R Systems International Ltd.

C-40, Sector 59
Noida 201 307
(U.P.), India
http://www.rsystems.com/

Access Control Policy

Document Id.: ISPolicy030
Version No.: 4.4 (first version: 1.0)
Released on: 31/07/22 (first release: 22/05/06)

Review History

S No. | Review Date | Reviewed By | Remarks
1 | 9/6/2006 | ISMS Forum | Doc Changed and DCR raised
2 | 1/6/2009 | ISMS Forum | Doc Changed and DCR raised
3 | 4/3/2011 | Prabhas Dash | Doc Changed and DCR raised
4 | 1/6/2012 | ISMS Forum | Doc Changed and DCR raised
5 | 9/8/2012 | ISMS Forum | Doc Changed and DCR raised
6 | 9/5/2013 | ISMS Forum | Doc Changed and DCR raised
7 | 26/07/13 | ISMS Forum | Doc Changed and DCR raised
8 | 1/1/2014 | Manager QAG | Doc Changed and DCR raised
9 | 7/8/2014 | Manager QAG | Doc Changed and DCR raised
10 | 15/06/15 | Manager QAG | Doc Changed and DCR raised
11 | 22/06/16 | AVP IT Infrastructure | Doc Changed and DCR raised
12 | 18/07/17 | AVP IT Infrastructure | Doc Changed and DCR raised
13 | 18/07/17 | AVP IT Infrastructure | No Change
14 | 18/07/17 | AVP IT Infrastructure | No Change
15 | 31/07/20 | Sanjay Chouhan - Head IT Infrastructure | Doc Changed and DCR raised
16 | 20/07/21 | Head IT Infrastructure | No Change
17 | 19/07/22 | Head IT Infrastructure | Doc Changed and DCR raised

DOCUMENT CONTROL SHEET

Document History

Ver. No | Release Date | DCR Ref. | Description of Change | Authored/Revised By | Reviewed By | Approved By
1.0 | 9/6/2006 | DCR/002 | Final release | QA Group | ISMS Forum | CISO
2.0 | 1/6/2009 | DCR/ISMS/057 | ISMS Periodic Review | QAG | ISMS Forum | CISO
2.1 | 4/3/2011 | DCR/ISMS/082 | Periodic Review | QAG-ISMS | Prabhas Dash | CISO
2.1 | 1/6/2012 | NA | ISMS Periodic Review | QAG | ISMS Forum | CISO
2.2 | 9/8/2012 | DCR/ISMS/105 | Periodic Review | QAG-ISMS | ISMS Forum | CISO
2.3 | 9/5/2013 | DCR/ISMS/107 | Updates in Section 4.2.1 as per PCI DSS requirements | QAG-ISMS | ISMS Forum | CISO
2.4 | 26/07/13 | DCR/ISMS/108 | Section 4.2.1 related to "inactive users" updated | QAG-ISMS | ISMS Forum | CISO
2.5 | 1/1/2014 | DCR/ISMS/112 | RSI Logo updated | ISMS Team | Manager QAG | CISO
3.0 | 7/8/2014 | DCR/ISMS/117 | Section 4.2.1 User Registration updated | ISMS Team | Manager QAG | CISO
4.0 | 15/06/15 | DCR/ISMS/122 | Document revised and updated as per ISO 27001:2013 | ISMS Team | Manager QAG | CISO
4.1 | 22/06/16 | DCR/ISMS/132 | Annual Review: Section 4.2 updated | ISMS Team | Sanjay Chouhan - AVP IT Infrastructure | CISO
4.2 | 18/07/17 | DCR/ISMS/136 | Annual Review: Sections 4.1.2, 4.1.2, 4.4.1 updated on physical access to critical areas | ISMS Team | Sanjay Chouhan - AVP IT Infrastructure | CISO
4.3 | 31/07/20 | DCR/ISMS/145 | Annual Review: Added Sec 4.4.6 to include process pertaining to privileged user access management at DB level | ISMS Team | Sanjay Chouhan - Head IT Infrastructure | CISO
4.4 | 31/07/22 | DCR/ISMS/151 | Annual Review: Sec 4.3.2 updated | ISMS Team | Sanjay Chouhan - Head IT Infra | CISO

Notes:
- Only controlled hardcopies of the document shall have signatures on them.
- This is an internal document. Unauthorized access or copying is prohibited.
- Uncontrolled when printed unless signed by approving authority.

© R Systems International Limited 2022

Table of Contents

1. Overview ..... 6
2. Objective ..... 6
3. Scope ..... 6
4. Policy ..... 6
4.1 Business Requirement for Access Control ..... 6
4.1.1 Access Control Policy ..... 6
4.1.2 Access to Networks and Network Services ..... 6
4.2 User Access Management ..... 7
4.2.1 User Registration and De-Registration ..... 7
4.2.2 User Identification and Authentication ..... 7
4.2.3 User Access Provisioning ..... 7
4.2.4 Management of Privileged Access Rights ..... 7
4.2.5 Management of Secret Authentication Information of Users ..... 7
4.2.6 Review of User Access Rights ..... 7
4.2.7 Removal or Adjustment of Access Rights ..... 8
4.3 User Responsibility ..... 8
4.3.1 Use of Secret Authentication Information ..... 8
4.3.2 Clear Desk and Clear Screen Policy ..... 8
4.4 System, Application and Database Access Control ..... 9
4.4.1 Information Access Restriction ..... 9
4.4.2 Secure Log-on Procedures ..... 9
4.4.3 Password Management System ..... 9
4.4.4 Use of Privileged Utility Programs ..... 10
4.4.5 Access Control to Program Source Code ..... 10
4.4.6 Access Control to Database ..... 10

©R Systems International Ltd Internal ISPolicy030

Access Control Policy

1. Overview

This document outlines management's intent to provide access to information,
information processing facilities and business processes on a need-to-know and
need-to-do basis. It identifies the organization's policies, procedures and practices
for maintaining a robust access control environment that delivers the required
information security at RSI.

2. Objective

- To control access to information according to business requirements;
- To prevent unauthorized access to information systems, including IT systems.

3. Scope

The scope of this policy includes all employees, customers and third party personnel at
RSI.

4. Policy

4.1 Business Requirement for Access Control

4.1.1 Access Control Policy


Access to information assets shall be controlled, reviewed and monitored based on
business and security requirements. Logical access controls shall be deployed on
the principle of 'deny all unless explicitly permitted' to protect information from
unauthorized access. Customers, third party vendors and service providers shall be
given appropriate access to RSI's information assets on the basis of a contractual
agreement or business need.
Information access controls shall be implemented to meet relevant legislative,
contractual and statutory requirements.

External devices (CD drive, USB ports, Floppy drive etc.) shall be disabled from
individual desktops used by employees unless explicitly permitted.

4.1.2 Access to Networks and Network Services


Users shall only be provided with access to the network and network services that
they have been specifically authorized to use.
An authorization matrix shall be maintained to ensure that users are given access only
to the network services for which they have been specifically authorized.
Business applications shall be accessible on the network only through approved
network services and segments.
Physical access to critical IT infrastructure components (network and server) is
controlled via biometric access control.

Version No: 4.4 Page 6 of 10 Release Date: 31/07/22

4.2 User Access Management

4.2.1 User Registration and De-Registration


There shall be a formal user registration and de-registration procedure, integral to
the HR joining and exit processes, for granting and revoking end users' access to
business application systems, information systems and data.
Users shall be registered only after an authorized approval has been received from HR.
A unique user ID shall be assigned to each user so that individual users are
accountable for their activities.
Generic accounts on the domain and on critical application operating systems and
databases are not permitted by default; explicit approval from the HOD / PM, together
with a business justification, is required.

Accounts that have been inactive for 90 days shall be disabled by the IT Systems
Team.

4.2.2 User identification and authentication


All users shall have unique user IDs. Nomenclature used for user IDs shall be such
that it does not give any indication of the user’s privilege level. Default system IDs
providing indication of the privileges shall be renamed appropriately. Access to all
the systems on the company’s network shall require authentication.

4.2.3 User Access Provisioning


Allocation of access privileges shall be restricted and controlled through a formal
authorization process for all user types on all systems and services. Privileges shall
be assigned to personnel on a 'need-to-know' and 'need-to-do' basis (the minimum
required for the functional role). Access provisioning beyond the initial user
registration is granted by the IT team after approval from the Project / Process Head.
An authorization record of all privileges shall be maintained. Privileges shall be
revoked when no longer required.

4.2.4 Management of Privileged Access Rights


The allocation and use of privileged access rights shall be restricted and controlled
on the basis of business requirement.

4.2.5 Management of Secret Authentication Information of Users


An initial temporary password shall be provided to users, and they shall be forced to
change it at first logon. In application systems where a forced password change is not
possible, the user shall be instructed to change the password manually.
A password standard shall be defined for the operating systems, databases, applications
and network equipment deployed in IT and technical functions.
On legacy or other systems where it is technically not feasible to implement a robust
password policy, manual controls shall be implemented; these shall be reviewed and
approved by the CISO / HOD IT Infrastructure. (Refer to Password Policy ISPolicy042.)

4.2.6 Review of User Access Rights


Access rights of users shall be reviewed on any change in employment or
responsibilities, or on internal transfer. The Networking team shall review the
privileges granted to users with the respective PAM / HOD every quarter. The PAM / HOD
shall validate the privileges required by each individual, and any additional privileges
shall be revoked on that basis.

4.2.7 Removal or Adjustment of Access Rights


The access rights of all employees and external party users to information and
information processing facilities shall be removed upon termination of their employment,
contract or agreement.

4.3 User Responsibility

4.3.1 Use of Secret Authentication Information


Users shall be required to follow good security practices in the selection and use of
passwords, which shall include but not be limited to:

- Keeping passwords confidential;
- Changing passwords whenever there is any indication of possible system or password
compromise;
- Selecting quality passwords; and
- Changing temporary passwords at the first log-on.
- For more details, refer to the password guidelines (section 5) in the End User
Guidelines.
- For PCI DSS compliant processes and projects, the last 6 passwords are not allowed to
be reused, with a minimum password age of one day.
- Any account is locked out after 6 failed attempts; automatic unlock happens one hour
after the lockout.

4.3.2 Clear Desk and Clear Screen Policy


Users shall be required to follow the Clear Desk and Clear Screen Policy, which shall
include but not be limited to:
- Users must log off their systems when their computers are unattended at the
workspace.
- Every system should have a password-protected screen saver and automatic account
logout enabled.
- RSI's confidential information must be removed from the desk and stored in suitable
secured cabinets when the workstation is unattended and at the end of the workday.
- White boards and flipcharts in meeting rooms shall be cleared after the discussions.
- Keys used to access confidential information must not be left in an unattended
environment.
- Laptops must be either locked with a locking cable or locked away in a drawer or
cabinet when the work area is unattended or at the end of the workday.
- All active application sessions must be logged off and terminated upon completion
of the work.
- Passwords must not be posted on or under a computer or in any other accessible
location.
- Documents containing RSI information must be removed from printers immediately.
- Printouts must be cleared from printers immediately by the employee printing the
document.
- Any uncollected printouts at RSI should be collected by the Administration / Physical
Security Department and shredded at the end of the day.

4.4 System, Application and Database Access Control

4.4.1 Information Access Restriction


Access to any information, information processing facility or server room that
contains confidential client information/data, code and builds shall be restricted and
controlled through physical and logical access controls. Access to application
systems shall be restricted to users who require it to fulfil their business
operations and shall be in line with the access control policy.
The owner of the information resources and business application shall review the
access rights based on the criticality of the information, and at least once every six
months.

Physical access to the development floor, information processing floor, doors and the
premises' main gate entry shall be controlled by HID proximity ID cards. These cards
shall be issued on the basis of business need.

Physical access to critical areas such as the data center is controlled using
biometric access.

4.4.2 Secure log-on procedures


Access to systems and applications shall be controlled by a secure logon procedure
that discloses the minimum amount of information about the system.
A logon banner shall appear on all information systems before login, stating that the
information system may only be accessed by authorized users and that unauthorized
access is prohibited, monitored and liable to punitive action.

The logon procedure shall not identify the system or application until the logon
process has been successfully completed.
The system shall validate the logon information only once all input data has been
entered.
After a rejected logon attempt, the logon procedure shall terminate.
Unsuccessful logon attempts on critical systems shall be logged, monitored and
investigated.

The user session shall time out when the user has been inactive for a pre-defined
period (15 minutes), to prevent unauthorized use of active sessions.
Terminal lock shall be configured for all terminals connected to critical systems.
The time-out shall clear and lock the terminal screen.
Wherever required, information assets shall have defined time slots for access and
connectivity.

4.4.3 Password management system


Systems for managing passwords shall be interactive and shall ensure quality
passwords. The password management system shall:

- Enforce the use of individual user IDs and passwords to maintain accountability;
- Allow users to select and change their own passwords, and include a confirmation
procedure to allow for input errors;
- Enforce password changes;
- Force users to change temporary passwords at the first log-on; and
- Not display passwords on the screen when they are being entered.
- All users should change their passwords every 42 days.
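The numeric controls this policy states across sections 4.2.1 (90-day inactivity disable), 4.3.1 (6-password history, 1-day minimum age, lockout after 6 attempts with 1-hour auto-unlock), 4.4.2 (15-minute session time-out) and 4.4.3 (42-day password age) are easy to misconfigure individually; the following Python audit is an added illustration, not part of the policy document or any RSI system, that evaluates account records against all of them at once. The record layout, field names and the sample accounts are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Control parameters exactly as the policy states them
# (sections 4.2.1, 4.3.1, 4.4.2 and 4.4.3).
INACTIVITY_DISABLE_DAYS = 90
PASSWORD_MAX_AGE_DAYS = 42
PASSWORD_MIN_AGE_DAYS = 1
PASSWORD_HISTORY_DEPTH = 6
LOCKOUT_THRESHOLD = 6
LOCKOUT_DURATION = timedelta(hours=1)
SESSION_TIMEOUT = timedelta(minutes=15)

def is_locked_out(failed_attempts, last_failure, now):
    """Locked after 6 failed attempts; unlocks automatically one hour later."""
    if failed_attempts < LOCKOUT_THRESHOLD or last_failure is None:
        return False
    return now - last_failure < LOCKOUT_DURATION

def password_change_allowed(candidate_digest, history_digests, password_set, now):
    """Reject reuse of the last 6 passwords and changes before the 1-day minimum age.
    Digests are whatever the password store produces; only equality is checked here."""
    if candidate_digest in history_digests[-PASSWORD_HISTORY_DEPTH:]:
        return False, "reuse of one of the last 6 passwords"
    if now - password_set < timedelta(days=PASSWORD_MIN_AGE_DAYS):
        return False, "minimum password age of one day not reached"
    return True, "ok"

def audit_account(acct, now):
    """Return the policy findings for one account record (assumed field layout)."""
    findings = []
    if acct["enabled"] and now - acct["last_logon"] > timedelta(days=INACTIVITY_DISABLE_DAYS):
        findings.append("inactive for more than 90 days but still enabled (4.2.1)")
    if now - acct["password_set"] > timedelta(days=PASSWORD_MAX_AGE_DAYS):
        findings.append("password older than 42 days (4.4.3)")
    if acct["session_open"] and now - acct["last_activity"] > SESSION_TIMEOUT:
        findings.append("idle session exceeds the 15-minute time-out (4.4.2)")
    if is_locked_out(acct["failed_attempts"], acct["last_failure"], now):
        findings.append("locked out after 6 failed attempts, unlock pending (4.3.1)")
    return findings

# Constructed sample records for illustration, not real RSI data.
NOW = datetime(2022, 8, 1, 10, 0)
SAMPLE_ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_logon": NOW - timedelta(days=3),
     "password_set": NOW - timedelta(days=10), "session_open": True,
     "last_activity": NOW - timedelta(minutes=5), "failed_attempts": 0, "last_failure": None},
    {"user": "bob", "enabled": True, "last_logon": NOW - timedelta(days=120),
     "password_set": NOW - timedelta(days=60), "session_open": True,
     "last_activity": NOW - timedelta(minutes=30), "failed_attempts": 6,
     "last_failure": NOW - timedelta(minutes=20)},
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct["user"], audit_account(acct, NOW) or ["compliant"])
```

Running it reports "alice" as compliant and lists four findings for "bob"; the lockout check also shows the automatic unlock, since a sixth failure more than an hour old no longer locks the account.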

4.4.4 Use of Privileged Utility Programs


Access to operating system commands and system utilities shall be restricted to
authorized personnel for system support, administration and management functions.
The use of these privileged utility programs shall be strictly controlled, and access
shall only be given for business purposes.

Redundant system utilities and software, including compiler programs, shall be
removed.
The latest service packs and patches shall be applied, after change management and
adequate testing, to prevent exploitation of known vulnerabilities in system
utilities.

4.4.5 Access Control to Program Source Code


Access to program source code shall be restricted. The following shall be considered to
control access to program source libraries in order to reduce the potential for corruption
of computer programs:
- Where possible, program source libraries shall not be held in operational systems;
- The program source code and the program source libraries shall be managed
according to established procedures
(refer to: Configuration Management Procedure Qproc015);
- Support personnel shall not have unrestricted access to program source libraries;
- The updating of program source libraries and associated items, and the issuing of
program sources to programmers, shall only be performed after appropriate
authorization has been received;
- An audit log shall be maintained of all access to program source libraries.

4.4.6 Access Control to Database


Access to databases shall be restricted. Administrative access rights to databases are
restricted to the IT Database team. Administrative access to a database is provided only
upon approval from the Head of the IT Infrastructure Team.