USER ACCESS MANAGEMENT PROCEDURE
KING SAUD UNIVERSITY
DEANSHIP OF E-TRANSACTIONS & COMMUNICATION
VERSION 1.1
INTERNAL USE ONLY
Document reference: ISMS/A.9/UAM/PRO/V1.1

PREPARED BY: Altamash Sayed
REVIEWED BY: Nasser A. Ammar
APPROVED BY: Dr. Mohammed A Alnuem

REVISION HISTORY

Sr. No. | Date     | Ver. | Revision Validity | Description of change | Reviewed By            | Department Ownership | Approved By
1       | 18/03/12 | 1.0  | One Year          | Initialization        | Nasser A. Ammar        | Mr. Toqeer Ahmad     | Mr. Toqeer Ahmad
2       | 02/03/13 | 1.1  | One Year          |                       | Dr. Mohammed A Alnuem  | Changed              | Mr. Mohammed A. Alsarkhi
3       | 05/03/13 | 1.1  | One Year          |                       |                        | No Change            | Mr. Mohammed A. Alsarkhi

DISTRIBUTION LIST

Sr. No | Version Number | Name | Designation | Department
(no entries recorded)

TABLE OF CONTENTS

1. PURPOSE
2. SCOPE
3. RELATED POLICIES AND PROCEDURES
4. PROCEDURE ENFORCEMENT / COMPLIANCE
5. DOCUMENT OWNER
6. ROLES & RESPONSIBILITY
7. INVOCATION
8. PROCESS FLOWCHART
9. PROCEDURE DETAILS
10. OUTPUTS
11. RECORDS
12. ANNEXURE
12.1 USER ACCESS FORM
12.2 USER ACCESS RECORD

1. PURPOSE

In order to control and secure the creation, modification and deletion of users' logical and/or physical access at the King Saud University eTransactions & Communication Deanship, a formal procedure for User Access Management must be enforced across the entire King Saud University - eTransactions & Communication Deanship.

2. SCOPE

This procedure applies to King Saud University (KSU) - eTransactions & Communication (ETC) Deanship and all parties, its affiliated partners or subsidiaries, including data processing and process control systems, that are in possession of or using information and/or facilities owned by KSU-ETC Deanship.

This procedure applies to all staff/users that are directly or indirectly employed by KSU-ETC Deanship, its subsidiaries, or any entity conducting work on behalf of KSU that involves the use of information assets owned by ETC Deanship.

3. RELATED POLICIES AND PROCEDURES

Access Control Policy

4. PROCEDURE ENFORCEMENT / COMPLIANCE

Compliance with this procedure is mandatory, and ETC Deanship managers shall ensure continuous compliance monitoring within their departments. Compliance with the statements of this procedure is subject to periodic review by the Risk & Information Security Department, and any violation of the procedure will result in corrective action by the ISMS Steering Committee. Disciplinary action will depend on the severity of the violation, as determined by investigation. Actions such as termination, or others as deemed appropriate by ETC Management and the Human Resources Department, will be taken.

5. 
DOCUMENT OWNER

ISMS Manager

6. ROLES & RESPONSIBILITY

Each role involved in this procedure shall have the following main responsibilities:

1. Users / Department Manager
   - Update ETC Deanship Management with the employee's status.
   - Process Logical / Physical Access requests for Employees / Users.
   - Maintain a copy of the signed User Access Form.

2. Information Security Officer
   - Review and evaluate Logical and Physical Access requests from the business and security perspectives, provide comments and forward the request to the ISMS Manager for approval.

3. ISMS Manager
   - Evaluate and approve User Logical / Physical Access Requests.
   - Maintain a record of user registration, resignation, role change and termination.

4. ETC Deanship Department
   - Implement user access permissions.
   - Maintain an accurate user registration / modification / deletion record.
   - Review user access privileges on an annual basis.
   - Ensure that the processes followed by users reflect the "User Access Management Procedure" of KSU ETC Deanship.
   - Grant and revoke access to network and system resources.
   - Grant and revoke access to information processing facilities.

5. Building Administration / IT Datacenter
   - Verify user access permissions and maintain an accurate record for KSU premises / secure areas.
   - Issue ETC Deanship Department premises / secure areas access permissions (e.g. paper passes, badges).

7. INVOCATION

This procedure shall be followed whenever there is:

User Account Creation
This procedure should be initiated whenever there is a need to register and grant access privileges to new users of the organization's information resources (e.g. internet, printers and LAN).

User Privileges Modification
Whenever there is a change or update to existing user privileges, this procedure must be followed.
User Termination
To revoke the access privileges of resigned / terminated users, this procedure must be started.

Physical / Premises Access
This procedure shall be invoked whenever there is a need to grant physical access permission to organization premises and restricted areas.

