USER ACCESS MANAGEMENT PROCEDURE
KING SAUD UNIVERSITY
DEANSHIP OF E-TRANSACTIONS & COMMUNICATION
VERSION 1.1
INTERNAL USE ONLY

USER ACCESS MANAGEMENT PROCEDURE
PREPARED BY: ALTAMASH SAYED
REVIEWED BY: NASSER A. AMMAR
APPROVED BY: DR. MOHAMMED A ALNUEM
REVISION HISTORY
Sr. No. | Date of Revision | Ver. | Validity | Description of change
1       | 18/03/12         | 1.0  | One Year | Initialization
2       | 02/03/13         | 1.1  | One Year | Changed
3       | 05/03/13         | 1.1  | One Year | No Change
(Rows 4 to 10 are blank.)
Reviewed By: Nasser A. Ammar, Dr. Mohammed A Alnuem
Department Ownership: Mr. Toqeer Ahmad
Approved By: Mr. Toqeer Ahmad; Mr. Mohammed A. Alsarkhi; Mr. Mohammed A. Alsarkhi
DISTRIBUTION LIST
Sr. No | Version Number | Name | Designation | Department
(Rows 1 to 3 are blank.)
ISMS/A.9/UAM/PRO/V1.1
Page 2 of 13
Internal Use Only
TABLE OF CONTENTS
1. PURPOSE ........ 4
2. SCOPE ........ 4
3. RELATED POLICIES AND PROCEDURES ........ 4
4. PROCEDURE ENFORCEMENT / COMPLIANCE ........ 4
5. DOCUMENT OWNER ........ 4
6. ROLES & RESPONSIBILITY ........ 5
7. INVOCATION ........ 6
8. PROCESS FLOWCHART ........ 7
9. PROCEDURE DETAILS ........ 8
10. OUTPUTS ........ 11
11. RECORDS ........ 11
12. ANNEXURE ........ 12
12.1 USER ACCESS FORM ........ 12
12.2 USER ACCESS RECORD ........ 13
1. PURPOSE
In order to control and secure the creation, modification and deletion of users' logical and/or physical access at the King Saud University eTransactions & Communication Deanship, a formal User Access Management procedure must be enforced throughout the King Saud University - eTransactions & Communication Deanship.
2. SCOPE
This procedure applies to King Saud University (KSU) - eTransactions & Communication (ETC)
Deanship and all parties, its affiliated partners or subsidiaries, including data processing and process
control systems, that are in possession of or using information and/or facilities owned by KSU-ETC
Deanship.
This procedure applies to all staff/ users that are directly or indirectly employed by KSU-ETC
Deanship, subsidiaries or any entity conducting work on behalf of KSU that involves the use of
information assets owned by ETC Deanship.
3. RELATED POLICIES AND PROCEDURES
- Access Control Policy
4. PROCEDURE ENFORCEMENT / COMPLIANCE
Compliance with this procedure is mandatory, and ETC Deanship managers shall ensure continuous compliance monitoring within their departments. Compliance with the statements of this procedure is subject to periodic review by the Risk & Information Security Department, and any violation of the procedure will result in corrective action by the ISMS Steering Committee.
Disciplinary action will depend on the severity of the violation, as determined by the investigation. Actions such as termination, or others as deemed appropriate by ETC Management and the Human Resources Department, will be taken.
5. DOCUMENT OWNER
- ISMS Manager
6. ROLES & RESPONSIBILITY
Each role involved in this procedure shall have the following main responsibilities:
1. Users / Department Manager
- Update ETC Deanship Management with the employee's status.
- Process Logical / Physical Access requests for Employees / Users.
- Maintain a copy of the signed User Access Form.
2. Information Security Officer
- Review and evaluate Logical and Physical Access requests from the business and security aspects, provide comments and forward the request to the ISMS Manager for approval.
3. ISMS Manager
- Evaluate and approve User Logical / Physical Access Requests.
- Maintain a record of user registration, resignation, role change and termination.
4. ETC Deanship Department
- Implement user access permissions.
- Maintain an accurate user registration / modification / deletion record.
- Review user access privileges on an annual basis.
- Ensure that the processes followed by users reflect the "User Access Management Procedure" of the KSU ETC Deanship.
- Grant and revoke access to network and system resources.
- Grant and revoke access to information processing facilities.
5. Building Administration / IT Datacenter
- Verify user access permissions and maintain an accurate record for KSU premises / secure areas.
- Issue ETC Deanship Department premises / secure area access permissions (e.g. paper, badges).
7. INVOCATION
This procedure shall be followed whenever there is:
- User Account Creation
  This procedure should be initiated whenever there is a need to register and grant access privileges for new users of the organization's information resources (e.g. internet, printers and LAN).
- User Privileges Modification
  Whenever there is a change or update of existing user privileges, this procedure must be followed.
- User Termination
  To revoke the access privileges of resigned / terminated users, this procedure must be started.
- Physical / Premises Access
  This procedure shall be invoked whenever there is a need to grant physical access permission to organization premises and restricted areas.
8. PROCESS FLOWCHART
[Flowchart: User Access Management Procedure. Swimlanes: User / Department Manager; ISMS Manager; ETC Deanship Department; Building Administration / IT Datacenter.]
START -> Step 1: Access Request (User / Department Manager; document: User Access Form) -> Step 2: Forward Request (Logical / Physical) -> Step 3: Evaluate Business & Security needs (ISMS Manager) -> Approval?
- No: Step 4: Inform Requester -> END.
- Yes: Access Type?
  - Logical Access: Step 5: Implementation -> Step 6: Update Access Record (ETC Deanship Department) -> END.
  - Physical Access: Step 7: Implementation -> Step 8: Update Account Management Log (Building Administration / IT Datacenter) -> END.
Legend: Start / End (start and end of the procedure); An activity / step; Decision (a decision in a procedure); Input / Output (input or output information); Document / Form; Log / Record; Storage to file; Reference to another procedure (another related procedure); Follow to step no.
9. PROCEDURE DETAILS
This section reflects the broad activities / steps to be carried out in the procedure.

