User Access Management
User Registration
A formal user registration and deregistration process must be used for gaining access to CX Index’s systems. This process must protect and maintain the security of access to CX Index’s information resources through the complete life cycle of the user.
Access to CX Index confidential information shall be provided only after the authorisation of the information owner has been obtained.
Contractors and third party contracts will contain the rights of access and will contain sanctions if unauthorised attempts at access are made.
Each person accessing a CX Index multi-user based information system shall utilise a unique CX Index-assigned User ID and a private password. User IDs shall not be shared among two or more users.
System owners and/or management shall grant access rights. Formal records of all access rights for each system shall be maintained.
Access rights shall immediately be removed or modified when a user leaves CX Index or changes jobs.
CX Index will periodically check for redundant IDs and ensuring that redundant IDs are not issued in excess of that required (i.e., administrators may have a privileged and a non-privileged account on the same system, but an average user should not have two different non-privileged accounts on the same system without a valid business reason).
Privilege Management
User rights shall be granted using the least-privilege methodology, based on business need and security requirements.
All privileges shall be granted only with formal authorisation. This authorisation shall be accomplished along with User ID authorisation. All privileges that are granted will be documented. No privileges shall be granted until authorisation is complete.
Elevated privileges (Domain Administrator or root, etc.) should be assigned to a different user ID than that used for normal business use. Administrators should only use their elevated privilege accounts when conducting activities that actually require them. Elevated privileges must only be assigned to dedicated systems administrators and not normal users.
Wherever possible system routines should be developed and used instead of privileges.
User Password Management
A user’s account and password is the primary means of verifying a user’s identity. The allocation of passwords will be a formal management process.
Users will sign a statement in their terms and conditions of employment that they will keep their personal or group passwords confidential. This may be done as part of the overall acceptance of policies.
Users will be responsible for the secure storage of their passwords.
Users will be granted initial temporary passwords and will be forced to change them immediately. Temporary passwords will only be granted with positive identification of the user.
Passwords will be given in a secure manner (i.e. not in a plain text e-mail).
Review of User Access Rights
Users’ access rights will be reviewed at regular intervals. Managers will review their employee’s rights to ensure they are consistent with their present job function. CX Index will regularly review user rights to ensure that elevated privileges have not been granted without authorisation, and that accounts that have not been used recently or belong to terminated employees are deactivated or purged.