LONDON BOROUGH OF BARNET
INFORMATION SYSTEMS ACCESS POLICY
Document Number:
Author: XXXXXX
Owner: London Borough of Barnet Information Manager
Client: London Borough of Barnet
Release Type: Issued V2.0
Release Date: 22nd July 2014
Document History
ISSUE DATE PURPOSE AUTHOR
0.1 18/03/2014 Draft Created XXXXXX
0.2 28/05/2014 Revised XXXXXX
0.3 04/06/2014 Further editing XXXXXX
0.4 05/06/2014 Minor editorial changes XXXXXX
0.5 12/06/2014 Revised XXXXXX
0.5.1 13/06/2014 Minor revisions XXXXXX
0.6 16/06/2014 Revised XXXXXX
0.7 17/06/2014 Further editing XXXXXX
0.8 20/06/2014 Final Draft XXXXXX
1.0 20/06/2014 Issued; final changes accepted and put forward for sign-off to CIMB XXXXXX
2.0 22/07/2014 Barnet Logo added to pages XXXXXX
Associated Documents
This document is associated with the following other documents:
TITLE LOCATION DATE
Information Security Policy
Acceptable Use Policy
Data Protection Policy
Password Policy
Security Incident Management Policy
Shared network drive owners
Approval Groups
Wisdom (EDRM) Service Records Managers
Table of Contents
1 Purpose of the Document
2 Governance
2.1 Overview
3 User Network Accounts
3.1 Overview
3.2 New Users/Changes: Barnet Council & The Barnet Group
3.3 New Users/Changes CAPITA
3.4 Third Party Access
3.5 Leavers
3.6 Checks
4 E-Mail systems
4.1 Overview
4.2 Controls
5 Shared Drives
5.1 Access Controls
5.2 Controls Check
6 Access to Line of Business Systems
7 Social Care and Education Systems
7.1 Swift Overview
7.2 Swift Control Process
7.3 Granting of appropriate access rights
7.4 Resetting passwords
7.5 Revocation of access rights
7.6 Audit/Check
7.7 ICS Overview
7.8 ICS Control Process
7.9 Granting of appropriate access rights
7.10 Password resets
7.11 Revocation of access rights
7.12 ICS Audit/Check
7.13 Tribal Overview
7.14 Tribal Control Process
7.15 Granting of appropriate access rights
7.16 Password Resets
7.17 Revocation of access rights
7.18 Tribal Control Check
8 Business Objects (BOXI)
8.1 Business Objects Overview
8.2 Business Objects Control Process
8.3 Business Objects Control Check
9 Finance & Procurement Systems
9.1 Finance & Procurement System Overview
9.2 Finance & Procurement Systems Control Process
9.3 Finance & Procurement System Controls Check
10 HR Systems
10.1 HR System overview
10.2 HR System Control Process
10.3 HR system controls check
11 Barnet Data Warehouse
11.1 Data Warehouse systems Overview
11.2 Data Warehouse Control Process
11.3 Data Warehouse Audit/Check
12 CRM System (Lagan)
12.1 CRM System Overview
12.2 CRM Systems Control Process
12.3 CRM System Controls Check
13 WISDOM (EDRMS)
13.1 EDRMS Overview
13.2 EDRMS Controls
13.3 EDRMS Password Resets
13.4 EDRMS Controls Check
14 Highways and Planning systems
14.1 Exor Overview
14.2 Exor Controls
14.3 Exor Password Resets
14.4 Exor Controls Check
14.5 Acolaid Overview
14.6 Acolaid Controls
14.7 Acolaid password Reset
14.8 Acolaid Controls Check
15 Remote Access Provision
15.1 Overview
15.2 Controls Process
15.3 Controls Check
16 Operating system access
16.1 Overview
16.2 Controls Process
16.3 Controls Check
17 Policy Exception Process
18 Security Breaches
19 Auditing Schedule
Document Reference
File: 2014_06_IT_ACCESS_CONTROL_POLICY_V01.0[1]
Doc Reference: Document Type: Project Initiation Documentolicy
1 Purpose of the Document
The purpose of this policy is to define how user access to networks and systems is administered in the London Borough of Barnet (LBB), and to provide specific processes where access is managed by CAPITA CSG. It covers how user rights are granted, appropriately managed and revoked.
