Process Document. Scope
- Gervase Wilcox
- 6 years ago
Process Document

Subject: BCIT Access Management Process
Process Number: I
Department Name: Information Technology
Version: 1.4
Original Issue Date:
Revision Date: 03/22/2010
Process Owner: Controls and Compliance
Process Contact: BCIT Controls and Compliance

Purpose

The purpose of this document is to outline the BCIT processes for managing access levels including new hires, job changes, requesting additional access, access removals, and reviewing access to Brunswick applications.

Applicability

The BCIT Access Management process document applies to all domestic and international Brunswick employees and temporary users that require access to any/all IT systems regardless of the division or site location.

Scope

This document describes the process established to request, approve, remove, or transfer user access to Brunswick applications. It also defines the risks involved in this process, controls established to assure the integrity of the production environment and the testing procedures established to monitor the effectiveness of those controls.

Processes

1) Access Requests (New or Additional access)
   a) General Requirements
   b) Access Request Submission
   c) User & Approval Types
   d) Direct Leader Approval
   e) Business Owner Approval
   f) Security Administrator
2) Access Removal (Control C7)
   a) General Requirements
   b) Access Removal Submission
   c) Security Administrator
   d) Inactive Account Removal
3) Access Reviews (Control C3 and C5)
   a) General Requirements
   b) Prepare documents
   c) Business owner review
   d) Security Administrator
4) Payment Card Information Requirements

BCIT Access Management Process Page 1 of 9

Definitions

Business Day: Monday - Friday from 8:00 am to 5:00 pm local time, excluding company-approved holidays.

Business Owner: Those individuals who are responsible for a given business process or financial/operating cycle. A list of business owners for each application should be available by system.

Expedited Request: Access requests that require immediate attention. This type of request should only be used in terminations, or for granting access to assist in the restoral of a service.

Direct Leader: A person whom a user reports to regardless of title, e.g., Leader, Supervisor, Manager.

Generic User Account: An account that is used by multiple users and is not defined as belonging to a single user.

Key System: Any system that contains highly sensitive/confidential information or a system where the main function is to store or alter financial data.

Privileged User: Persons with authority to maintain and configure applications and systems, e.g., DBA, Network admin, Windows admin, Developer.

Security Administrator: Persons who manually fulfill approved user access rights to applications or systems.

Signature: A person's consent regardless of format (hand written or electronic).

System Accounts: A unique account designed to allow communication between systems or applications and is not utilized by any individual.

User: The recipient who an access request is intended for and who will use the access to carry out their job function.

Risk & Controls Matrix

Access Management Risk and Control Matrix

P - Prevent, D - Detect

Risks

R1: A user or Security administrator may gain access or elevated privileges beyond what they need in order to perform their specific job
R2: A security administrator may bypass the approved access management policy, process, and procedure
R3: Terminated employees may retain their system access past their employment period
R4: Contractors, either terminated or who have fulfilled their obligations, may retain their system access past their agreed upon contract period
R5: Generic accounts may be created and used in situations where it is not permissible according to the Access Management Policy

C - Controls

| Process | Policy | Control | Systems | Controls | P / D |
|---|---|---|---|---|---|
| 1.C.i | P-A.1 | C1 | All | Access requests must be approved by the appropriate individuals before access is granted | P P |
| 1.C.ii | No | C2 | All | The implementer of access must be different than the approver(s). | P |
| 3 | No | C3 | Key | System and user accounts with access to critical financial transactions/functionality, and generic accounts are reviewed on a quarterly basis by the designated business owners. | D D D D D |
| 3.C.ii.4 | P-B.8 | C4 | Key | As part of the periodic access review, generic accounts will be reviewed and cross checked against applicable risk acceptance to ensure documented mitigation is taking place | D D |
| 3 | No | C5 | All | Privilege IT access will be reviewed on a periodic basis | D D D |
| 2.D | P-D.1 | C6 | Network | Accounts are removed or disabled after 90 days of inactivity | D D |
| 2 | No | C7 | All | A request for access removal must be submitted and removed once the access is no longer required for an individual's job responsibilities | P P |

