Access Management Policy

Introduction

Catalyst intends to maintain control over the appropriate levels of access to its resources.

Scope

This policy will govern resources and access. All users are included in the scope.

Roles

Requestors may request changes for their own or another user's account subject to the approval of the Business Owner.

Operators are responsible for executing grants and revokes of access, but Operators do not have the authority to approve user access changes.

One individual should fulfill at most two of the following three access roles: Requestor, Operator, and Business Owner (Approver).

Policy

Catalyst operates on the principle of least privilege: access is granted only to the information and resources that are necessary for a user's legitimate purpose.

All Access Changes

All Access Changes must be documented requests using the company ticketing system and submitted according to the current company process.

Granting Access to Resources

Access "grants" are defined as applying new permissions to an account that will allow access to a resource. Approved access is implemented by Operators of the resource.

  • Access to a resource can only be granted by the defined Business Owner.
  • All resource grants must have a valid business purpose and should specify a time frame for the access: indefinite or temporary.
  • Access Grants are submitted by an individual's supervisor or higher, or through a documented procedure showing supervisor approval.

Revoking Access to Resources

To revoke access is to remove a user's privilege to access a resource.

  • Access revokes do not need Business Owner approval.
  • User Departures: access to critical resources must be revoked within one business day of a voluntary termination and at the time of exit for non-voluntary terminations.

Compliance

Access audits will be conducted as part of the Risk Management program, and exceptions will be reviewed for remediation opportunities.

Violations of the policy will be met with corrective action and carry the possibility of disciplinary action up to, and including, termination.

Department Directors are responsible for the regular oversight of their department's access management participation and documentation.

Exceptions

Exceptions should be well documented and approved by the SCC where possible.

Colophon

Owner: Security and Compliance Committee

$Date: 2018-08-13 08:10:47 -0600 (Mon, 13 Aug 2018) $

$Revision: 469664 $
