User account administration policy and procedures for FTCclaims, which users and our partners must follow so that our data can be processed securely.
Effective security controls over access to data are an essential component of the effective risk management of FTCclaims's data resources. Access controls protect information by managing access at all entry and exit points, both logical and physical. These measures ensure that only authorised users, as determined by FTCclaims, have access to specific information, systems and facilities. User accounts offer a way of managing access, providing user accountability and tracking the use of information, information systems and resources. User accounts can take various forms, from a system login to an account on FTC's platform. Therefore the application of access controls, the management of user accounts and the monitoring of their use play an extremely important part in the overall security of information resources.
The purpose of this policy is to define the access controls and monitoring required to ensure an appropriate level of protection for information, systems and resources.
This policy applies to all information resources, systems or facilities (existing or new) where access controls are assessed to be required. It covers the management of all accounts whether administered corporately or departmentally. It does not cover the authentication method used to ensure the identity of that user.
Statement of principles
• Access controls will be established for all major information, information systems and facilities based on their classification and security risk assessment to ensure that the appropriate level of security is implemented;
• Logical access controls will be implemented in accordance with this policy and the Information Security Policy. Physical access controls will be implemented in line with this policy and the Physical and Environmental Security Policy;
• Access to the network, information systems and servers will be achieved by the use of individual user accounts (UIDs) that will require an appropriate authentication method as outlined in the Password & Authentication Policy;
• Access to information systems and facilities will be governed by a formally defined authorisation process covering the creation, modification/maintenance, re-enabling and deletion of accounts;
• Users will only be granted access to information and information systems and facilities on a “need-to-know” basis. Users will only be granted the minimum access and privileges required to perform their duties;
• Procedures will be implemented to ensure that access to data or information is not dependent on any one individual. Privileges will be granted through group membership rather than to individual accounts in order to facilitate this;
• Each assigned account will uniquely identify the user and must conform to the FTCclaims naming standard;
• Security of systems administration accounts and passwords will be the responsibility of the technical owner of that system and must adhere to FTCclaims policies, except where this is not technically possible;
• A notice warning users about accessing information without authorisation will be displayed before users can gain access to any information system or facility. It should not identify any information about the information system or any other internal matters;
• A review period, determined by the information “owner”, will be established to reassess the access controls implemented for information, information systems and facilities. A record of the review must be maintained;
• User accounts will be reviewed on a regular basis to ensure access and account privileges remain applicable to the job function/role or employment status of the user. A record of the review must be maintained;
• All employees have a legal duty to keep all personal data confidential and to comply with the data protection provisions contained within the Code of Conduct;
• Access to information systems and facilities will be revoked for users who do not need access to perform their duties, in order to ensure the confidentiality, integrity and availability of information to other users;
• Accounts will only be created and maintained for users that need access to information, systems and facilities to perform their official duties on behalf of the FTCclaims;
• User accounts will only be authorised to the capabilities appropriate to the user’s role requirements, responsibilities or specific needs to carry out a function for which they are employed. Users will only be assigned the access privileges needed to carry out their job function.
• All accounts created or modified must have a documented request and the appropriate authorisation. A record must be maintained of all authorisations including the access rights and privileges granted;
• Procedures will be established to ensure user’s access rights and privileges are adjusted in a timely manner whenever there is a change in a user’s status;
• User accounts will not be activated until the authorisation process has been correctly completed. Users must not have access to information systems until all activities relating to the commencement or resumption of employment have been completed, e.g. acknowledgement of the Acceptable Use Policy;
• Generic or shared accounts will not be permitted. The only exception will apply to email accounts required by services where the Information & Data Management Section has granted approval;
• Upon notification of termination, transfer, resignation, suspension or retirement from employment, received from the relevant authoritative source(s), the user account will be disabled/deactivated. Disabled accounts will be deleted after the period specified in the Access Control Standard;
• Each user account must be unique, only connected with the user to whom it was originally assigned. Reuse of user IDs is not permitted;
• All user accounts will as a minimum force the use of a password;
• All default passwords for accounts must be constructed in accordance with the FTCclaims Password & Authentication Policy. All default passwords must be changed by the user immediately after first logging into the system, if the user is not prompted automatically to do so;
• User accounts with system-level privileges granted through group memberships or programs must have a unique password from all other accounts held by the user.
Event logging, monitoring and reporting
• Auditing will be implemented on all information systems to track access and record events in line with the Auditing, Logging & Monitoring Policy.
Exceptions
• Exceptions to this policy will only be granted if:
• Compliance would adversely affect the ability of the service to accomplish a mission critical function; or
• Compliance would have an adverse impact on the service provided or supported by the information, system or resource; or
• Compliance cannot be achieved due to the incapability of the information system or resource.
• A procedure for requests for exception to this policy will be produced and implemented.
Human Resources are responsible for:
• Ensuring that information held within the HR system is accurate and kept up to date;
• Providing all employees with a copy of the Acceptable Use Policy and ensuring it is acknowledged/signed by the employee.
System administrators/security officers, as custodians, are responsible for:
• The creation, modification and deletion of the user accounts relating to their information system(s);
• Ensuring processes associated with the creation, modification and deletion of accounts are documented in formal procedures;
• Periodic review of user accounts for validity;
• Monitoring user account activities and reporting unusual activities to management;
• Providing a list of inactive accounts to HR in order that the status of the account/account holder can be verified;
• Co-operating with authorised FTCclaims personnel in the investigation of security incidents.
Line Managers are responsible for:
• Promptly notifying HR when permanent and temporary employees, contractors and service partner personnel terminate employment or transfer to new duties/responsibilities;
• Promptly notifying the relevant systems administrators when staff, contractors and service partner personnel terminate employment or transfer to new duties/responsibilities;
• Providing all temporary employees employed within their service with a copy of the Acceptable Use Policy and ensuring it is acknowledged/signed for by the individual.
All Users are responsible for:
• Familiarising themselves with this policy and all other related policies and guidelines set out below;
• All activity related to accounts they have been allocated;
• Reporting any suspected misuse of accounts/passwords to their line manager;
• Ensuring the security of their own passwords and reporting any potential compromise of the security of their user accounts.
The Information & Data Management Section is responsible for:
• Maintaining this policy;
• Ensuring processes associated with the above are documented in formal procedures.
Failure to adhere to this policy will be considered a serious disciplinary offence and will be dealt with in accordance with the appropriate FTCclaims disciplinary procedures. This could lead to termination of employment for employees, termination of a contract in the case of service providers or consultants, and expulsion in the case of student placements. Additionally, individuals may be subject to civil or criminal prosecution.
To ensure compliance with this policy, reviews will be undertaken at regular intervals, and on an ad hoc basis where required, by the Information & Data Management Department.
This policy will be reviewed on an annual basis. It will be amended in response to changes in operational and legal requirements. Every effort will be made to ensure individual users are made aware of changes when they occur. If you have any queries or questions about this policy contact the IT Department.
The following policies and guidance should be read in conjunction with this policy:
Acceptable Use Policy
Password & Authentication Policy