R - Recommended Controls and Monitoring activities

| Control | Systems | Controls | P / D |
|---|---|---|---|
| R1 | All | Produce & review a report that displays all termination requests for a given period. The frequency should be at least monthly, but may be daily or weekly. | D D |
| R2 | Key | When an access removal request is submitted based on a termination request, an advisory notice is distributed to the security administrator | P P |
| R2 | Key | Accounts are removed or disabled after 90 days of inactivity | D D |

1) Access Requests (New or Additional access)

a) General Requirements:
   i) All requests must be submitted in written or electronic format
      - For expedited requests please follow the procedures documented for the application/system in which the request is for. The request must still meet the requirements of this process and be submitted within 2 days after the initial expedited request.
   ii) Submit with enough lead time so the request may flow through the approval process (at least 5 days). After all approvals are obtained, IT requires two weeks to complete the request
   iii) All approvals and pertinent information must be maintained in accordance with the Brunswick retention policy
   iv) If at any time information is changed or added within the request, all previous approvals become void. The request must be routed back through the process to gain the approvals.
   v) The implementer must not be one of the approvers.

b) Access Request Submission:
   i) Users requesting access shall adhere to the following guidelines:
      1. Request detailed with enough information that allows the request to be approved (this is the minimum)
         a. Privilege level being requested, e.g., read-only, write, execute, administrative
         b. Privilege type, e.g., developer, administrator, user, super user
         c. Environment, e.g., development, test, production
         d. Clear reason of why the level of access is needed
         e. Specifically detailing the exact resources/areas needed for access
         f. First name, middle initial, and last name of the person needing the access
         g. Date the access is needed
         h. Person user reports directly to, e.g., leader, supervisor, manager

c) User & Approval Types:
   i) Approvals for users requesting access shall adhere to the following guidelines (Control C1):

      | Access Request Type | User Type | System Type | Approval Level |
      |---|---|---|---|
      | New User Request | User | Non-Key | Direct Leader |
      | New User Request | User | Key | Direct Leader & Business Owner |
      | New User Request | Privileged User | All | Direct Leader & Business Owner |
      | Additional Access | User | Non-Key | Direct Leader |
      | Additional Access | User | Key | Direct Leader & Business Owner |
      | Additional Access | Privileged User | All | Direct Leader & Business Owner |

   ii) If the Direct Leader and Business Owner is the same person, then only one approval is required.
   iii) If one of the approvers is also the implementer, then one of the following must occur (Control C2):
      1. An additional signature from:
         a. An individual at the same level as the Direct Leader
         b. A higher level leader than the Direct Leader
      OR
      2. Send the request to a different implementer

d) Direct Leader Approval:
   i) The user's direct leader or next higher manager must approve all requests for new or additional access.
   ii) Before approving, the user's direct leader will ensure the request:
      1. Has all required fields completed
      2. Is specific: Exact resources/areas must be identified within the request for access.
         a. Requests to clone an existing user's access are prohibited according to policy
            i. Example: Setup a new User account with the same privileges or access like John Smith.
            ii. It is acceptable to provide the approving direct leader with the details of an existing user's profile to enable the direct leader to properly review existing access and determine the appropriate level of access for the new user request.
      3. Suitable: Matches the user's job responsibility without granting the user more access than is required to carry out their daily activities.

e) Business Owner Approval:
   i) The business owner(s) of defined Key systems must approve all requests for new or additional access requested.
   ii) Before approving, the Business Owner will ensure the request:
      1. Is clear
      2. Does not create a logical segregation of duties violation with respect to established key financial systems
      3. Is Suitable: Matches the user's job responsibility without granting the user more access than is required to carry out their daily activities.
      4. Approved by the direct leader of the individual (if not the same as the business owner)
      5. Is for a specific person or doesn't violate the rules regarding generic accounts as specified in the access management policy.
   iii) If denied, the business owner will communicate this information back to the user's direct leader or authorized approver.

