Policy

Information Management, Privacy and Security

Effective Date: 21 Feb 2018 | Revised: 18 June 2024

User Access Management Policy

1. Introduction

The User Access Management Policy at Igile Technologies India Pvt Ltd outlines the guidelines and procedures for managing user access to systems, applications, and data. This policy ensures that access rights are appropriately granted, monitored, and revoked to protect the confidentiality, integrity, and availability of our information assets.

2. Purpose

The purpose of this policy is to define the requirements for:

3. Scope

This policy applies to all employees, contractors, and third-party service providers who require access to Igile Technologies' systems, applications, and data.

4. User Onboarding/Deboarding Process

4.1 User Onboarding

Request and Approval: Access requests must be submitted through a formal request process. The request should include the user's role, access needs, and the duration of access. Requests must be approved by the user's manager and the IT security team.

Account Creation: Upon approval, the IT department will create user accounts in the necessary systems and applications. Default passwords will be generated and must be changed upon first login.

Role-Based Access Control (RBAC): Access rights will be assigned based on the user's role and job responsibilities. Users will be granted the minimum level of access required to perform their duties.

Access Review: Access rights will be reviewed periodically to ensure they are still appropriate. Any discrepancies will be addressed promptly.

4.2 User Deboarding

Notification and Request: When an employee leaves the company or no longer requires access, the HR department will notify the IT department. A formal request for deactivation will be initiated.

Account Deactivation: The IT department will deactivate user accounts and revoke access rights across all systems and applications. This will be done immediately upon notification or on the user's last working day.

Data Retention and Transfer: Prior to deactivation, any necessary data or files owned by the user will be transferred to the appropriate personnel or archived according to data retention policies.

5. User Access Control Policy

Access Levels: Access rights will be granted based on a need-to-know and least privilege principle. Users will only have access to the resources necessary for their job functions.

Access Requests: All access requests must be formally documented and approved. Unauthorized access requests will be rejected.

Access Modifications: Changes to access rights, including additions, modifications, or removals, must be approved by the appropriate authority and documented.

Periodic Reviews: User access will be reviewed periodically to ensure that it aligns with current job roles and responsibilities. Access will be adjusted or revoked as necessary.

6. Access Logging and Monitoring Policy

Logging: All access to critical systems and data will be logged. Logs will include details of user identity, access times, and resources accessed.

Monitoring: Access logs will be monitored continuously for unusual or unauthorized activities. Alerts will be generated for any suspicious access patterns.

Log Retention: Access logs will be retained for a period defined by regulatory requirements and company policy. Logs will be securely stored to prevent tampering or unauthorized access.

Incident Response: Any suspected breaches or anomalies detected through access logs will be investigated promptly. Incident response procedures will be followed to address and mitigate any issues.

7. Password Policy

Password Creation: Passwords must be complex, containing a mix of upper-case and lower-case letters, numbers, and special characters. Password length must be a minimum of 12 characters.

Password Change: Passwords must be changed every 90 days. Users will be prompted to change their passwords before the expiration period.

Password Storage: Passwords must be stored in a hashed and salted format. Plain-text storage of passwords is prohibited.

Password Sharing: Password sharing is strictly prohibited. Each user must use their unique credentials to access systems and applications.

Password Recovery: Password recovery procedures must include secure authentication mechanisms to verify the user's identity before allowing password resets.

Multi-Factor Authentication (MFA): MFA will be implemented for accessing critical systems and sensitive data. Users must provide additional authentication factors beyond just a password.

8. Responsibilities

IT Security Team: Responsible for implementing and enforcing this policy, managing access controls, and conducting periodic access reviews.

HR Department: Responsible for notifying the IT department of any changes in employment status and managing the onboarding and offboarding processes.

Managers: Responsible for approving access requests and ensuring that users only have the necessary access to perform their job functions.

Users: Responsible for following the access control policies, maintaining the confidentiality of their passwords, and reporting any security incidents or concerns.

9. Compliance and Enforcement

Non-compliance with this policy may result in disciplinary action, up to and including termination of employment. Regular audits will be conducted to ensure adherence to this policy.

10. Review and Revision

This policy will be reviewed annually and updated as necessary to reflect changes in regulatory requirements, organizational needs, and technological advancements.