Access rights should be granted based on least privilege necessary to perform the job role, to assist in preserving data security. Access controls are critical to the protection of information entrusted to CAPITA by the LBB. Through restricting access to information on a need to know basis, these measures will enable CAPITA to provide assurance to LBB that only authorised users have access to required information whether at a physical, electronic, application, network or operating system level. This document outlines the minimum requirements for access control within the CAPITA/LBB account.
2 Governance
2.1 Overview
The approval group for this policy is the Security Forum, which is chaired by the Senior Information Risk Owner (SIRO) for LBB. The Security Forum is a working group of the Customer and Information Management Board, which is chaired by the council’s Chief Operating Officer (COO).
The ICT Team maintain the following lists, which the Security Forum review and approve quarterly:
Application register
Shared drive control matrix
Approval Groups (including delivery units and partners)
Wisdom (EDRM) records managers
IT control audit results (in line with this policy) are presented to the Security Forum as required.
3 User Network Accounts
3.1 Overview
Network access is managed with Active Directory (AD) which determines access rights and what actions users are able to perform on the network. Processes that result in changes to AD are detailed below.
3.2 New Users/Changes: Barnet Council & The Barnet Group
On joining LBB a user will be set up with network access on confirmation of employment by the HR department. The process is initiated by the HR department who will inform the IS service desk daily of any new user account required and provide the required detail.
Requests from HR will be treated as an authorised request to enable the account to be created which will be logged and recorded via a service request.
Some access to systems and data will be pre-approved as part of the New Starter process. These “Standard Changes” include provision of a user e-mail account, user Home drive, access to fixed telephony, and the default shared drives where agreed. The process will include the creation of a service desk account for the user. On setting up the account a one-time password will be used and the user will be forced to change this at first log on in accordance with the password policy.
This process applies for all users, including permanent staff, contractors, agency staff and interims.
Changes to employment resulting in movement between teams or delivery units will be notified to HR by the relevant line manager who will in turn notify the IS service desk. Service desk will generate service requests to control any resulting changes required.
All mover requests must be treated in the same way as a leaver or new user registration. Access to all systems must be removed and only those drives and systems appropriate to the new role added to the user profile.
In the case of long term sickness or maternity leave, network access will be suspended on notification by HR and reinstated on return to work.
3.3 New Users/Changes CAPITA
For CAPITA Employees where detail is not available from the Barnet HR service, individual requests for new users must be from authorised managers shown in the CAPITA Approvals Group detailing all the facilities required. A form authorised by the appropriate member of the Approval Group will be sent to the IS Service Desk to progress a request for a new starter.
It is the responsibility of the employing manager to inform the ICT Service promptly of any changes to access/system requirements.
In the case of long term sickness or maternity leave, network access will be suspended on notification by the appropriate Re / CAPITA manager and reinstated on return to work.
3.4 Third Party Access
Network accounts required by 3rd parties for application support must be requested by system owners by a service request. Such accounts will only have the privileges required to support the application and will have no additional facilities such as e-mail, user home drives etc., unless authorised by exception.
3.5 Leavers
On leaving LBB a user's network access account must be closed. This will remove the right to access all facilities and information on the Barnet network. For Barnet Council and The Barnet Group staff, the leaving notification is initiated by HR, who will provide the IS service desk with the details of the leaver. This request will be logged and recorded via a service request, and the account will be disabled at the appropriate date. The AD account will be set to automatically expire at the end of the last day of employment.
This applies whether the user is a permanent employee or a contractor on a temporary or part time contract with LBB.
For CAPITA Employees who are accessing the LBB network in delivery of the contract services, the authorising manager shall give notice to the ICT service to disable the AD account.
In an emergency a manager may request an immediate suspension of a user account, which will remove the right to access all facilities and information on the LBB network.
User home drives will be retained for 6 months from departure date and then deleted unless otherwise instructed.
3.6 Controls Checks
Checks will be run weekly by CSG ICT and any user account that has not been accessed for 60 days will be investigated and if appropriate disabled.