f) Security Administrator:
   i) Grant new or additional access only after the request has been approved by the appropriate levels based off the chart in 1C
      1. Under no circumstances will a security administrator provide a new account or new level of access for a user before the request has gone through the approval process.
   ii) Implement the access request within department standards or SLAs.
   iii) Communicate to the recipient that the request has been implemented.
      1. For new hires, the security administrator will notify the user's direct leader the request has been completed.
      2. If the access request is implemented before the new hire's start date, the security administrator will inform the new hire's direct leader the proper procedure for getting the login credentials
      3. If the access request is implemented after the new hire's start date, the security administrator will communicate directly to the user following the protocols defined in Brunswick's password policy.
         a. Login credentials will only be given to the recipient to whom the request is intended.
   iv) Note the following within the request
      1. Any special comments regarding the implementation
      2. That the recipient was communicated their new login information where applicable
      3. Sign and date the request stating it has been completed

2) Access Removal (Control C7)

a) General Requirements:
   i) An access removal request must be submitted in the following situations
      1. A user's job responsibilities change and certain access is no longer needed in their new job function
      2. A user is terminated
      3. A contractor's services are no longer needed within the organization
   ii) Expedited disabling of access may be done verbally and then followed by a formal written or electronic request
      - The removal of the account will not happen until a request has been submitted and received by the Security Administrator

b) Access Removal Submission:
   i) The request for removal of access must contain the following information
      1. First name, middle initial, and last name of the user whose access is being disabled
      2. User's location
      3. Date of the request
      4. Date the access needs to be disabled
      5. Person user reports directly to, e.g., leader, supervisor, manager
      6. Reason why the access is being removed, e.g., Termination, Job Transfer

c) Security Administrator:
   i) Once IT is notified, the security administrator has until the close of the next business day to disable access to Network/VPN and key applications
   ii) Access to be disabled within 5 business days of notification for all non-key systems
   iii) Note the following within the request
      1. Any special comments regarding request
      2. Sign and date when the access is removed

d) Inactive Account Removal:
   i) If a network account is inactive during the last 90 days, the security administrator will either disable or remove the account depending on the system requirements.
      1. Where possible, this should be automated and done daily. If this is not possible, a manual review must occur within the following guidelines
         a. For key systems, this review may happen every week (Optional)
         b. For non key systems this review must happen every quarter
   ii) Accounts that are exempt from this rule must be periodically:
      1. Re-approved by the same level as required to grant the access
      2. Reviewed and updated
   iii) The security administrator shall document and retain evidence as per the prescribed procedures.

3) Access Reviews (Control C3 and C5)

a) General Requirements
   i) Access reviews will be completed on the following schedule

      | User Type | System Type | Review Period |
      |---|---|---|
      | Privileged User | Key | Quarterly |
      | Privileged User | Non-Key | Semi-Annually |
      | Financial Impacting | Key | Quarterly |
      | Generic | Key | Quarterly |

   ii) A documented list of Business Owners or the delegates authorized to do the review must be maintained
      - This document should be reviewed and updated on a periodic basis
   iii) This review is for ensuring that an individual does not have access outside of what is required to execute their job function. If additional access is required, the access request process must be followed (Section 1)

b) Prepare documents:
   i) Security administrators will produce documentation for the following reviews
      1. Existing accounts with access that impact financial statements.
      2. Existing accounts with privileged access.
      3. Generic accounts.
   ii) Documents shall be submitted to the appropriate reviewers with enough lead time to allow a reasonable time period for review
      - A specific due date to complete the review must be identified.
   iii) Review documentation should:
      1. At a minimum be for the production environment
         - Must include the environment being reviewed in the documentation
      2. Be specific and detailed
         - Denote each type of access, e.g., read-only, write, execute or administrative.
      3. Be system generated where applicable
         - If the documentation of existing user accounts is not system generated, there must be a method to reconcile the accounts.
      4. Clearly identify users including if possible job titles or role.
         - Does not apply to the generic account review
      5. Include groups and the individuals within those groups where applicable
         - Does not apply to the generic account review

c) Business owner review:
   i) Business owners are required to review existing access to ensure only properly designated persons and generic accounts have access. Examples:
      1. Terminated employees have been removed
      2. Access is appropriate for job responsibilities
      3. Access for employees who have transferred jobs is still appropriate
   ii) The minimum that should be checked:
      1. Does current user access match the user's job role
      2. The access is the minimum that is required and is commensurate with the user's job responsibilities
      3. Does not create a logical segregation of duties violation with respect to established key financial systems
      4. The generic account falls within the allowed guidelines or has proper approval documented
   iii) Business owners must clearly indicate the access that should be removed as a result of their review. Examples:
      1. Remove entire account
      2. Remove write access for a specific menu option
   iv) Business owners must complete the review and submit a signed and dated document to the security administrator(s) within a pre-defined timeframe.
   v) The business owner shall communicate directly to the affected user in the event access is changed for any reason.

