
The following policies and procedures are relevant to this document:

  • Access Control Policy

  • Mobile Device Policy

User registration

This process must be followed for every user account creation, including accounts for users within the IT Department. Vertic Pty Ltd maintains and supports a wide variety of IT systems, and the level of access individuals require to these systems in order to perform their job role will vary widely across the organisation. Although the specifics of how user accounts are created will also vary between systems, the following basic process should always be followed.

...

Access to IT systems should be requested via the [IT Service Desk]. Where online or electronic forms are available for specific systems these should be used. In addition to system-specific details, the following should always be given:

  • Name

  • Role

  • Department

  • Contact Details

  • Name of line manager

  • Start date (and end date if applicable)

For each system to which access is requested, further information may be required such as:

  • Name of an existing user whose access should be duplicated (if the new user is performing the same or similar role; the approver should still confirm that the copied access matches the new user's role, not the accumulated rights of the existing user)

  • Modules required

  • Payroll or employee number

Where possible, requests for access should be pre-approved by the system owner or line manager and submitted to the IT Service Desk from the approver's email address, so that the approval is evidenced together with the request.

...

Requests for adjustments to user access to IT systems should be sent to the IT Service Desk. Where online or electronic forms are available for specific systems these should be used. In addition to system-specific details, the following should always be given:

  • Name

  • Role

  • Department

  • Contact Details

  • Name of line manager

  • Date adjustment required from

If any of the above items of information are changing (for example a move of role or department) then both old and new details should be given.

For each system to which access is requested to be amended, further information may be required such as:

  • Name of an existing user whose access should be duplicated (if the amended user will be performing the same or similar role; the approver should still confirm that the copied access matches the new role rather than the accumulated rights of the existing user)

  • Modules required

  • Payroll or employee number

Where possible, requests for adjustments to access rights should be pre-approved by the asset owner or line manager and submitted to the IT Service Desk from the approver's email address, so that the approval is evidenced together with the request. Where a user is moving role or department, the rights no longer needed for the old role should be removed at the same time the new rights are granted, so that access does not accumulate across moves.

...

The following factors should be considered by the asset owner as part of the approval criteria for such requests:

  • Why does the user need privileged access rights?

  • Is there an alternative way to achieve the desired end result without granting privileged access rights?

  • Does the user have the necessary training and expertise to avoid mistakes when using the privileged access rights?

  • How long are the rights needed for?

  • Is a documented agreement such as a Non-Disclosure Agreement required (for example for third parties)?

A user who requires privileged access rights (for example domain admin) should request that a separate user account be created with these rights (for example john smith admin), kept distinct from the account used for day-to-day work such as email and web browsing. Under no circumstances should the password for the default (built-in) admin user account be issued to an individual. If the need for access is temporary, an expiry date should be set on the user account when it is created, or temporary security credentials should be configured using Salesforce's user security and permissions model, so that the access lapses automatically rather than relying on someone remembering to remove it.

...

The IT Department will create a listing of all the authorised users of each system or set of resources, together with their current level of access. As a minimum, this listing should state the following:

  • Name of system or resource set

  • User's full name

  • User role title

  • User department

  • User account name

  • Date of user account creation

  • User role(s) assigned

  • Additional access rights assigned

  • Privileged access rights assigned to this account

Where appropriate, supporting information such as the specific permissions associated with each role defined in the system should also be provided.

...

Asset owners will review this listing to identify:

  • People who should not have access (e.g. leavers)

  • User accounts with more access than required by the role

  • User accounts with incorrect role allocations

  • User accounts that do not identify an individual, e.g. generic or shared accounts

  • Any other issues that do not comply with the organisation’s access control policy

A list of the issues identified should be compiled by the asset owner and sent to the [Information Security Manager]. Any issue that appears to be urgent (for example a leaver who still holds privileged access) should be flagged as such without delay so that prompt action may be taken.
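The listing described above and the review criteria the asset owner applies to it lend themselves to a mechanical first pass. The following is an added example, not Vertic's own tooling or part of this procedure: it cross-checks a constructed account listing (in the column shape the listing section asks for) against a constructed HR roster and a hypothetical per-job-title entitlement matrix, and produces the list of issues for the Information Security Manager with urgent items first. The column names, the role matrix and all the people and accounts in it are assumptions made for the example.

```python
"""Access review helper: cross-check a system's authorised-user listing against
the HR roster and a per-role entitlement matrix.  Example code added for
illustration; it is not Vertic's tooling.  All data below is constructed."""
import csv
import io
from dataclasses import dataclass

# Constructed listing in the shape the procedure asks for (one row per account).
ACCOUNT_LISTING_CSV = """system,user_name,role_title,department,account_name,created,roles,additional_rights,privileged_rights
Finance ERP,Jane Doe,Accounts Payable Clerk,Finance,jdoe,2022-03-01,AP_Clerk,,
Finance ERP,John Smith,IT Systems Administrator,IT,jsmith.admin,2023-06-15,SysAdmin,,ERP_Admin
Finance ERP,John Smith,IT Systems Administrator,IT,jsmith,2021-01-10,AP_Clerk,Report_Export,
Finance ERP,Mary Jones,Finance Manager,Finance,mjones,2020-09-20,AP_Approver;GL_Posting,,
Finance ERP,,Shared login,Finance,finance_shared,2019-05-05,AP_Clerk,,
Finance ERP,Bob Lee,Payroll Officer,Finance,blee,2021-11-02,Payroll,,ERP_Admin
"""

# Constructed HR roster: who is still employed, and in which department.
HR_ROSTER_CSV = """user_name,department,status
Jane Doe,Finance,active
John Smith,IT,active
Mary Jones,Finance,active
Bob Lee,Finance,left
"""

# Hypothetical entitlement matrix: which system roles each job title needs and
# whether the title may hold privileged rights at all.
ROLE_MATRIX = {
    "Accounts Payable Clerk": {"roles": {"AP_Clerk"}, "privileged": False},
    "Finance Manager": {"roles": {"AP_Approver", "GL_Posting"}, "privileged": False},
    "Payroll Officer": {"roles": {"Payroll"}, "privileged": False},
    "IT Systems Administrator": {"roles": {"SysAdmin"}, "privileged": True},
}


@dataclass
class Finding:
    account: str
    issue: str
    urgent: bool


def _split(field: str) -> set:
    """Semicolon-separated cell -> set of non-empty values."""
    return {v for v in field.split(";") if v}


def review(listing, roster, matrix):
    """Apply the procedure's review criteria to each account row."""
    hr = {r["user_name"]: r for r in roster}
    findings = []
    for acct in listing:
        name = acct["user_name"].strip()
        account = acct["account_name"]
        roles = _split(acct["roles"])
        priv = _split(acct["privileged_rights"])

        # Accounts that identify no individual (generic or shared).
        if not name:
            findings.append(Finding(account, "generic or shared account: no individual identified", bool(priv)))
            continue

        # People who should not have access: leavers, or names unknown to HR.
        person = hr.get(name)
        if person is None or person["status"] != "active":
            findings.append(Finding(account, f"{name} is a leaver or unknown to HR: access should be removed", True))
            continue  # removing the account supersedes any finer-grained finding

        expected = matrix.get(acct["role_title"])
        if expected is None:
            findings.append(Finding(account, f"role title {acct['role_title']!r} not in matrix: cannot validate", False))
            continue

        # Department mismatch is a cheap proxy for an incorrect role allocation.
        if person["department"] != acct["department"]:
            findings.append(Finding(account, f"department {acct['department']} differs from HR ({person['department']})", False))

        # More access than the job title requires.
        extra = roles - expected["roles"]
        if extra:
            findings.append(Finding(account, f"roles not required by job title: {sorted(extra)}", False))
        if priv and not expected["privileged"]:
            findings.append(Finding(account, f"privileged rights on a non-privileged role: {sorted(priv)}", True))
    return findings


def format_report(findings):
    """Lines for the asset owner's list to the Information Security Manager, urgent first."""
    ordered = sorted(findings, key=lambda f: (not f.urgent, f.account))
    return [f"{'URGENT' if f.urgent else 'normal'} {f.account}: {f.issue}" for f in ordered]


def run_review():
    listing = list(csv.DictReader(io.StringIO(ACCOUNT_LISTING_CSV)))
    roster = list(csv.DictReader(io.StringIO(HR_ROSTER_CSV)))
    return review(listing, roster, ROLE_MATRIX)


if __name__ == "__main__":
    for line in format_report(run_review()):
        print(line)
```

On the constructed data this reports three issues: the leaver Bob Lee (urgent, because the account still exists at all), the shared finance_shared account with no individual behind it, and John Smith's day-to-day jsmith account carrying an AP_Clerk role his job title does not require. His separate jsmith.admin account is not flagged, since the matrix permits privileged rights for that title; that is the pattern the privileged-access section above asks for. The script only automates the mechanical checks; the asset owner still has to judge whether a flagged right is genuinely needed.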

...