A list of users who have access to AD will be reviewed by the LBB Approval Group to validate that processes are maintaining an appropriate set of users in Active Directory.
4 E-Mail systems
4.1 Overview
Standard E-mail accounts are provided as part of the new starter process. In addition to the standard E-mail system, LBB also has access to GCSx mail systems used for conducting secure communication with the police, NHS and government departments.
GCSx accounts can be provided through a service request. Users of GCSx mail will be required to accept an additional set of terms and conditions as part of the setup process.
To send secure communications to external partners who do not have access to GCSx mail, the Message Labs “Encrypt and Send” service must be used. Message Labs secure mail can be provided through a service request.
4.2 Controls
On leaving LBB a user network account will be closed, which includes access to E-mail. This applies whether the user is a permanent employee or a contractor on a temporary or part time contract with the London Borough of Barnet.
E-mail accounts will be retained for 6 months from departure date and then deleted unless otherwise instructed.
5 Shared Drives
5.1 Access Controls
Standard access to the established delivery unit network shared drives is allocated as part of the new starter process. Additional access for other shared drives will be requested by a service request. The request requires authorisation by the Approval Group associated with that network drive.
For CAPITA Employees shared drives access is requested by individual requests approved by the Approval Group for the specific drive requested.
The Shared Drive Control Matrix identifies shared drives, the business owners and the Approval Group required to grant access where requested. It also identifies what organisational information triggers the drive to be allocated as a standard change and part of the starter process.
5.2 Controls Check
A list of Shared drives and the associated owners (Approval group) will be held by CSG ICT and reviewed quarterly at the Security Forum.
A 6 monthly review of user access to a network share will take place by the owner of that share to ensure that user access is still appropriate for business need. CSG ICT will trigger this review, and the results of the review will be presented to the Security Forum and appropriate changes to access carried out.
6 Access to Line of Business Systems
Line of Business systems are specialist systems used for business purposes within the organisation. A prerequisite of access to any business system is that an active LBB network (AD) account exists for the user. Line Managers, Data Owners, Approval Groups and IT must satisfy themselves as far as possible that user access privileges and access requests are appropriately allocated and do not compromise any defined ‘Segregation of Duty’ requirements. Any apparent conflicting requests for access must be challenged.
The following basic checks must be undertaken to ensure that conflicting requests are identified and rejected:
Permission Enforced Controls – Specialist Application Support Teams must use the contents of the Service request and any reports available from within the system itself to confirm to the best of their ability that the individual is not being granted conflicting permissions (e.g. being granted access to approve invoices as well as having access to raise them).
Segregation of Duty Across Application – Specialist Application Support Teams must attempt to confirm that the individual is not being granted conflicting access across multiple systems if any such cross-application Segregation of Duty rules have been specified. This may involve liaising with the administrators and/or the Business Operational Managers of other systems.
IT Systems Development – Specialist Application Support Teams must attempt to confirm that the individual is not a developer being granted access to production environments, or an operational user being given access to development environments.
For access to any systems not specifically mentioned in this document please refer to the CAPITA ICT department for advice.
7 Social Care and Education Systems
7.1 Swift Overview
The Swift social care systems used by the London Borough of Barnet are used in the Adults and Family Services Delivery Units. The systems are however totally separate and are individually managed. The systems contain sensitive personal information and data must be protected accordingly.
7.2 Swift Control Process
Access to SWIFT is via a service request approved by the relevant Approval Group. Both Adults and Family Services follow the same process but have separate approval groups. Staff are removed from SWIFT via instruction from the respective Approval Group.
7.3 Granting of appropriate access rights
The level of access to be granted to a user is defined by the role allocation. This is requested by the Approval Group member in the service request.
Changes to allocated roles are requested by the Approval Group member via a service request call. In certain cases access to client records needs to be further restricted. In such cases an Approval Group member in the appropriate service will complete a “restricted client” form forwarded to the relevant ICT support team for action.
7.4 Resetting passwords
Password resets in Swift systems are processed via a service request. A temporary password to enable access is communicated via email to the user's Barnet e-mail account and is changed at initial system login.