d) Security Administrator:
   i) Security administrators must process all requested removals/changes resulting from the business owner's quarterly review within the same timeframe as required by the Access removal section.
   ii) Security administrators must indicate that the access change has been implemented.
      1. Notate any special comments regarding the implementation
      2. Sign and date the request stating it has been completed
   iii) A second report as described in section 3b should be generated after implementing the removal of access
   iv) Security administrators must retain all user access quarterly review documentation according to Brunswick retention policies.

4) Payment Card Information Requirements (applicable only to Brunswick Bowling and Billiards retail operations in North America)

a) Required Automated Access Request Process
   i) Automated access request processes must be used for provisioning and de-provisioning access to all systems and applications designated by the business as subject to the requirements of the PCI Standards.
   ii) This process must be designed to control and document the requirements for access provisioning and de-provision stated in this document.

b) 90 Day Inactive Account Removal
   i) If a system or application account is inactive during the last 90 days, the security administrator will either disable or remove the account depending on the system requirements.
      1. Where possible, this should be automated and done daily. If this is not possible, a manual review must occur within the following guidelines
         a. For key systems, this review may happen every week (Optional)
         b. For non key systems this review must happen every quarter
   ii) Accounts that are exempt from this rule must be periodically:
      1. Re-approved by the same level as required to grant the access
      2. Reviewed and updated
   iii) The security administrator shall document and retain evidence as per the prescribed procedures

Related Documents

A. I Brunswick Access Management Policy
B. L Record Management Information Lifecycle Management
C. I Password Policy
D. XXXX - IT System\ Application Owner (Under Development)
E. XXXX - Key Applications (Under Development)