STEP 1 : ACCESS REQUEST
Responsibility: User / Department Manager
Inputs:
- User Account Creation
- User Privileges Modification
- User Termination / Account Removal
- Physical / Premises Access
Activities:
- The procedure will be initiated by the Department Manager / User, who will fill in the User Access Form.
- Proceed to step 2.
Outputs: Logical / Physical User Access Form.

STEP 2 : FORWARD REQUEST
Responsibility: User / Department Manager
Inputs: Logical / Physical User Access Form.
Activities:
- Once the Access Form has been filled in, the Department Manager / User will sign and forward the form to the ISMS Manager for evaluation of business and security needs.
Outputs: Logical / Physical User Access Form.

STEP 3 : REVIEW AND APPROVAL
Responsibility: ISMS Manager
Inputs: Logical / Physical User Access Form (Business and Security needs evaluation).
Activities:
- Review and evaluate the request based on the ETC Deanship's Business and Technical Requirements.
- If the request is approved, the request will be forwarded to:
  - Logical Access: to IT Sections for Implementation.
  - Physical Access: to Building Administration / IT Datacenter for Implementation.
- If the request is rejected, go to step 4.
Outputs: Logical / Physical User Access Approval / Rejection.
STEP 4 : INFORM REQUESTER
Responsibility: ISMS Manager
Inputs:
- Rejected User Access Request.
- Access Implementation Status.
Activities:
- The IT Infrastructure Manager will inform the requester of the result of the access form; if the request is accepted the process will move on, and the Requester will be notified upon completion of the request.
- End of procedure.
Outputs: None.

STEP 5 : IMPLEMENTATION
Responsibility: ETC Deanship Department
Inputs: Approved Logical User Access Form.
Activities:
- Necessary actions are followed to implement the User Logical Access Request.
- The User Logical Access Request Form is updated with the technical actions taken.
- Proceed to step 6.
Outputs: Implemented Logical Access Request.

STEP 6 : UPDATE ACCESS RECORD
Responsibility: ETC Deanship Department
Inputs: Implemented Logical Access Request.
Activities:
- The respective ETC Deanship department updates the account management logs / Access Records related to the access actions taken.
- Go to step 5.
Outputs: Updated Access Records.
STEP 7 : IMPLEMENTATION
Responsibility: Building Administration / IT Datacenter
Inputs: Approved Physical User Access Form.
Activities:
- Necessary actions are followed to implement the User Physical Access Request.
- The User Physical Access Request Form is updated with the actions taken.
- Go to step 8.
Outputs: Implemented Physical User Access Request.

STEP 8 : UPDATE ACCOUNT MANAGEMENT LOGS
Responsibility: Building Administration / IT Datacenter
Inputs: Implemented Physical User Access Request.
Activities:
- Physical User Access implementation logs will be updated with the related access actions.
- Go to step 5.
Outputs: Updated Account Management Log.
10. OUTPUTS
The following is an output of the process:
- User Access Forms.
11. RECORDS
The following is the list of all applicable records that serve as evidence of implementation of the process. The records are maintained in hard and soft copy.
- User Access Record.
12. ANNEXURE
12.1 USER ACCESS FORM
USER ACCESS FORM
Request type: [ ] ISSUE  [ ] MODIFY  [ ] SUSPEND  [ ] DISABLE
EMPLOYEE ID:
EMPLOYEE NAME:
TITLE:
DEPARTMENT:
SECTION:
TYPE OF ACCESS: [ ] Logical  [ ] Physical
DURATION: Date Start: / Date Finish: / Time Start: / Time Finish:
DEPARTMENT MANAGER: NAME / COMMENTS / SIGNATURE / DATE
ISMS MANAGER APPROVAL: NAME / APPROVAL: [ ] Yes  [ ] No / COMMENTS / SIGNATURE / DATE
IMPLEMENTATION DETAILS: EMPLOYEE ID / CREATION DATE / ACCESS DETAILS / CREATED BY / SIGNATURE
12.2 USER ACCESS RECORD
USER ACCESS RECORD
Date & Time | Administrator Name | System/Application | Access Type | Access Request Ref. # | Signature