7.5 Revocation of access rights
Requests to revoke access rights in an emergency can be initiated by Approval Group members by logging a service request. On leaving, users' network accounts are disabled. Closure of the network account will suspend Swift access.
7.6 Audit/Check
An audit of users and access rights is conducted quarterly by the relevant Approval Groups, based on the structure information circulated by the business and user rights are amended accordingly by the CAPITA Swift support team. Evidence of the quarterly review of users is held by the relevant Approval Group.
7.7 ICS Overview
The ICS system in LBB is used in the Family Services Delivery Unit. The system contains sensitive personal information and data must be protected accordingly.
Service requests for ICS access are authorised by the Family Service Approval Group.
7.8 ICS Control Process
Users accessing ICS are first required to be set up in Children’s Swift. Once the user is added, integration will transfer the user to the ICS system, where the user profiles (Roles) indicated by the business in the helpdesk call can be added.
7.9 Granting of appropriate access rights
ICS user access rights are advised by the Children’s Service Approval Group in the Service desk call requesting the user setup. The initial password is allocated by the CAPITA support team and the user is advised by Barnet e-mail. The password is changed by the user at initial log on to the system. Any subsequent changes are controlled by further service requests. In certain cases access to records needs to be further restricted. In such cases a member of the Family Service ICS Approval Group will log a call with a completed ‘restricted access request’ which would be forwarded to the CAPITA support teams for action. Records of these requests are maintained by the delivery unit themselves outside of the helpdesk system to maintain confidentiality.
7.10 Password resets
Password resets in ICS systems are processed via a service request. A temporary password to enable access is communicated via email to the user's Barnet e-mail account and is changed at initial system login.
7.11 Revocation of access rights
Access rights can be revoked in an emergency by logging a service request call. On leaving, users' network accounts are disabled. Closure of the network account will suspend access and the 3 month audit process in the Swift system is used to correct any errors.
7.12 ICS Audit/Check
An audit of users and access rights is conducted every 3 months by the Family Services Delivery Unit.
7.13 Tribal Overview
The Tribal systems in LBB are used in the Family Services Delivery Unit for managing early years and educational data. The system contains sensitive personal information and data must be protected accordingly.
Service requests for Tribal access are authorised by the Family Service Approval Group.
7.14 Tribal Control Process
Users requesting access to Tribal systems contact the Family Service Approval Group, who will log a service request for action. The required access software will then be loaded on the user’s computer and the user added to the AD group to enable access by CSG ICT. The service desk call is closed after this is done, and the responsibility for further actions passed back to the Family Service Approval Group.
7.15 Granting of appropriate access rights
The Tribal user profiles (roles) are allocated and administered by the Family Service Approval Group. The allocated roles give access to transactions within the system.
7.16 Password Resets
Passwords are synchronised with the standard Barnet network (AD) passwords, so individual password maintenance within the Tribal application is not required.
7.17 Revocation of access rights
On leaving, users' accounts are disabled by the Family Service Approval Group. Closure of the LBB network account will automatically suspend access to Tribal.
7.18 Tribal Control Check
An audit of users and access rights is conducted every 6 months by the Family Services Delivery Unit.
8 Business Objects (BOXI)
8.1 Business Objects Overview
Business Objects reporting software is run in conjunction with the Swift and ICS Care systems to produce a range of reports for business use. Reports are developed internally by Barnet staff. Roles giving access to reports are allocated by the Adults and Children’s approval groups.
8.2 Business Objects Control Process
Access to Business Objects is granted via a service request. The access to the solution is administered via a service request from an Approval Group, which is passed to the CSG IS support team for action. They will pick up the call and process it appropriately. The call must request the required role to be allocated.
On setup the Approval Group will be mailed confirmation that the user has been set up as required. The requesting Approval Group will be sent a one-time password for the user, which the user will be required to change at the user training given before Business Objects access is granted.
Revocation of a user's access is requested via a service request. Closure of the Barnet network account will automatically suspend access to the Data Warehouse.