Revisions, Dates and Author

| Date | Revised By | Revision Comments | Version Number |
|---|---|---|---|
| | Ryan Lanier | Initial BCIT Consolidated version | |
| | Ryan Lanier | Updated header and formatting | |
| | Ryan Lanier | Updated Definitions, Sections: 1.C.i, 1.C.ii, 2.C.i, and change term waiver to risk acceptance throughout the document | |
| 3/16/10 | Emily De Binder | Added section 4 for Payment Card Information requirements | |
| 3/22/10 | Emily De Binder | Add 90 day inactive requirement for PCI | |
More informationGovernance, Risk, and Compliance Controls Suite. Release Notes. Software Version
Governance, Risk, and Compliance Controls Suite Release Notes Software Version 7.2.2.1 Governance, Risk, and Compliance Controls Suite Release Notes Part No. AG008-7221A Copyright 2007, 2008, Oracle Corporation
More informationRDMS AUTOMATED FILE EXTRACT SERVICE REQUEST APPROVAL FORM
AUTOMATED FILE EXTRACT SERVICE REQUEST APPROVAL FORM This form is intended for University of California Office of the President Risk Services (OPRS) affiliates. The form is designed to collect key information
More informationApplication Control Review. August 4, 2012
Application Control Review August 4, 2012 Application Controls Review - Scope Web security Access Controls Password Controls Service Level Agreement Database Access Controls Perimeter Security Controls
More informationBusiness Online Banking User Guide
Business Online Banking User Guide Table of Contents Contents Overview... 2 Logging In... 2 Additional Login Information... 5 Home/Dashboard... 6 Top Line Tool Bar... 6 Bulletins... 7 Dashboard... 8 Accounts...
More informationServer Security Procedure
Server Security Procedure Reference No. xx Revision No. 1 Relevant ISO Control No. 11.7.1 Issue Date: January 23, 2012 Revision Date: January 23, 2012 Approved by: Title: Ted Harvey Director, Technology
More informationPage 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES
002 5 R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission
More informationVersion v November 2015
Service Description HPE Quality Center Enterprise on Software-as-a-Service Version v2.0 26 November 2015 This Service Description describes the components and services included in HPE Quality Center Enterprise
More informationIntroducing your new ACH ALERT USER GUIDE. Updated
Introducing your new ACH ALERT USER GUIDE Updated 03.09.18 Table of Contents DASHBOARD 3 General...3 Viewing the Dashboard...4 Viewing the Dashboard After EOD with Additional File Load...9 USER PRIVILEGES
More informationStandard CIP 007 3a Cyber Security Systems Security Management
A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-3a 3. Purpose: Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for
More informationFLORIDA DEPARTMENT OF JUVENILE JUSTICE PROCEDURE
PROCEDURE Title: Protective Action Response (PAR) Instructor and PAR Fidelity Procedures Related Policy: Chapter 63H-1, Florida Administrative Code (F.A.C.) I. DEFINITIONS Administrator One whose primary
More information2. Who we collect information (data) from & why we collect it
1. Introduction Our Privacy Policy applies to the personal data that Ambrey collects and uses. References in this Privacy Policy to Ambrey, we, us or our mean Ambrey Limited and the Ambrey Group of companies:
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationTrust Services Principles and Criteria
Trust Services Principles and Criteria Security Principle and Criteria The security principle refers to the protection of the system from unauthorized access, both logical and physical. Limiting access
More informationSubject: University Information Technology Resource Security Policy: OUTDATED
Policy 1-18 Rev. 2 Date: September 7, 2006 Back to Index Subject: University Information Technology Resource Security Policy: I. PURPOSE II. University Information Technology Resources are at risk from
More informationCertified Recovery Peer Advocate-Provisional Application
Certified Recovery Peer Advocate-Provisional Application Provisional A Project of Alcoholism & Substance Abuse Providers of New York State, Inc. 11 North Pearl Street, Suite 801 Albany, New York 12207
More informationCOMPAS ID Author: Jack Barnard TECHNICAL MEMORANDUM
MesaRidge Systems Subject: COMPAS Document Control Date: January 27, 2006 COMPAS ID 30581 Author: Jack Barnard info@mesaridge.com TECHNICAL MEMORANDUM 1. Changing this Document Change requests (MRs) for
More informationIBM Hosted Application Security Services - Pre-Production Application Scanning
IBM Hosted Application Security Services - Pre-Production Application Scanning FR_INTC-8839-02 2-2012 Page 1 of 21 Table of Contents IBM Hosted Application Security Services -...1 Pre-Production Application
More informationOracle Data Cloud ( ODC ) Inbound Security Policies
Oracle Data Cloud ( ODC ) Inbound Security Policies Contents Contents... 1 Overview... 2 Oracle Data Cloud Security Policy... 2 Oracle Information Security Practices - General... 2 Security Standards...
More informationThe Common Controls Framework BY ADOBE
The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.
More informationVodafone Location Services. Privacy Management Code of Practice. Issued Version V1.0
Vodafone Location Services Privacy Management Code of Practice Issued Version V1.0 Issued Version 1.0 Page 1 of10 17/08/03 August 2003 Vodafone Limited. All rights reserved. CONTENTS 0. Overview.. 3 1.
More informationThe University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems
The University of Texas at El Paso Information Security Office Minimum Security Standards for Systems 1 Table of Contents 1. Purpose... 3 2. Scope... 3 3. Audience... 3 4. Minimum Standards... 3 5. Security
More informationData Protection Policy
