(Company Logo)

Information Security Management System

User Access Control & Account Management Policy
Version 2.0

Access Control & Account Management Policy
Caretel/ISMS/TSP/POL/ACA-01

Access Control & Account Management Policy

Document Path: qmsserver/missionQ/Information_Security_Processes/Security_Policies/Non_IT_Policies/IT_Security_Policy

Version Number | Author (Name, Role, Signature) | Date of Preparation | Reviewer(s) (Name, Role, Signature) | Date of Review | Approver (Name, Role, Signature) | Date of Approval | Date of Release

Revision History

Version Number | Date of Release | Section/Page # Changed | Details of Changes

Caretel Infotech Limited
C 123, 4th Floor, P.P. Towers, Netaji Subhash Place,
Pitampura, New Delhi - 110034 India.

Internal


Objective
This document forms Caretel's User Access Control & Account
Management Policy in support of the IT Security Policy. Compliance
with this Policy will enable consistent controls to be applied
throughout the organization, minimizing exposure to security breaches,
whilst allowing systems administration and technical support staff to
conduct their activities within the framework of the company policies.

Scope
This policy applies to all user accounts and all other computing
accounts provided to Caretel employees, contractors, trainees, etc.
This policy is not limited to Caretel's premises, but applies to any
access, remote or local, to any computing resources administered by
Caretel.

Policy Description

- All user accounts must be assigned passwords which meet the
  standards and all users are required to change their password
  at initial logon where systems do not force this.

- Privileged account holders must not allow other users to access
  systems under their logon unless they are present for the
  duration of all activity.

- Users must not attempt to access systems, applications or data
  which their user account does not naturally provide access to.

Password Change at Initial Log-on

Where possible, systems are to be configured to force users to change
their password at their first log on in accordance with the Password
Policy.

Suspension of User Accounts and Password Resets
The suspension of a user account can only be requested by the
respective Reporting Officer with approval from the HOD, HR Head of
Department and Information Security Officer. All password resets are to
be performed in accordance with the Password Usage and Management
Policy.

Account Privileges
The Technical Support department is to restrict and control the
allocation and use of system privileges on each computer platform. In
particular, access to operating systems and applications is to be
generally restricted to designated administrators and support staff who
are associated with the management and maintenance of the respective
platforms. Users are to be given specific account profiles and
privileges as defined and authorized by their respective reporting
officer in accordance with their particular function or role. When
creating user accounts, system administrators must take care to
ensure that users are only granted access to systems and resources
that have been approved and which are necessary for business
purposes. User privileges are to be reviewed on a regular and frequent
basis and withdrawn where the circumstances of those who have been
granted privileges no longer warrant such access.

Account Management

User accounts are to remain active during the employment of the user
at Caretel Infotech Limited. The Separation Policy is followed by
Technical Support and Human Resources when members of staff leave
employment.

Administrators delete or disable user accounts when the account holder
has left the organization's employment or when any disciplinary action
has been taken by the HR department.

Use of Accounts

Passwords
All user accounts must be assigned passwords which meet the
standards in the Password Policy. In accordance with the Password
Policy, all users are required to change their initial log-on password
the first time that they log onto a system where the system itself does
not automatically enforce this requirement.

Privileged Accounts
Privileged account holders must not allow other users, including
administrators and computer support staff, access to systems under
their logon unless they are present for the duration of all activity.

Access Parameters
In accordance with the Acceptable Use Policy, under no circumstances
are users to attempt to access systems, applications or data which
their user account does not naturally provide access to and for which
they have not been granted specific permission.

Third Party Account Policy

Approval for a third party account must be provided by the Head of
Department of the respective domain. The access should be restricted
to the minimum set of folders for better manageability.

Policy Controlling Shared & Other Accounts

When there is a need for collaborative working, shared areas are to be
created and accessed through the use of each user's own user
account. However, project accounts may be permitted whereby
members of a group access the account through the use of a
common (shared) user name and password.
Named custodians are to be appointed to manage temporary accounts
where these are used for temporary staff.

Network Privileges
Most network users will have access to the following types of
network resources.

- Email - Most users will have full access to their own email. They
  will not be able to transfer ownership to someone else.

- A personal network drive on a networked file server - This is a
  folder on a drive that only the primary user of this drive can
  read and write, exclusive of domain administrators. The user will
  not be able to transfer ownership to someone else.

- A shared group or organizational division's drive - This is a
  folder that members of specific groups or divisions in the
  organization may access. Access may be read or write and may
  vary by organizational requirements. The following table is to be
  referred to when granting access rights.

  Requester                        | Type of Access Rights                                    | Approval Requirement
  New Employee                     | Department's Shared Drive & other public drives or       | No
                                   | folders, Intranet: default Read permission               |
  Existing Employee & New Employee | Department's Shared Drive: Write & Modify                | Reporting Officer
  Existing Employee & New Employee | Shared Folder or Shared Network Drive, Cross Functional  | Reporting Officer &
                                   | Shared Drive: any type of right                          | Cross Functional head

- Access to databases - There may be additional databases that
  may be stored on a shared drive or on some other resource.
  Most databases will have a standard user level which gives
  users appropriate permissions to enter data and see report
  information. However, only the database administrators will
  have full access to all resources on a database. Database
  administrators will only have full access to the database that
  they administer.

Admin Privileges
Root is the Admin ID for all servers and all servers are accessible
through one Admin ID.

Enforcement

Any employee found to have violated this policy could also be subject
to disciplinary action, up to and including termination of employment.

Policy Review
The policy will continue to be in force unless superseded by a fresh
policy. Caretel management reserves the right to amend, abrogate,
modify, rescind / reinstate the entire Policy or any part of it at any
time.

References
Caretel IT Security Policy 1.0
ISO 27001 References
11.6 Application and information access control
11.2 User access management
11.4.1 Policy on use of network services

Responsibility for execution, Functional Impact and Processes
affected by the Policy
Technical Support would be responsible for execution and enforcement
of the policy, and all Caretel processes and employees would be
affected by the policy.

Access to the policy
All Caretel Infotech Limited employees

Glossary
NA