8.3 Business Objects Control Check
Access rights can be revoked in an emergency by logging a service request. On leaving, users' accounts are disabled and the 3 month audit process in the Swift system is used to correct any errors.
9 Finance & Procurement Systems
9.1 Finance & Procurement System Overview
Finance and Procurement systems are used to control and report on finance and manage procurement activities in LBB. The general financial system in use within the authority is Integra; the Income system is Axis and access is provided to authorised users. Roles giving access to transactions are maintained by Finance.
9.2 Finance & Procurement Systems Control Process
All access to the finance systems within LBB is controlled by the Finance Approval Group, who set up users and allocate business roles within the systems. LBB users requesting access to financial systems must log a service call requesting access, which will be forwarded to the Approval Group for authorisation and action.
The Finance Approval Group will action the request and feed back to the service desk so the call can be appropriately completed.
9.3 Finance & Procurement System Controls Check
Managers are provided with a report to check the appropriate staff are set up against their cost centre. It is the responsibility of each Cost Centre Manager to ensure that the correct staff have access to their cost centre and report any errors to the Finance Approval Group via a service request for correction.
On leaving, users' network accounts are disabled. Closure of the network account will suspend access to financial systems.
10 HR Systems
10.1 HR System overview
The CAPITA core HR system is used for the administration of Barnet personnel and payroll.
It is administered from the CAPITA location in Belfast and access for LBB employees is granted via an employee portal. The HR system is accessed to check personnel details, book leave and access payslips etc. It is also used by managers to notify new starters / movers / leavers and to approve tasks via the integrated workflow.
10.2 HR System Control Process
A Barnet manager uses the secure portal to request New Users / Movers and Leavers activities in the HR department. HR will check the manager’s authority against the Barnet organisation charts and if the authorisation is correct will action requests in the HR system. When requests are actioned, information is issued to ICT via the service desk to enable the New Users / Movers and Leavers process.
Employee access to the portal is granted when a user is set up in the HR system as a Barnet employee. On user setup a one-time password will be allocated which is changed at first use. If a user subsequently requires a password reset for the HR portal, this is achieved by phoning the CAPITA HR Helpdesk in Belfast on (9) 0330 606 444. They will then be taken through the security process to enable a new password to be issued.
10.3 HR system controls check
On leaving, users’ network accounts are disabled. Closure of the network account will suspend access to the HR portal.
11 Barnet Data Warehouse
11.1 Data Warehouse systems Overview
The Data Warehouse is a system used by the CAPITA Insight team to support its analytical work for the Council. It is used predominantly by the Insight team located at LBB. The system accepts feeds from a number of source systems within the Council (e.g. Integra, Lagan and Electoral Roll) to generate the “single view of the customer”, a consolidated view of Customers and Addresses within the borough. It is also used to provide a number of standard analytical views for use by Insight. The solution includes a Cognos reporting solution that is used by Insight to deliver project-specific reports and analytics to members.
11.2 Data Warehouse Control Process
Access is limited to members of the CAPITA CSG Insight Team, who form the Approval Group. Access to the solution is administered via a service request, which will need to be passed to the ETL / Cognos support team. They will pick up the call and process it appropriately.
When the call is completed the service desk team will be mailed confirmation that the user has been set up. Requests to remove access should be made via a service request. Closure of the LBB network account will automatically suspend access to the Data Warehouse.
These activities are controlled by local CAPITA procedures.
11.3 Data Warehouse Audit/Check
An audit log is in place alongside the access procedure which will be kept by the CAPITA Data Warehouse support team and will be available when required.
12 CRM System (Lagan)
12.1 CRM System Overview
Lagan is the primary Customer Relationship Management (CRM) system used by LBB to deliver services to residents. It is used both in LBB and in the CAPITA Local Government Services Call Centre in Coventry where all user administration is undertaken.
12.2 CRM Systems Control Process
Access to Lagan is administered via a service request, which will be addressed by the CAPITA Channel Development Team (Approval Group) in Coventry, who will pick up the request and process it appropriately. On setup, the log-in details required to access the system will be e-mailed to the user’s business e-mail account. Requests to revoke user access should be made via a service request. Closure of the LBB network account will automatically suspend access to the Lagan CRM system.