Data Protection Policy Data Protection Policy Version 3.00 May 2018 For more information, please contact: Technical Team T: 01903 228100 / 01903 550242 E: info@24x.com Page 1 The Data Protection Law...
More informationCIP Cyber Security Personnel & Training
A. Introduction 1. Title: Cyber Security Personnel & Training 2. Number: CIP-004-6 3. Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the Bulk Electric
More informationStandard CIP Cyber Security Electronic Security Perimeter(s)
A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-2 3. Purpose: Standard CIP-005-2 requires the identification and protection of the Electronic Security Perimeter(s)
More informationSECTION 15 KEY AND ACCESS CONTROLS
15.1 Definitions A. The definitions in this section shall apply to all sections of the part unless otherwise noted. B. Definitions: Access Badge / Card a credential used to gain entry to an area having
More informationRegions Quick Deposit
Regions Quick Deposit Frequently Asked Questions It s time to expect more. Regions Bank Member FDIC Revised April 2016 Regions Quick Deposit Note: Select a question below to view the answer. Where can
More informationJHA Payment Solutions ipay Solutions. Business Bill Pay. Funds Verification CSL Client Reference Guide. September 2018
JHA Payment Solutions ... 1 Enrollment Process... 2 Home Page... 3 Message Center... 4 Attention Required... 4 Shortcut Method... 4 Scheduled... 4 History... 4 Since You Last Logged In... 4 Payees Tab...
More informationDelphiSuppliers.com. Website Instructions
DelphiSuppliers.com Website Instructions Overview of DelphiSuppliers.com DelphiSuppliers.com allows the secure exchange of files between Delphi (Internal accounts) and Vendors (External accounts) as well
More informationUser Reference Guide
LEARNING CENTRE http://lms.toyota.com.au User Reference Guide Page 1 Learning Centre User Overview Reference Guide Last Modified 23/07/10 2010 Toyota Institute Australia. All rights reserved. All brand
More information1 Introduction to Identity Management. 2 Access needs evolve. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
1 Introduction to Identity Management Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications An overview of business drivers and technology solutions. 2 Access needs evolve Digital
More informationUNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017
UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017 I. Introduction Institutional information, research data, and information technology (IT) resources are critical assets
More informationAccess Control Policy
Access Control Policy Version Control Version Date Draft 0.1 25/09/2017 1.0 01/11/2017 Related Polices Information Services Acceptable Use Policy Associate Accounts Policy IT Security for 3 rd Parties,
More informationInformation Security Data Classification Procedure
Information Security Data Classification Procedure A. Procedure 1. Audience 1.1 All University staff, vendors, students, volunteers, and members of advisory and governing bodies, in all campuses and locations
More informationcpouta - IaaS Cloud Computing Service Service Level Agreement
cpouta - IaaS Cloud Computing Service Service Level Agreement 1. General This Service Level Agreement (hereafter called SLA) is made between the customer, cpouta IaaS Cloud Computing Service user and the
More informationIMPORTANT INFORMATION
Account Management Annual Entitlement User Accounts Certification Process About Entitlement User Accounts Certification Process Each year, FINRA conducts an annual user accounts certification process as
More informationEnterprise Income Verification (EIV) System User Access Authorization Form
Enterprise Income Verification (EIV) System User Access Authorization Form Date of Request: (Please Print or Type) PART I. ACCESS AUTHORIZATION * All required information must be provided in order to be
More informationICS-ACI Policy Series
ICS-ACI Policy Series ICS-ACI-P030 Authentication and Access This is part of a series of documents that make up the formal policies adopted by the Institute for CyberScience at the Pennsylvania State University.
More informationINSTRUCTOR HIRING CRITERIA
INSTRUCTOR HIRING CRITERIA INSTRUCTOR PREREQUISITES All potential instructors (staff/contract) must undergo an assessment of qualifications to perform instruction for isafety Services Ltd. Verification
More informationCSBANK ONLINE ENROLLMENT FORM CITIZENS STATE BANK
CSBANK ONLINE ENROLLMENT FORM CITIZENS STATE BANK To sign up for Citizens State Bank s Internet Banking Services, complete all information on this form. Please read the CSBank Online Internet Banking Agreement
More informationThis draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791.
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationChange Healthcare CLAIMS Provider Information Form *This form is to ensure accuracy in updating the appropriate account
PAYER ID: SUBMITTER ID: 1 Provider Organization Practice/ Facility Name Change Healthcare CLAIMS Provider Information Form *This form is to ensure accuracy in updating the appropriate account Provider
More informationVersion v November 2015
Service Description HPE Project and Portfolio Management on Software-as-a- Service Version v2.0 26 November 2015 This Service Description describes the components and services included in HPE Project and
More informationCertified Recovery Peer Advocate Application
Certified Recovery Peer Advocate Application A Project of Alcoholism & Substance Abuse Providers of New York State, Inc. 11 North Pearl Street, Suite 801 Albany, NY 12207 Phone: 518.426.3122 x 101 Candidate
More informationIBM Managed Security Services - Vulnerability Scanning
Service Description IBM Managed Security Services - Vulnerability Scanning This Service Description describes the Service IBM provides to Client. 1.1 Service IBM Managed Security Services - Vulnerability
More information