LOGICAL ACCESS POLICY
|
Document Identification |
HSNZ/POL/18 |
|
|
Document Name |
Logical Access Policy |
|
|
Master Copy |
CISO |
|
|
Version Number |
1.3 |
|
|
Date Of Release |
15 Aug 2023 |
|
|
Prepared By |
Eparama Tuibenau |
CISO |
|
Approved by |
Kevin McAfee |
Managing Director |
VERSION HISTORY
|
Sl No |
Version No. |
Prepared by |
Approved by |
Description of Version |
Date |
Reason for Version Change |
|
|
From |
To |
||||||
|
1 |
1.0 |
- |
CISO |
MD |
First Release |
14 Apr 2020 |
No changes made |
|
1 |
1.0 |
1.1 |
CISO |
MD |
Updated |
26 Jun 2021 |
Modifications due to changes in HealthSafe |
|
1 |
1.1 |
1.2 |
CISO |
MD |
Reviewed |
28 Jul 2022 |
Annual review |
|
1 |
1.2 |
1.3 |
CISO |
MD |
Reviewed |
15 Aug 2023 |
Annual review |
DOCUMENT STATUS
|
Date |
Document Status |
|
14 Apr 2020 |
Modified |
|
26 Jun 2021 |
Reviewed |
|
28 Jul 2022 |
Current |
|
15 Aug 2023 |
Current |
Table of Contents
1 Purpose
2 Scope
3 Input
4 Output
5 Interacting Process
6 Abbreviations, Acronyms and Definitions
7 Procedure
8 Monitoring the Process
9 Records
- PURPOSE
The purpose of this document is to establish and maintain a policy for logical access for HealthSafe NZ. - SCOPE
These procedures apply to all aspects of logical access - ABBREVIATIONS, ACRONYMS AND DEFINITIONS
|
Abbreviation |
Description |
|
IT |
Information Technology Department |
|
TL |
Team Lead |
|
CISO |
Chief Information Security Officer |
4 INPUT
- To ensure authorised access
5 OUTPUT
- To provide access to the information to the restricted person
6 INTERACTING PROCESS
All users
7 PROCEDURE
- The access to the server infrastructure is restricted to authorised IT team administrators.
- The IT administrators will have a separate admin account for them to login to the servers.
- The “administrator” user account should not be used unless it is authorised by CISO.
- System access, application access and associated privileges must be restricted and only provided to users with a legitimate business need via an approved formal authorisation process.
- The authorisation process for privilege allocation must record all access provided and the relevant authoriser.
- Privileges must only be granted once the appropriate authorisation has been granted.
- Privileges should be allocated to users based upon their role-based requirements on a system-by-system basis.
- Authorisation requests for system access, privilege allocation should be placed through written communication via CRM HubSpot requisition to CISO/IT team accordingly.
- The IT team will maintain user access and privilege log containing the following information
- Email address of submitter and requesting personnel, requisition title and description, and the software requiring access to.
- System administrative privilege or other escalated privileges, not required for routine business use, should be allocated to a separate but, still individual user profile, to be used for escalated privilege functions only.
- Application systems shall ensure that users cannot surpass system controls by utilising the application system or its related information and gain access to data or systems to which they have not been provided an authorised access.
- Application documentation shall be targeted for the type of user accessing the system and shall avoid providing un-required information.
- Highly sensitive systems may need to be isolated from the standard access. Such investigations shall be performed by system administrator in periodic intervals.
8 MONITORING THE PROCESS
- User permission will be monitored through various platforms and systems.
9 RECORDS
- Access permissions in various platforms and systems.
- Computer Resource/Repository Request Form