These activities are controlled by CAPITA local Coventry procedures.
12.3 CRM System Controls Check
An audit log is in place alongside the new user/revocation procedure, which will be kept in the Coventry location and will be available when required.
13 WISDOM (EDRMS)
13.1 EDRMS Overview
The Wisdom system is the Electronic Document & Records Management System (EDRMS) used by the council for storage of documents relating to Adults social care, Children’s Services, HR, Customer Services, Accounts receivable, and the Barnet Programme office. The Barnet / CAPITA joint venture RE (Environmental Health) also accesses the application, and Barnet Homes store housing needs documentation.
13.2 EDRMS Controls
The access to records in the EDRMS is controlled by file plans which are administered by the ICT team. Changes to high level file plans are by service requests. The file plans for each service area are separate and user access is granted to a particular file plan at a predetermined level by the designated business service records managers.
When access needs to be restricted down to a specific folder level, additional security is available. This is done by Capita CSG ICT creating a new team with access to the restricted folder via a ‘Service Now’ call, with the team membership allocated by the Service Records Manager.
A table of the authorised Service Record Managers will be held by CSG ICT and reviewed quarterly at the Security Forum. Business service records managers are responsible for ensuring the access granted is appropriate.
13.3 EDRMS Password Resets
Passwords are synchronised with the standard Barnet network (AD) passwords, so individual password maintenance within the EDRMS application is not required.
13.4 EDRMS Controls Check
On leaving, users’ network accounts are disabled. Closure of the network account will suspend access to the Wisdom EDRMS system. Additionally, the local Service Records Manager will perform an audit at least every 6 months to confirm user access to records is still valid and maintain records of the audit locally for inspection.
14 Highways and Planning systems
Highways and Planning activities are the responsibility of Re, a joint venture company between LBB / CAPITA set up to manage these activities.
14.1 Exor Overview
The Exor system is used by RE to manage the Barnet road network and highway assets, and to provide management for skip licences and other associated statutory activities.
14.2 Exor Controls
All access to the Exor systems within LBB is controlled by the Re Approval Group, who set up users and allocate business roles within the systems. LBB users requesting access to highways systems must log a service call requesting access, which will be forwarded to the Re Approval Group for authorisation and action.
The Re Approval Group will action the request and feed back to the service desk so the call can be appropriately completed.
14.3 Exor Password Resets
Password resets for Barnet users in Exor systems are processed via a service request, which will be forwarded to the Re Approval Group for action. The Re Approval Group will action the request and feed back to the service desk so the call can be appropriately completed.
14.4 Exor Controls Check
On leaving, users’ network accounts are disabled. Closure of the network account will suspend access to Exor systems.
14.5 Acolaid Overview
Acolaid is an integrated planning, building control and licensing system used by Re on behalf of LBB to administer these activities.
14.6 Acolaid Controls
All access to the Acolaid systems within LBB is controlled by the Re Approval Group, who set up users and allocate business roles within the systems. LBB users requesting access to Acolaid systems must log a service call requesting access, which will be forwarded to the Re Approval Group for authorisation. Following authorisation, the required access software will be loaded on the user’s computer by CSG ICT. After this is done, the responsibility is passed back to the Re teams to allocate user roles.
The Re Approval Group will action the request and feed back to the service desk so the call can be appropriately completed.
14.7 Acolaid Password Reset
Password resets for Barnet users in Acolaid systems are processed via a service request, which will be forwarded to the Re Approval Group for action. The Re Approval Group will action the request and feed back to the service desk so the call can be appropriately completed.
14.8 Acolaid Controls Check
On leaving, users’ network accounts are disabled. Closure of the network account will suspend access to Acolaid systems.
15 Remote Access Provision
15.1 Overview
Remote access to the LBB network is only allowed from LBB Corporate and Partner corporately owned and managed machines. When working remotely, LBB and partner organisations must use two-factor authentication (2FA) to facilitate the connection. LBB use RSA tokens for this purpose.
External third parties given access to support applications are required to confirm in writing to the CSG Security Manager that the machines used for access are corporately owned and have current patching and anti-virus in place. The access given when properly authenticated users connect to Barnet systems is the same as that given when working from an office location.
