18. HealthSafe Logical Access Policy


LOGICAL ACCESS POLICY



Document Identification: HSNZ/POL/18
Document Name: Logical Access Policy
Master Copy: CISO
Version Number: 1.3
Date Of Release: 15 Aug 2023
Prepared By: Eparama Tuibenau, CISO
Approved by: Kevin McAfee, Managing Director


 


VERSION HISTORY


| Sl No | Version No. (From) | Version No. (To) | Prepared by | Approved by | Description of Version | Date | Reason for Version Change |
|---|---|---|---|---|---|---|---|
| 1 | 1.0 | - | CISO | MD | First Release | 14 Apr 2020 | No changes made |
| 1 | 1.0 | 1.1 | CISO | MD | Updated | 26 Jun 2021 | Modifications due to changes in HealthSafe |
| 1 | 1.1 | 1.2 | CISO | MD | Reviewed | 28 Jul 2022 | Annual review |
| 1 | 1.2 | 1.3 | CISO | MD | Reviewed | 15 Aug 2023 | Annual review |


DOCUMENT STATUS


| Date | Document Status |
|---|---|
| 14 Apr 2020 | Modified |
| 26 Jun 2021 | Reviewed |
| 28 Jul 2022 | Current |
| 15 Aug 2023 | Current |


Table of Contents

1 Purpose
2 Scope
3 Input
4 Output
5 Interacting Process
6 Abbreviations, Acronyms and Definitions
7 Procedure
8 Monitoring the Process
9 Records





1 PURPOSE

The purpose of this document is to establish and maintain a policy for logical access for HealthSafe NZ.

2 SCOPE

These procedures apply to all aspects of logical access.

3 ABBREVIATIONS, ACRONYMS AND DEFINITIONS

| Abbreviation | Description |
|---|---|
| IT | Information Technology Department |
| TL | Team Lead |
| CISO | Chief Information Security Officer |


4 INPUT

  • To ensure authorised access

5 OUTPUT

  • To provide access to the information to the restricted person

6 INTERACTING PROCESS

All users


7 PROCEDURE

  • Access to the server infrastructure is restricted to authorised IT team administrators.
  • The IT administrators will have a separate admin account for logging in to the servers.
  • The “administrator” user account should not be used unless authorised by the CISO.
  • System access, application access and associated privileges must be restricted and only provided to users with a legitimate business need via an approved formal authorisation process.
  • The authorisation process for privilege allocation must record all access provided and the relevant authoriser.  
  • Privileges must only be granted once the appropriate authorisation has been granted. 
  • Privileges should be allocated to users based upon their role-based requirements on a system-by-system basis.  
  • Authorisation requests for system access or privilege allocation should be placed in writing via a CRM HubSpot requisition to the CISO/IT team accordingly.
  • The IT team will maintain a user access and privilege log containing the following information: email address of the submitter and requesting personnel, requisition title and description, and the software to which access is required.
  • System administrative privileges or other escalated privileges, not required for routine business use, should be allocated to a separate, but still individual, user profile, to be used for escalated privilege functions only.
  • Application systems shall ensure that users cannot bypass system controls by utilising the application system or its related information to gain access to data or systems to which they have not been granted authorised access.
  • Application documentation shall be targeted at the type of user accessing the system and shall avoid providing unnecessary information.
  • Highly sensitive systems may need to be isolated from standard access. Such investigations shall be performed by the system administrator at periodic intervals.


8 MONITORING THE PROCESS

  • User permissions will be monitored through various platforms and systems.

9 RECORDS

  • Access permissions in various platforms and systems.
  • Computer Resource/Repository Request Form