Standard / Policy / Procedure / Code of Practice / Work Instruction
TITLE: LOGICAL ACCESS CONTROL POLICY
Document reference:
Release: November 2021
Version: 1.0
Issued by: Nguyen The Hung
Approved by:
Page 1 of 16

LOGICAL ACCESS CONTROL POLICY
(For internal circulation only.)
The hardcopy of this document is marked as an UNCONTROLLED version. The CONTROLLED version is stored on Companys primary storage system in a folder hierarchy with appropriate access permissions.
Table of Contents
DOCUMENT INFORMATION ........................................................................................................... 3
DOCUMENT CONTROL .................................................................................................................. 3
REVISION HISTORY ....................................................................................................................... 3
INTRODUCTION .............................................................................................................................. 4
PURPOSE .................................................................................................................................... 4
ROLES AND RESPONSIBILITIES................................................................................................ 4
SCOPE ......................................................................................................................................... 5
REVIEW ....................................................................................................................................... 5
ASSOCIATED RISK DEFINITION ................................................................................................ 5
CLASSIFICATIONS ...................................................................................................................... 5
DEVIATION FROM POLICY REQUIREMENTS ............................................................................... 6
POLICY REQUIREMENTS .............................................................................................................. 7
APPENDIX 1: ADDITIONAL IT POLICIES SET .............................................................................. 12
APPENDIX 2: ASSETS/SYSTEMS CLASSIFICATION EXAMPLE ................................................. 13
APPENDIX 3: GLOSSARY OF TERMS ......................................................................................... 14
APPENDIX 3: SEGREGATION OF DUTIES EXAMPLE ................................................................. 15
APPENDIX 4: IMPACT AND LIKELIHOOD ANALYSIS MATRIX .................................................... 16
DOCUMENT INFORMATION
Document Name: Logical Access Control Policy (LACP)
Document Reference No.: 211124 FRS_IT – LACP.1.0
Document Version No.: 1.0
Document Effective Date:
Document Owner:
DOCUMENT CONTROL
Name: Nguyen The Hung
Role: Author
Position: IT Manager
Date:
REVISION HISTORY
Document Name: Logical Access Control Policy (LACP)
Document Type: Policy
Review Date: 24/11/2021
Next Review Date: 22/11/2022
Version / Reviewer / Details of Change / Date:
First release, 24 Nov 2021
INTRODUCTION
This Policy provides the overall framework for limiting access to an IT asset or system, both physical and virtual, through a process of permissions granted to Companys’ users, with defined privileges set on that IT asset, system or resource. In an Access Control system, users must present their own credentials before permission(s) can be granted for their access to the IT asset, system or resource.
Access Control includes:
- Identification: identifying the user or system/computer that is being used to access Companys’ IT Assets, Systems or Network.
- Authentication: validating that the user or system is indeed the user or system it claims to be when attempting to access Companys’ IT Assets, Systems or Network, often by means of a user password, IT token or certificate.
- Authorization: specifying what a user or system can do on IT Assets, Systems or Network, often by applying Read Only, Read/Write or Modify, Change Permissions, or access to the Internet, etc., based on the sensitivity level of the IT Assets, Systems or Network, once Identification and Authentication have succeeded.
The Logical Access Control Policy (LACP) focuses on “logical” access only (for example, access to assets, systems or data by an application or software) and describes the mechanisms used to implement logical access controls so as to ensure an appropriate level of security for Companys’ IT Assets, Systems and Network.
Supported by a suite of other IT Policy documents, the Logical Access Control Policy covers a wide range of information security aspects, which must be read and complied with by Companys’ employees, as listed in the Appendix.
PURPOSE
This IT Security Policy is created and maintained for the purpose of protecting Companys’ people, business partners and information by applying an effective access control process/procedure that restricts access permissions on Companys IT Assets, Systems and Network to authorized users, in line with their respective authorized system functionality and data assets.
ROLES AND RESPONSIBILITIES
The LACP applies to all Companys’ employees, third parties and contractors who use Companys’ IT Assets, Systems and Network, regardless of their physical location or the Companys business entity they belong to.
It is the responsibility of the IT Manager to maintain the policy and to provide guidance to the business on its implementation.
Companys’ employees must be aware of any local standards and legislation (particularly when dealing with personal data) and, where applicable, develop additional policies alongside the other relevant policies to ensure overall compliance.
Please contact the IT Manager in any instance where local legislation or regulation would contradict a requirement stated in the Companys IT policies.
SCOPE
This Policy applies to:
- All network-connected systems, devices and IT assets in Companys,
- All providers of Information Technology services to Companys,
- All users of Information Technology Assets, Systems and Networks in Companys entities,
- Authorized third parties connecting to Companys Information Technology Assets, Systems and Networks.
REVIEW
The LACP will be reviewed as part of the overall management review of the effectiveness of Companys’ information security during its implementation and lifecycle.
The LACP must also be reviewed in response to a security incident and/or changes to the organizational or technical infrastructure.
ASSOCIATED RISK DEFINITION
All components of IT Assets, Systems and Network have a value to the Company. However, some of them are more sensitive to risk because of their content or their importance to ongoing business operations. This sensitivity or risk is driven by the need to maintain the Confidentiality, Integrity and Availability of IT Assets, Systems and Networks, as defined in the table below:
Confidentiality: Confidentiality refers to preventing disclosure of information, whether by authorized or unauthorized parties, to unauthorized individuals or other IT Systems/Networks.
Integrity: In Information Security, Integrity means maintaining and assuring the accuracy, completeness, consistency and timeliness of IT Assets, Systems and Network over their entire lifecycle, and preventing unauthorized modification.
Availability: For any IT Assets and Systems to serve their purpose, they must be available when needed. Ensuring Availability also involves preventing other security-relevant events, such as a Denial-of-Service (DoS) attack or malware/malicious code, which may break normal operations.
These three properties are collectively known as CIA in IT Security.
CLASSIFICATIONS
It is strongly required to create and maintain an IT Assets and Systems Inventory, designed to:
- Ensure each business unit has a record of the key critical IT Assets and Systems where data is stored, modified and processed.
- Enable Companys to focus the Information Security Program on the key IT Assets and Systems, to ensure that they are protected by appropriate security controls and solutions.
The IT Assets and Systems Inventory is a record of the key critical IT Assets and Systems owned by Companys and also identifies where key assets/systems reside in terms of systems, applications and storage locations (both physical and logical).
The Inventory records provide a centralized log of key critical IT Assets and Systems and their locations, in order to ensure that appropriate governance and security solutions over the key critical assets and systems exist and operate to protect them from potential IT Security risks and threats. The Inventory also helps to direct current company resources to the key risk areas.
Other, non-critical assets and systems are expected to apply the Standard technical builds, which provide baseline security so that they do not introduce security weaknesses that could expose the overall platform and infrastructure.
The Policy Requirements chapter provides more detail about the requirements around IT Assets and Systems, linked to the Assets Classification Schema (see table below), which requires that each system or asset be given an appropriate classification label. Please note that this is intended only as guidance; business knowledge is vital in accurately determining the level of risk and the classification.
Assets Classification Schema
Level / Classification Label / Definition
Level 1, Standard: The base level of security that applies to all IT assets and systems unless stated otherwise. If no other classification is given, it is assumed that the “Standard” classification applies.
Level 2, Confidential: The label “Confidential” is applied to IT Assets/Systems whose confidentiality, integrity and availability are critical to ongoing business operations and business reputation.
Level 3, Restricted: The label “Restricted” is applied to IT Assets/Systems that process data bound by a specific standard or legislation, for example:
- Personal information (information that identifies an individual), which is bound by the requirements of the Data Protection Act/Regulation.
- Payment Card information, which is bound by the requirements of the Payment Card Industry Data Security Standard (PCI DSS).
DEVIATION FROM POLICY REQUIREMENTS
Any decision to deviate from the requirements set out in this Policy must be approved by the Company Senior Management Team.
Compliance is mandatory for:
- IT Assets, Systems or Network that process Payment Card Industry (PCI) related data (for example, Credit Card details),
- Data protection regulation such as the UK Data Protection Act and the EU Data Protection Directive/EU General Data Protection Regulation,
- Other local Law and Legislation that may apply to Information Technology.
POLICY REQUIREMENTS
The primary objective of the Logical Access Control Policy (LACP) is to protect Companys’ IT Assets, Systems and other IT Resources from inappropriate, undesired or unauthorized user access, while still ensuring optimal collaboration and sharing of IT Assets, Systems and Resources.
Depending on the Assets Classification category applicable from the previous chapter, the requirements set out below describe the security conditions with which Companys must comply, under the following sections:
- Access Control foundation,
- User access management,
- Password management,
- User Segregation of Duties,
- Remote access,
- Review of Users’ access right permissions.
For each Control Area, the Requirements are listed per classification level (Standard, Confidential, Restricted), with the Reference noted under the heading where one is given.
ACCESS CONTROL FOUNDATION
Reference: IT Policy
Standard Requirements
- Access to Companys’ IT Assets, Systems and Resources must be controlled by an identification and authentication mechanism that includes, at least, a User ID and an associated password.
- A formal record of all registered users who can access Companys’ IT Assets, Systems and Resources must be maintained.
- Default, well-known accounts/passwords must be changed to prevent unauthorized access through such accounts/passwords.
- User accounts must be unique and must not be shared between users, unless specially and formally approved by the Management Board.
- Where a user account/password is shared for operational reasons, this must be recorded in the Registered Users record and marked as a “special case”.
- Service Accounts (for example, non-user accounts used by a specific IT service) must not be used for any user-based access and must be removed or disabled when no longer required.
Confidential Requirements
As Standard, plus:
- User IDs must not be reused (re-issued to a new user).
- User IDs must follow a predefined naming standard to facilitate effective identity management.
- For access to Confidential IT Assets, Systems or Resources, Auto-lock or Auto-logout must be enabled so that it triggers automatically after a certain period of inactivity, for example 5 minutes.
- The system administrator privilege account must be separate from the personal account used for non-administrative activities.
- Account ownership must be identified, indicating who uses which account on which assets/systems and for what purpose.
- Access logging must be enabled, maintained and audited, recording the success/failure of each logon and its timestamp against the User ID.
- Where possible, a banner must be configured to display a warning message about the restrictions on IT Assets/Systems usage before users reach the login page.
Restricted Requirements
As Confidential, plus:
- All Companys’ users must sign a Non-Disclosure Agreement covering the appropriate use of their access rights to the IT Assets/Systems where Restricted data and information is stored and processed.
- The log file of the IT assets/systems must record, and the system must display, the last login date and time; this helps to investigate unauthorized access, or attempts to gain unauthorized access, to the IT assets/systems.
- The log files on Restricted assets/systems must be configured to prevent unauthorized access, modification or deletion.
- For IT Assets/Systems where payment transactions are processed, Two-Factor Authentication must be enabled for critical access rights.
USER ACCESS MANAGEMENT
Standard Requirements
- A formal user provisioning process/procedure must be in place for granting and revoking users’ access permissions on IT Assets and Systems in a timely manner.
- This process/procedure must identify all of the information listed below:
  o User’s name (full name),
  o User’s ID (user’s system name),
  o Roles and responsibilities,
  o Type of user (for example, end-user, administrator or contractor, etc.),
  o The date of provision and of granting/revoking the access permissions,
  o Details of access permissions on the IT Assets and Systems.
- Details of this process/procedure must include the following:
  o Authorization method for accessing the specific asset/system (for example, User ID and Password, Two-factor authentication, etc.),
  o Justification for the access request,
  o The routing path and detailed steps for revoking a user’s access permissions when he/she has changed job function or left the company.
- A history of all access requests, assignments and revocations must be maintained and kept up to date.
Confidential Requirements
As Standard, plus:
- For access to a Confidential asset/system, the provisioning process/procedure above must include the following additional information:
  o Independent checking and validation steps, at least by the asset/system owner, to verify that the access request is appropriate for the company purpose,
  o Additional checking for segregation of duties conflicts; if a conflict occurs, other mitigating controls must be implemented (for example, monthly checking that the conflicting access right is still in use),
  o Revoking the access right permissions of users who have changed job function or left the company should be done within 1 working hour,
  o In an emergency, the process of granting/revoking a user’s access rights must be completed immediately.
- For third-party access, upon the contract end date, the access right permissions must be revoked and the account must be disabled or its logon password changed.
Restricted Requirements
Reference: “Need-to-Know” and “Need-to-Have” principle.
As Confidential, plus:
- Revoking the access right permissions on a Restricted asset/system of a user who has changed job function or left the company must be done immediately, and the associated account/password must be disabled/changed.
- Where an employee who has access permissions on a Restricted asset/system has their contract terminated, the termination must be officially announced to the relevant parties.
- Where applicable, the hardware key token for Two-factor authentication on a Restricted asset/system must be revoked immediately upon the date of contract termination; this applies to both internal and external users.
PASSWORD MANAGEMENT
Standard Requirements
- All User IDs must be forced to authenticate through the authentication system, for example Active Directory, or at least by user name and password on the local computer.
- Default and publicly known accounts must be disabled or renamed, or at least a complex password must be set.
- A password for a Standard asset/system must meet the following controls:
  o At least 6 alphanumeric characters, combining alphabetic and numeric characters,
  o Exclude entity name, user name or birthday,
  o Must be changed at least every 90 days,
  o Must not be the same as any of the previous 6 passwords used.
Confidential Requirements
As Standard, plus:
- The mechanism to reject simple passwords must be enabled.
- The password for an administrative privilege account on an external-facing asset/system, such as a web site, is classified as Confidential.
- A password for a Confidential asset/system must meet the following controls:
  o At least 8 alphanumeric characters, combining alphabetic and numeric characters,
  o Exclude entity name, user name or birthday,
  o Must be changed at least every 60 days,
  o Must not include predefined, easily guessed phrases such as 1111, 1234, Abcd, Qwerty, etc.,
  o Must not be the same as any of the previous 10 passwords used,
  o The user account must be automatically locked out after 5 attempts with an invalid password.
Restricted Requirements
Reference: “Need-to-Know” and “Need-to-Have” principle.
As Confidential, plus:
- Two-factor authentication must be enabled and applied on Restricted systems, such as a payment system or online banking transaction system.
- Passwords for administrative privilege accounts must be stored in a safe location or mechanism, and must not be shared or written on paper.
- A password for a Restricted asset/system must meet the following controls:
  o At least 12 alphanumeric characters, combining alphabetic (both upper and lower case), numeric and special characters,
  o Exclude entity name, user name or birthday,
  o Must be changed at least every 45 days,
  o Must not include predefined, easily guessed phrases such as 1111, 1234, Abcd, Qwerty, etc.,
  o Must not be the same as any of the previous 12 passwords used,
  o The user account must be automatically locked out after 5 attempts with an invalid password.
- The password for an administrative privilege account on a Restricted asset/system must be changed immediately when the owner has left the company or changed their role/job function.
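The three password tiers above (length and character-class rules, forbidden content, the easily guessed phrases, password history, maximum age and the 5-attempt lockout) can be expressed as one checker. The Python below is an added example and is not part of this policy or any Companys tooling; the tier table is transcribed from the requirements, while the history hashing (plain SHA-256, chosen only to keep the example readable) and the sample values are constructed.

```python
"""Password-policy checker for the Standard / Confidential / Restricted tiers.

Added example: not part of the policy document or any Companys tooling.
"""
import hashlib
import re
from datetime import date

# Tier parameters transcribed from the Password Management requirements.
TIERS = {
    "standard": {"min_len": 6, "max_age_days": 90, "history": 6, "lockout": None,
                 "reject_easy": False, "mixed_special": False},
    "confidential": {"min_len": 8, "max_age_days": 60, "history": 10, "lockout": 5,
                     "reject_easy": True, "mixed_special": False},
    "restricted": {"min_len": 12, "max_age_days": 45, "history": 12, "lockout": 5,
                   "reject_easy": True, "mixed_special": True},
}

# Easily guessed phrases named in the policy; matched case-insensitively.
EASY_PHRASES = ("1111", "1234", "abcd", "qwerty")


def history_digest(password: str) -> str:
    """Digest used to keep the password history without storing clear text.

    Assumption for this example: unsalted SHA-256 so the history check is easy to
    follow; a production credential store would use a salted, slow hash instead.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(tier, password, username, entity_name, birthday, history):
    """Return the list of violated controls; an empty list means the password is acceptable.

    history: digests (see history_digest) of previously used passwords, oldest first.
    """
    t = TIERS[tier]
    violations = []
    if len(password) < t["min_len"]:
        violations.append(f"length < {t['min_len']}")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        violations.append("must combine letters and digits")
    if t["mixed_special"]:
        if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
            violations.append("must contain upper and lower case letters")
        if not re.search(r"[^A-Za-z0-9]", password):
            violations.append("must contain a special character")
    lowered = password.lower()
    for label, forbidden in (("entity name", entity_name), ("user name", username),
                             ("birthday", birthday)):
        if forbidden and forbidden.lower() in lowered:
            violations.append(f"contains {label}")
    if t["reject_easy"] and any(p in lowered for p in EASY_PHRASES):
        violations.append("contains easily guessed phrase")
    # Only the most recent N digests count, where N is the tier's history depth.
    if history_digest(password) in history[-t["history"]:]:
        violations.append(f"reused within last {t['history']} passwords")
    return violations


def password_expired(tier, last_changed_iso, today_iso):
    """True when the password is older than the tier's maximum age (90/60/45 days)."""
    age = (date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)).days
    return age > TIERS[tier]["max_age_days"]


class LockoutTracker:
    """Counts consecutive invalid-password attempts per user; locks at the tier threshold."""

    def __init__(self, tier):
        self.threshold = TIERS[tier]["lockout"]  # None: the tier mandates no lockout
        self.failures = {}
        self.locked = set()

    def record_failure(self, user):
        """Register one failed logon; returns True once the account is locked."""
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.threshold is not None and self.failures[user] >= self.threshold:
            self.locked.add(user)
        return user in self.locked

    def record_success(self, user):
        """A successful logon resets the counter; a locked account stays locked."""
        if user not in self.locked:
            self.failures.pop(user, None)

    def is_locked(self, user):
        return user in self.locked


if __name__ == "__main__":
    # Constructed sample values: a Restricted-tier password built from the user name.
    print(check_password("restricted", "Jdoe1234!abcdEF", "jdoe", "Companys", "19900101", []))
```

Each tier's controls are kept in a single table so the difference between levels is visible at a glance; the history check deliberately looks only at the last N digests, so a Standard system with a 6-password history does not reject a password that was last used 10 changes ago.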
USER SEGREGATION OF DUTIES (SoD)
Standard Requirements
- The authorization framework must be configured to prevent an individual from holding “multiple roles” in a critical transaction, for example one user account that can “Create”, “Approve” and “Release” a payment transaction.
- A Matrix of User Segregation of Duties must be maintained to manage and balance security requirements against compatibility requirements.
- Compensating controls must be implemented for those conflicts that cannot be prevented.
Confidential Requirements
As Standard, plus:
- The Matrix of User Segregation of Duties must be reviewed regularly, at least quarterly, to ensure that the matrix is up to date, the conflicting duties are mitigated and appropriate compensating controls are applied.
Restricted Requirements
Reference: “Need-to-Know” and “Need-to-Have” principle.
- As Confidential.
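The SoD matrix can be checked mechanically, both at provisioning time (the "additional checking for segregation of duties conflicts" in the User Access Management requirements) and during the quarterly matrix review above. The Python below is an added example, not part of this policy or any Companys tooling; the conflict matrix, the sample assignments and the compensating-control register are constructed, using the policy's own Create / Approve / Release payment example plus one purchasing pair in the style of the appendix matrix.

```python
"""Segregation-of-duties conflict check over role assignments.

Added example: not part of the policy document or any Companys tooling.
"""
from itertools import combinations

# Constructed conflict matrix: each entry is an unordered pair of functions that one
# person must not hold together (the "X" cells of a segregation-of-duties matrix).
INCOMPATIBLE = {
    frozenset({"Create Payment", "Approve Payment"}),
    frozenset({"Create Payment", "Release Payment"}),
    frozenset({"Approve Payment", "Release Payment"}),
    frozenset({"Vendor Master Maintenance", "Invoice Entry"}),
}

# Constructed sample: current function assignments per user.
SAMPLE_ASSIGNMENTS = {
    "alice": {"Create Payment", "Approve Payment"},
    "bob": {"Release Payment", "Invoice Entry"},
    "carol": {"Vendor Master Maintenance", "Invoice Entry"},
}

# Constructed sample: documented compensating controls, keyed by (user, sorted pair).
SAMPLE_CONTROLS = {
    ("alice", ("Approve Payment", "Create Payment")): "monthly review of alice's payment approvals",
}


def find_conflicts(assignments, matrix=INCOMPATIBLE):
    """assignments: {user: set of functions}. Returns {user: sorted list of conflicting pairs}."""
    report = {}
    for user, functions in assignments.items():
        pairs = [tuple(sorted(p)) for p in combinations(sorted(functions), 2)
                 if frozenset(p) in matrix]
        if pairs:
            report[user] = sorted(pairs)
    return report


def would_conflict(current_functions, requested_function, matrix=INCOMPATIBLE):
    """Provisioning-time check: the user's current functions that clash with the request."""
    return sorted(f for f in current_functions
                  if frozenset({f, requested_function}) in matrix)


def unmitigated_conflicts(assignments, compensating_controls, matrix=INCOMPATIBLE):
    """Conflicts with no documented compensating control; these need action at review."""
    return [(user, pair)
            for user, pairs in find_conflicts(assignments, matrix).items()
            for pair in pairs
            if (user, pair) not in compensating_controls]


if __name__ == "__main__":
    for user, pair in unmitigated_conflicts(SAMPLE_ASSIGNMENTS, SAMPLE_CONTROLS):
        print(f"{user}: {pair[0]} / {pair[1]} has no compensating control")
```

Conflict pairs are stored as frozensets so the matrix is symmetric by construction; a real review would load the pairs from the maintained matrix rather than from a literal.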
REMOTE ACCESS
Standard Requirements
- Remote access to Companys’ System and Network is only provided to authorized users.
- When permitted, remote users must use a secured and encrypted connection such as SSL VPN.
- Where applicable, remote users must not use a public network, such as public Wi-Fi at a café, to connect to Companys’ System and Network.
- Remote access sessions must be logged to a log file that records the following information:
  o Source IP Address,
  o Destination IP Address,
  o Type of remote access (for example, SSL VPN, VPN Site-to-Site, etc.),
  o Timestamp of access,
  o Duration of access.
Confidential Requirements
As Standard, plus:
- Two-factor authentication must be enabled for remote access (for example, password with certificate or token).
- The password settings for remote access must comply with the Confidential Requirements of the “Password Management” area in this LACP.
- Remote access from mobile computing devices such as smart phones, tablets or PDAs must not be used.
- For remote access to a Confidential asset/system, remote users must not use a public computer, such as a public computer at an airport or café.
- Only one concurrent remote session per user is accepted.
Restricted Requirements
Reference: “Need-to-Know” and “Need-to-Have” principle.
As Confidential, plus:
- Remote access to a Restricted asset/system, such as a Payment system, is only permitted with explicit approval from the Management Team.
- A Registration record must be created and maintained for remote access to Restricted assets/systems, with the following information:
  o User full name,
  o User ID on the asset/system,
  o Asset/system name or ID,
  o Type of remote access (for example, SSL VPN, Remote application, etc.),
  o Device to be used to perform the remote access,
  o Duration of access.
- When no longer needed, remote access to the Restricted asset/system must be disabled/deactivated and the associated password must be changed.
REVIEW OF USERS’ ACCESS RIGHT PERMISSIONS
Standard Requirements
- A formal process for reviewing user access right permissions must be in place and carried out at regular intervals (at least annually), to check and validate the following:
  o All active User IDs on Company IT Assets/Systems are still required (for example, by comparing them with the employee list from HR),
  o All associated access right permissions and privileges are still required,
  o Any conflict between users’ roles/responsibilities and their access right permissions.
- The review process must be documented and maintained.
- Inactive User IDs and their associated permissions/privileges will be removed (for example, a user account not used for 60 days).
Confidential Requirements
As Standard, plus:
- Review of user access right permissions on Confidential assets/systems must be executed more frequently, for example twice a year.
- Inactive User IDs and their associated permissions/privileges on Confidential assets/systems must be removed within 30 days, or at least the associated password must be changed.
Restricted Requirements
Reference: “Need-to-Know” and “Need-to-Have” principle.
As Confidential, plus:
- Review of user access right permissions on Restricted assets/systems must be executed more frequently, for example quarterly.
- Special or administrative privilege accounts must be reviewed and marked as Restricted assets.
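The access review above boils down to three comparisons per account: is the User ID still on the HR list, has it been idle longer than the classification allows (60 days Standard, 30 days Confidential and, inheriting from Confidential, Restricted), and is it a privileged account that must be reviewed as a Restricted asset. The Python below is an added example, not part of this policy or any Companys tooling; the account export, HR list, service-account register and review date are constructed sample data, and the revocation deadlines per level are taken from the User Access Management requirements.

```python
"""User access review: orphaned, stale and privileged accounts per classification.

Added example: not part of the policy document or any Companys tooling.
"""
from datetime import date

# Inactivity thresholds from the review requirements; Restricted inherits Confidential.
INACTIVITY_LIMIT_DAYS = {"standard": 60, "confidential": 30, "restricted": 30}

# Revocation deadlines for leavers per level, from the User Access Management area.
REVOKE_DEADLINE = {
    "standard": "revoke",
    "confidential": "revoke within 1 working hour",
    "restricted": "revoke immediately",
}

# Constructed sample account export (one row per account on a system).
ACCOUNTS = [
    {"user_id": "jdoe", "system": "fileshare", "classification": "standard",
     "last_logon": "2021-11-20", "privileged": False},
    {"user_id": "asmith", "system": "fileshare", "classification": "standard",
     "last_logon": "2021-08-01", "privileged": False},
    {"user_id": "svc_backup", "system": "erp", "classification": "confidential",
     "last_logon": "2021-10-01", "privileged": True},
    {"user_id": "bwong", "system": "erp", "classification": "confidential",
     "last_logon": "2021-11-23", "privileged": False},
    {"user_id": "ctran", "system": "payments", "classification": "restricted",
     "last_logon": "2021-11-23", "privileged": False},
]
# Constructed HR list of currently employed people (the comparison the policy calls for).
HR_ACTIVE = {"jdoe", "asmith", "bwong"}
# Service accounts are recorded in their own register, so they are not expected in HR data.
SERVICE_ACCOUNTS = {"svc_backup"}


def review_accounts(accounts, hr_active, today_iso, service_accounts=frozenset()):
    """Return review findings as (user_id, system, action) tuples."""
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        cls = acct["classification"]
        uid = acct["user_id"]
        limit = INACTIVITY_LIMIT_DAYS[cls]
        idle_days = (today - date.fromisoformat(acct["last_logon"])).days
        # 1. Active User ID no longer backed by an employee record.
        if uid not in hr_active and uid not in service_accounts:
            findings.append((uid, acct["system"],
                             f"not in HR active list: {REVOKE_DEADLINE[cls]}"))
        # 2. Inactive beyond the classification's limit.
        if idle_days > limit:
            findings.append((uid, acct["system"],
                             f"inactive {idle_days} days (> {limit}): remove or change password"))
        # 3. Privileged accounts are reviewed as Restricted assets regardless of system level.
        if acct["privileged"]:
            findings.append((uid, acct["system"],
                             "privileged account: review and mark as Restricted"))
    return findings


if __name__ == "__main__":
    for uid, system, action in review_accounts(ACCOUNTS, HR_ACTIVE, "2021-11-24", SERVICE_ACCOUNTS):
        print(f"{uid}@{system}: {action}")
```

Passing the service-account register separately matters: without it, every non-user account would be reported as an orphan and the real orphans would be lost in the noise.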
APPENDIX 1: ADDITIONAL IT POLICIES SET
Policy Name / Description
IT Policy: Sets the requirements for all IT activities within Companys entities, by all Companys’ employees.
Access Control: Sets the requirements for creating and maintaining user access to IT Assets and Systems.
Logging and Monitoring: Sets the requirements for what activities must be logged and monitored on which IT Assets, Systems and Network.
Vulnerability Management: Sets the requirements for performing security vulnerability scanning and patching on Applications, Operating Systems and other critical devices.
Data Leakage Prevention: Sets the requirements for data transfer over flash storage, electronic mail messages and file transfer services in respect of sensitive data movements.
Third Party Outsourcing: Sets the requirements for engagement and continuous monitoring of third parties who provide IT Services which impact critical business data and information.
Malware Protection: Sets the requirements for protection against malware, computer viruses and malicious code on the Company network and devices.
Network Security: Sets the requirements for intrusion detection/prevention and monitoring on the Company network. Also defines how the firewall and secure network infrastructure are maintained and managed.
Application Security: Sets the requirements for how Company applications are secured.
Website Control: Sets the requirements for securing the creation and monitoring of the Company web presence.
APPENDIX 2: ASSETS/SYSTEMS CLASSIFICATION EXAMPLE
Level / Classification Label / Examples / Typical Risks
Level 1, Standard
- Examples: Generic information.
Level 2, Confidential
- Examples: Financial Statements (pre-release); Product Details, Product Structure; Price List, Contracts; Board of Directors papers; Mergers and Acquisitions documents; Audit documents; IT documents, IT Systems Configuration; Production System.
- Typical Risks: Business disruption (loss of delivery capability; loss of payment processing or revenue collection); Reputational damage; Loss of commercial advantage; Customer dissatisfaction.
Level 3, Restricted
- Examples: Payment Card Processing documents; HR, Salary and Pension Records; Customer Records which contain individual identifiers such as name, home address, date of birth, etc.
- Typical Risks: Fines and Public Censure; Reputational damage.
APPENDIX 3: GLOSSARY OF TERMS
Term / Description
Administrative privilege account: An “Administrator”, “Admin” or “Super User” account with the highest privileges on an IT asset or system. An administrative privilege account is usually assigned to the IT System Administrator.
Segregation of Duties: The division of a business function/task into separate steps, which are then allocated to separate individuals or business units. The purpose of Segregation of Duties is to ensure that business processes are checked and balanced between security requirements and compatibility requirements.
Third party user: A person who works for an organization that is not part of Companys but has a commercial relationship with Companys as a business partner, service provider, vendor or client, in a role that requires access to part of Companys’ IT assets or systems.
APPENDIX 3: SEGREGATION OF DUTIES EXAMPLE
# / Role Description: the 22 functions below form both the rows and the columns of the matrix (their 1 to 22 numbering did not survive extraction):
Purchase Order Entry, Invoice Entry, Service Master, Inventory, Blank Check Custody, Check Preparation, Sign Checks, Cash Application, Cash Receipt Custody, Bank Reconciliation, Customer Master Maintenance, Pricing Maintenance, Order Processing, Sales Invoicing, Sales Invoice Release, Sales Adjustment, Human Resources, Approval of Personnel Actions, Payroll Preparation, General Ledger, Vendor Master Maintenance, Requisition Authorization.
[22 × 22 matrix: the X marks indicating incompatible function pairs did not survive extraction and are not reproduced here.]
The Xs in the Matrix above represent the incompatible function(s) (the segregation of duties conflicts). This Matrix is intended to outline an example of functions which are normally incompatible. However, the identification of the matrix, or the determination of whether appropriate segregation of duties exists, is dependent upon local context, risk and judgment. The information contained in this example is intended to provide a guide and may not apply to all situations.
APPENDIX 4: IMPACT AND LIKELIHOOD ANALYSIS MATRIX