User accounts required for support contractors are only normally made available for the support session so access periods can be controlled. In many cases the 2FA RSA tokens are not given to the support contractor but are held within Capita CSG to further control the ability to access. In these cases the support contractor must dial the CSG ICT infrastructure team to gain access to the token codes required to be able to access the network. This policy can be varied by exception. If there is an agreed need to access systems for support purposes outside normal working hours
Any directly connecting organization (e.g. a directly connected VPN) must be subject to a CAPITA Network Security Assessment (NSA) carried out by Capita security staff, and the users validated against an Active Directory (AD) entry. Contracts covering the access and purpose of the access must be in place before VPN access is granted.
Remote access must be via corporately managed devices. In normal circumstances users should not attempt access from personally owned computers or other personally owned devices which are not specifically authorised. Any such attempt is a breach of the remote access policy.
15.2 Controls Process
Users request the issue of an RSA Token via the service desk with a service request.
15.3 Controls Check
Closure of the LBB network user account will automatically suspend all access to the LBB network. 3rd Party support contractor access must be terminated when the support for an application is no longer required. Users holding RSA tokens can be tracked on the RSA administration console which is integrated with AD. The RSA Token must be returned to CAPITA CSG when no longer required.
16 Operating system access
16.1 Overview
Elevated administrator privileges to line of business systems and computer networks must be restricted to ICT support teams in order to preserve network security, integrity and availability.
16.2 Controls Process
Only ICT Department Managers and agreed delegated authorisers can approve requests for elevated access to servers and networks, such as account or Domain administrator. Usage must be recorded, logged and monitored.
ICT Line Managers must monitor the users with elevated access and remove access when a user moves roles, leaves, or access is no longer required to perform his job function.
Use of administrator/privileged user IDs must be restricted to minimum numbers required to administer the estate. CAPITA CSG IT must review all default, vendor or service accounts included in any new software, or used for software development and must delete these before the system is commissioned into production.
Where such accounts are essential to the operation of a system, the passwords for those accounts must be changed from the default values and managed by the Infrastructure Manager.
Where the vendor accounts are required for support and maintenance, these accounts must be kept disabled and enabled only when required, unless a risk assessment has been completed and approved.
16.3 Controls Check
IT Line Managers must monitor elevated access to servers and networks and remove access when a user moves roles, leaves, or access is no longer required to perform his / her job function. This will be further checked during the annual IT Healthcheck to ensure that minimum numbers of elevated users exist. Closure of the network account will suspend access to LBB networks.
17 Policy Exception Process
Any exception to this policy will be managed according to the agreed LBB security risk management exception process and monitored by the Security Forum. The log of exceptions will be maintained by the ICT Information Security Manager.
18 Security Breaches
Any suspected security breaches, or loss of equipment must be reported immediately to the Service Desk and logged with a service request. If it is suspected that LBB information has been compromised the incident must be reported immediately to LBB’s Information Management Team. Reported security breaches will be investigated in line with the Security Incident Management Policy.
19 Auditing Schedule
This document will be subject to a continuous review process but will be formally reviewed at least every 12 months following issue.
Ref | Process | Frequency | Evidence
2.1 | Application register | Quarterly | Security Forum Minutes
2.1 | Shared drive control matrix | Quarterly | Security Forum Minutes
2.1 | Approval Groups (including delivery units and partners) | Quarterly | Security Forum Minutes
2.1 | Wisdom (EDRM) records managers | 6 Monthly | Local Service Records Manager audit
2.1 | IT control results | As Required | Security Forum Minutes
Document Reference
Document Signatories
Author(s) Name / Role | Signature(s) | Date
XXXXXX, CAPITA IS Security Manager | | 20 June 2014
Approver(s) Name / Role | Signature(s) | Date
Document Reference
Document Title: Information systems access policy
Document Type: IT Policy
Confidentiality Level:
Document Reference:
Issue Date: 19/03/2014
Issue Number: 0.3
Document Production Software: Microsoft Word 2010
Pages: 20 Total