ISPolicy 030
C-40, Sector 59
Noida 201 307
(U.P.), India
http://www.rsystems.com/

Version No.: 1.0, released on 22/05/06
Version No.: 4.4, released on 31/07/22
Review History

DOCUMENT CONTROL SHEET
Document History

| Ver. No | Release Date | DCR Ref. | Description of Change | Authored/Revised By | Reviewed By | Approved By |
|---|---|---|---|---|---|---|
| 1.0 | 9/6/2006 | DCR/002 | Final release | QA Group | ISMS Forum | CISO |
| 2.0 | 1/6/2009 | DCR/ISMS/057 | ISMS Periodic Review | QAG | ISMS Forum | CISO |
| 2.1 | 4/3/2011 | DCR/ISMS/082 | Periodic Review | QAG-ISMS | Prabhas Dash | CISO |
| 2.2 | 9/8/2012 | DCR/ISMS/105 | Periodic Review | QAG-ISMS | ISMS Forum | CISO |
| 2.3 | 9/5/2013 | DCR/ISMS/107 | Updates in Section 4.2.1 as per PCI DSS requirements | QAG-ISMS | ISMS Forum | CISO |
| 2.5 | 1/1/2014 | DCR/ISMS/112 | RSI Logo Updated | ISMS Team | Manager QAG | CISO |
| 3.0 | 7/8/2014 | DCR/ISMS/117 | Section 4.2.1 User Registration updated | ISMS Team | Manager QAG | CISO |
| 4.0 | 15/06/15 | DCR/ISMS/122 | Document revised and updated as per ISO 27001:2013 | ISMS Team | Manager QAG | CISO |
| 4.1 | 22/06/16 | DCR/ISMS/132 | Annual Review: Section 4.2 updated | ISMS Team | Sanjay Chouhan, AVP IT Infrastructure | CISO |
| 4.2 | 18/07/17 | DCR/ISMS/136 | Annual Review: Section 4.1.2, 4.1.2, 4.4.1 updated on physical access to critical areas | ISMS Team | Sanjay Chouhan, AVP IT Infrastructure | CISO |
| 4.3 | 31/07/20 | DCR/ISMS/145 | Annual Review: Added Sec 4.4.6 to include process pertaining to privileged user access management at DB level | ISMS Team | Sanjay Chouhan, Head IT Infrastructure | CISO |
| 4.4 | 31/07/22 | DCR/ISMS/151 | Annual Review: Sec 4.3.2 updated | ISMS Team | Sanjay Chouhan, Head IT Infra | CISO |
Notes:
Only controlled hardcopies of the document shall have signatures on them.
This is an internal document. Unauthorized access or copying is prohibited.
Uncontrolled when printed unless signed by approving authority.
Table of Contents

1. Overview ........ 6
2. Objective ........ 6
3. Scope ........ 6
4. Policy ........ 6
  4.1 Business Requirement for Access Control ........ 6
    4.1.1 Access Control Policy ........ 6
    4.1.2 Access to Networks and Network Services ........ 6
  4.2 User Access Management ........ 7
    4.2.1 User Registration and De-Registration ........ 7
    4.2.2 User Identification and Authentication ........ 7
    4.2.3 User Access Provisioning ........ 7
    4.2.4 Management of Privileged Access Rights ........ 7
    4.2.5 Management of Secret Authentication Information of Users ........ 7
    4.2.6 Review of User Access Rights ........ 7
    4.2.7 Removal or Adjustment of Access Rights ........ 8
  4.3 User Responsibility ........ 8
    4.3.1 Use of Secret Authentication Information ........ 8
    4.3.2 Clear Desk and Clear Screen Policy ........ 8
  4.4 System, Application and Database Access Control ........ 9
    4.4.1 Information Access Restriction ........ 9
    4.4.2 Secure Log-on Procedures ........ 9
    4.4.3 Password Management System ........ 9
    4.4.4 Use of Privileged Utility Programs ........ 10
    4.4.5 Access Control to Program Source Code ........ 10
    4.4.6 Access Control to Database ........ 10
© R Systems International Ltd | Internal | ISPolicy030
1. Overview
2. Objective
3. Scope
The scope of this policy includes all employees, customers and third party personnel at RSI.
4. Policy
External devices (CD drive, USB ports, floppy drive etc.) shall be disabled on individual desktops used by employees unless explicitly permitted.
All inactive user accounts shall be disabled by the IT Systems Team after no more than 90 days of inactivity.
to users with the respective PAM/HOD every quarter. PAM/HOD shall validate the privilege required by an individual, based on which additional privileges shall be revoked.

Printouts must be cleared from printers immediately by the employee printing the document.

Any uncollected printouts at RSI should be collected by the Administration/Physical Security Department and shredded at the end of the day.
Physical access to the development floor, information processing floor, doors and premises main gate entry shall be controlled by HID proximity ID cards. These cards shall be issued on the basis of business needs.

Physical access to critical areas such as the data center is controlled using biometric access.
The logon procedure shall not identify the system or application until the logon process has been successfully completed.

The system shall validate the logon information only on completion of all input data.

After a rejected logon attempt, the logon procedure shall terminate.

Unsuccessful logon attempts shall be logged, monitored, and investigated for critical systems.

The user session shall time out when the user has been inactive for a pre-defined period of time (15 minutes), to prevent unauthorized use of active sessions.

Terminal lock shall be configured for all terminals connected to critical systems. The time-out shall clear and lock the terminal screen.

Wherever required, information assets shall have defined time slots for access and connectivity.
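The four log-on rules above (no system identification before success, validation only after all input is supplied, termination after a rejected attempt, logging of failures) translate directly into the shape of a log-on handler. The following is an added example, not code from ISPolicy 030 or from R Systems; the user store, the passwords, the `SYSTEM_BANNER` value, the hashing parameters and the in-memory `FAILED_ATTEMPTS` log are all constructed for illustration.

```python
"""Log-on handler written to the secure log-on rules in ISPolicy 030 section 4.4.2.

Added example, not code from ISPolicy 030 or R Systems. The user store,
passwords, SYSTEM_BANNER and the FAILED_ATTEMPTS log are constructed.
"""
import hashlib
import hmac
import os
from datetime import datetime
from typing import Dict, List, Optional, Tuple

SYSTEM_BANNER = "RSI-EXAMPLE-APP"     # hypothetical name, revealed only after success
GENERIC_FAILURE = "Log-on failed."    # identical for unknown user and wrong password


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; iteration count is an illustrative choice."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(password: str) -> Dict[str, bytes]:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


# Constructed user store with constructed passwords.
USERS: Dict[str, Dict[str, bytes]] = {
    "alice": make_user("correct horse battery"),
    "bob": make_user("hunter2-but-longer"),
}
# Unknown user IDs are hashed against this throw-away record so that an
# unknown user costs the same work as a known one (no timing hint).
_DUMMY = make_user(os.urandom(8).hex())

FAILED_ATTEMPTS: List[Dict[str, object]] = []   # stand-in for the monitored audit log


def logon(user_id: str, password: str, now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Return (success, message).

    Validation starts only once both fields are present, the reply never says
    which field was wrong, a rejected attempt is logged and ends the procedure,
    and the system identifies itself only after success.
    """
    if not user_id or not password:
        return False, GENERIC_FAILURE            # incomplete input: nothing is validated yet
    record = USERS.get(user_id, _DUMMY)
    digest_ok = hmac.compare_digest(_hash(password, record["salt"]), record["hash"])
    if not (digest_ok and user_id in USERS):
        FAILED_ATTEMPTS.append({"time": now or datetime.now(), "user_id": user_id})
        return False, GENERIC_FAILURE            # procedure terminates; caller starts over
    return True, f"Welcome to {SYSTEM_BANNER}"   # banner only after full success
```

An incomplete submission is rejected before any validation and is not counted as an attempt; a complete but wrong submission is logged with the claimed user ID so that the entries can be monitored and investigated as the policy requires.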
- Enforce the use of individual user IDs and passwords to maintain accountability;
- Allow users to select and change their own passwords and include a confirmation procedure to allow for input errors;
- Enforce password changes;
- Force users to change temporary passwords at the first log-on; and
- Not display passwords on the screen when being entered.

All users should change their passwords after every 42 days.
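The 90-day inactivity rule stated earlier in this section, the 15-minute session time-out and the password rules just listed are all threshold checks that an IT Systems Team can run over its account records. The audit below is an added example, not the policy's or R Systems' own tooling; the `Account` record layout, the sample accounts and the reference time `NOW` are constructed, and only the 90-day, 42-day and 15-minute values come from the policy text.

```python
"""Account-hygiene audit against the thresholds in ISPolicy 030.

Added example (not part of ISPolicy 030 or R Systems' own tooling). The
Account layout, sample accounts and NOW are constructed; only the 90-day,
42-day and 15-minute values come from the policy text.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

INACTIVITY_DISABLE_DAYS = 90                  # inactive users disabled within 90 days
PASSWORD_MAX_AGE_DAYS = 42                    # passwords changed after every 42 days
SESSION_IDLE_TIMEOUT = timedelta(minutes=15)  # idle sessions time out after 15 minutes


@dataclass
class Account:
    user_id: str                              # individual ID, never shared
    enabled: bool
    last_logon: Optional[datetime]            # None: never logged on
    password_set_at: datetime
    password_is_temporary: bool               # issued by IT at creation or reset
    last_activity: Optional[datetime] = None  # last input in the current session, if any


def inactivity_findings(acct: Account, now: datetime) -> List[str]:
    """Enabled accounts idle for longer than 90 days must be disabled."""
    reference = acct.last_logon or acct.password_set_at  # never-used accounts age from creation
    idle_days = (now - reference).days
    if acct.enabled and idle_days > INACTIVITY_DISABLE_DAYS:
        return [f"{acct.user_id}: inactive {idle_days} days, must be disabled"]
    return []


def password_findings(acct: Account, now: datetime) -> List[str]:
    """Temporary passwords must go at first log-on; others expire after 42 days."""
    findings = []
    if acct.password_is_temporary and acct.last_logon is not None:
        findings.append(f"{acct.user_id}: temporary password still in use after first log-on")
    age = (now - acct.password_set_at).days
    if not acct.password_is_temporary and age > PASSWORD_MAX_AGE_DAYS:
        findings.append(f"{acct.user_id}: password is {age} days old, change required")
    return findings


def session_must_lock(acct: Account, now: datetime) -> bool:
    """True once an active session has been idle for the full time-out period."""
    return acct.last_activity is not None and now - acct.last_activity >= SESSION_IDLE_TIMEOUT


def audit(accounts: List[Account], now: datetime) -> Dict[str, List[str]]:
    """Map each non-compliant enabled account to the actions it needs."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue                          # already disabled: nothing to do
        items = inactivity_findings(acct, now) + password_findings(acct, now)
        if session_must_lock(acct, now):
            items.append(f"{acct.user_id}: idle session must be locked")
        if items:
            report[acct.user_id] = items
    return report


# Constructed sample data: hypothetical users and a fixed reference time.
NOW = datetime(2022, 8, 1, 9, 0)
SAMPLE_ACCOUNTS = [
    Account("alice", True, NOW - timedelta(days=1), NOW - timedelta(days=10), False,
            last_activity=NOW - timedelta(minutes=2)),                       # compliant
    Account("bob", True, NOW - timedelta(days=120), NOW - timedelta(days=200), False),
    Account("carol", True, NOW - timedelta(days=3), NOW - timedelta(days=5), True),
    Account("dave", True, NOW - timedelta(days=1), NOW - timedelta(days=30), False,
            last_activity=NOW - timedelta(minutes=20)),
    Account("erin", False, NOW - timedelta(days=400), NOW - timedelta(days=400), False),
]


def run_sample() -> Dict[str, List[str]]:
    return audit(SAMPLE_ACCOUNTS, NOW)


if __name__ == "__main__":
    for user, actions in run_sample().items():
        print(user, "->", "; ".join(actions))
```

Disabled accounts are skipped entirely, and an account that has never logged on is aged from the date its password was set, so a provisioned-but-unused account is still caught by the 90-day rule.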