Access Management Policy

PURPOSE

This policy outlines the guiding principles for granting access to digital assets, including systems, databases, infrastructure, and other resources.

SCOPE

This policy applies to all Employees, Contractors, Vendors, Service Providers, or anyone else who requires access to any Event Hub Systems, Databases, Applications, or Premises. It also covers remote access scenarios, where resources are accessed from outside the office premises.

TERMS AND DEFINITIONS

POLICY

Particular Applications on the basis of approval from the Line Manager

  1. All employees and contractors should be provided with access only to the applications needed to execute their official job responsibilities.

Role-Based Access Control (RBAC)

  1. Users should be granted access only on the basis of their role and its sub-components. It must be ensured that basic access is read-only.

In line with the Job Description and proper Justification

  1. All User Access Requests should be approved and provided with a justification by the Line Manager (Supervisor).

  2. Access to the system must also be stated as a requirement in the user's main roles and responsibilities.

Logs enabled

  1. All user access and activity (actions performed in the system) logs should be enabled.

  2. Every user activity should be logged with a timestamp and the respective action that was performed by the user.

Monitoring

  1. User logs should be closely monitored on a weekly basis. The review should identify which users are performing critical actions.

  2. Critical actions may include removal of data, editing of existing data, and particularly any attempt to tamper with the log history.

Other user actions that should be categorized as critical should be reviewed and added to the policy and to the system's privilege configuration accordingly.

Limited Time Access (Renewed every Quarter)

  1. All user-level access should be restricted on the basis of IP address or, where required, MAC address. This can be applied in addition to the security key.

Multi-Factor Authentication (MFA)

  1. Where applicable, the system should prompt for Multi-Factor Authentication (MFA) to add an additional layer of control from a security perspective.

Session Logout

  1. Each user session should be logged out if the user does not perform any activity for a defined duration of time.

Account Lock

  1. If a user tries to log in by providing wrong credentials or from an unauthorized machine, his account should be blocked for a defined duration.

  2. The account can either be re-enabled automatically after a set duration (e.g. 1 hour), or the user can contact the respective system administrator to reset it.

Single Sign-On (SSO)

  1. It should be promoted that the user's official ID and all other user access are controlled through Single Sign-On (SSO).

Access Control List (ACL)

  1. If applicable, an additional security layer in the form of Access Control Lists (ACLs) on firewalls or on the server should be applied. These ACLs should permit only the recommended ports.

  2. ICMP and other similar protocols and ports should be disabled by default.

  3. In some scenarios, the ACL should also be applied on the basis of IP address, MAC address, user name, email, and domain name.

Communication with HR

  1. The User Access Management Policy works closely with Human Resource policies.

  2. The team managing user access should be in close coordination with HR so that changes in the status of any employee or contractor are known and applied promptly.

Local Access Only

  1. Users should be provided with local access to the system unless explicitly stated otherwise; that is, some software components will only be accessible from the office premises, and they should remain that way.

Remote Access

Remote access should be handled separately and requires additional software, including a VPN.

  1. In cases where an Employee or Contractor is not located in the same country/city, he might require remote access.

  2. In such scenarios, a VPN (Virtual Private Network) should be used to ensure secure access.

  3. The Employee/Contractor should ensure that his machine (official or personal) is properly protected through anti-virus and other supporting software.

  4. The Employee/Contractor should use only his own machine and avoid downloading or recording any official data unless it is unavoidable.

Access during vacation should be revoked or reduced to a limited duration to ensure that the person cannot reach the system.

If the employee or contractor is on a vacation that could last more than 10 days and he is not expected to access the system, his access can be temporarily disabled.

Periodic Checks and Audits

  1. Audits of existing users should be done on a monthly basis to ensure that no new user is created without following the Access Management Policy.

  2. If any unidentified user account is detected, the account should be disabled and reported to the respective application owner for review.

  3. Disciplinary action should be taken if some accounts were created by someone without properly following the Access Management Policies.

Revoking Access

  1. If there is a conflict with any employee or any breach of internal policy, it can lead to access being fully revoked.

  2. Revoking or disabling users' accounts should be easy to implement and must be done in the minimum possible time.

Temporary Access

  1. Some external consultants might require temporary access for a change management activity (for a few days or a few hours). In this scenario, a form should be submitted with proper justification and approved by the person who is going to raise the Change Request (Change Owner).

Urgent/Emergency Access

  1. There could be a scenario where urgent access is required for a person who is neither a contractor nor an employee. He could be a vendor or any other consultant trying to troubleshoot and fix any issue.

  2. In such a scenario, an official confirmation should be taken from the respective system owner through email.

  3. In addition, an employee should also shadow the complete session if and when required.

  4. As soon as the issue is resolved, the access for that consultant/support agent should be revoked.

  5. In rare scenarios, the employee can also hand over control of his machine. In this case, the employee should shadow the whole session and ensure that all steps are taken with his consent. This situation should be avoided unless a critical issue is being resolved.

Concurrent Sessions

  1. For additional security, users should be able to access the system from only one machine at a time.

  2. The user should also be prompted that he will be logged out from the machine on which he is already logged in.

Lost or Forgotten Credentials

  1. If credentials are lost, or the user suspects that his credentials are known to anyone else, he should reset his password or contact the IT Department to take the necessary steps.