8. PROCESS FLOWCHART

[Flowchart: "User Access Management Procedure". Swimlanes: User / Department Manager; ISMS Manager; ETC Deanship Department; Building Administration / IT Datacenter. Flow: START -> Step 1 Access Request -> Step 2 Forward Request (Logical / Physical), producing the User Access Form -> Step 3 Evaluate Business & Security needs -> Approval decision (Yes / No). No: Step 4 Inform Requester -> END. Yes: Access Type decision. Logical: Step 5 Implementation -> Step 6 Update Access Record -> END. Physical: Step 7 Implementation -> Step 8 Update Account Management Log -> END. Legend: Start / End; An activity / step; Decision; Input / Output information; Document / Form; Log / Record; Storage to file; Reference to another procedure; Follow to step no.]

9. PROCEDURE DETAILS

This section reflects the broad activities / steps to be carried out in the procedure.

STEP 1 : ACCESS REQUEST
Responsibility: User / Department Manager
Inputs: User Account Creation; User Privileges Modification; User Termination / Account Removal; Physical / Premises Access
Activities: The procedure is initiated by the Department Manager / User, who fills in the User Access Form. Proceed to step 2.
Outputs: Logical / Physical User Access Form.

STEP 2 : FORWARD REQUEST
Responsibility: User / Department Manager
Inputs: Logical / Physical User Access Form.
Activities: Once the Access Form has been filled in, the Department Manager / User signs it and forwards the form to the ISMS Manager for evaluation of business and security needs.
Outputs: Logical / Physical User Access Form

STEP 3 : REVIEW AND APPROVAL
Responsibility: ISMS Manager
Inputs: Logical / Physical User Access Form (business and security needs evaluation)
Activities: Review and evaluate the request based on ETC Deanship's business and technical requirements. If the request is approved, it is forwarded to:
   - Logical Access: the IT Sections for implementation (step 5)
   - Physical Access: Building Administration / IT Datacenter for implementation (step 7)
If the request is rejected, go to step 4.
Outputs: Logical / Physical User Access Approval / Rejection

STEP 4 : INFORM REQUESTER
Responsibility: ISMS Manager
Inputs: Rejected User Access Request; Access Implementation Status
Activities: The ISMS Manager informs the requester of the result of the access form. If the request is accepted the process moves on, and the requester is notified upon completion of the request. End of procedure.
Outputs: None.

STEP 5 : IMPLEMENTATION
Responsibility: ETC Deanship Department
Inputs: Approved Logical User Access Form.
Activities: The necessary actions are taken to implement the User Logical Access Request. The User Logical Access Request form is updated with the technical actions taken. Proceed to step 6.
Outputs: Implemented Logical Access Request

STEP 6 : UPDATE ACCESS RECORD
Responsibility: ETC Deanship Department
Inputs: Implemented Logical Access Request
Activities: The respective ETC Deanship department updates the account management logs / Access Records with the access actions taken. End of procedure.
Outputs: Updated Access Records

STEP 7 : IMPLEMENTATION
Responsibility: Building Administration / IT Datacenter
Inputs: Approved Physical User Access Form.
Activities: The necessary actions are taken to implement the User Physical Access Request.
The User Physical Access Request Form is updated with the actions taken. Go to step 8.
Outputs: Implemented Physical User Access Request

STEP 8 : UPDATE ACCOUNT MANAGEMENT LOGS
Responsibility: Building Administration / IT Datacenter
Inputs: Implemented Physical User Access Request
Activities: The Physical User Access implementation logs are updated with the related access actions. End of procedure.
Outputs: Updated Account Management Log.

10. OUTPUTS

The following is the output of the process:
   - User Access Forms.

11. RECORDS

The following are the applicable records that are the evidence of implementation of the process. The records are maintained in hard and soft copy.
   - User Access Record.

12. ANNEXURE

12.1 USER ACCESS FORM

USER ACCESS FORM
Request type: [ ] ISSUE  [ ] MODIFY  [ ] SUSPEND  [ ] DISABLE
EMPLOYEE ID:
EMPLOYEE NAME:
TITLE:
DEPARTMENT:
SECTION:
TYPE OF ACCESS: [ ] Logical  [ ] Physical
DURATION: Date Start:  Date Finish:  Time Start:  Time Finish:

DEPARTMENT MANAGER
NAME:
COMMENTS:
SIGNATURE:
DATE:

ISMS MANAGER APPROVAL
NAME:
APPROVAL: [ ] Yes  [ ] No
COMMENTS:
SIGNATURE:
DATE:

IMPLEMENTATION DETAILS
EMPLOYEE ID:
CREATION DATE:
ACCESS DETAILS:
CREATED BY:
SIGNATURE:

12.2 USER ACCESS RECORD

USER ACCESS RECORD
Columns: Date & Time | Administrator Name | System/Application | Access Type | Access Request Ref. # | Signature