User Access Control Policy

Introduction
This policy provides a framework for how user accounts and privileges are created, managed, and deleted.
It covers how new users are authorized and granted appropriate privileges, how those privileges are reviewed and revoked when necessary, and the controls that prevent users from obtaining access or privileges they are not authorized to hold.
Scope
This policy applies to:
All employees and suppliers who have access to the Azuin and Pensions information and information systems.
Information systems and services in program, project, and operational business areas.
Some access roles require stronger controls than those applied to standard users; these are identified in the Definitions below.
Definitions
Privileged Users
A privileged user is a user who has an elevated level of access to a network, computer system, or application and is authorized to perform functions that standard users are not authorized to perform.
This includes a standard user who has been granted approved elevated privileges that give access equivalent to that of a privileged user.

Users
The collective term for everyone who has access to the Azuin’s information and information systems, as set out in the Scope of this policy.
Policy Statements
Principle of Least Privilege
Access must be allocated on the basis of business need and the principle of Least Privilege. Users must be granted only the minimum access rights and permissions to systems, services, information, and resources that they need to fulfill their business role, and nothing more.
User Access Account Management
User account management procedures must be implemented for user registration, modification, and de-registration on all DWP information systems.
These procedures must also include processes for identifying redundant and inactive accounts and removing or disabling them.
Every addition, deletion, suspension, and modification of a user’s access must be captured in an audit log that records what was changed, who made the change, and when.
These procedures shall be implemented only by suitably trained and authorized employees.
Access control standards must be established for all information systems, at an appropriate level for each system, that minimize information security risk while allowing the organization’s business activities to be carried out without undue hindrance.
A review period will be determined for each information system and access control standards will be reviewed regularly at those intervals.
All access to DWP information systems must be controlled by an approved authentication method that verifies the user’s identity, using at minimum a unique user ID and password combination.
Users will normally be limited to only one user account for each individual information system for non-administrative purposes. Any variations from this policy must be authorized by the Senior Responsible Owner (SRO) or, where applicable, the Authority.
Every user shall have a user ID for their sole use when accessing computing services. Each user ID must be unique to one individual and must never be shared, duplicated, or reassigned to another user.
Any user account that has not been accessed for an agreed period must be automatically disabled, unless an exception has been arranged in advance.
All administrator and privileged user accounts must be based on job function and authorized by the SRO or, where applicable, the Authority, prior to access being given.
All changes to privileged accounts must be logged and regularly reviewed.
Procedures shall be established for all information systems to ensure that users’ access rights are adjusted appropriately and in a timely manner whenever there is a change in business need, a user changes role, or a user leaves the organization.
Users’ access rights will be reviewed at regular intervals no longer than annually.
Access to systems by individual users must be authorized by their manager or where applicable, the Authority.
Monitoring User Access
Systems must be capable of logging events that are relevant to detecting potential breaches of security, and those logs must be retained so that they are available for review and investigation.
User access will be subject to management checks.
Responsibilities
Senior Responsible Owner (SRO)
SROs are responsible for ensuring that the requirements of this policy are implemented within any program, project, system, or service for which they are responsible.
The SRO is responsible for ensuring that a robust checking regime is in place and complied with to ensure that legitimate user access is not abused.
The SRO may delegate responsibility for the implementation of the policy but retains ultimate accountability for the policy and associated checking regime.
Any non-compliance with this policy must be supported by a documented and evidence-based risk decision accepted by the SRO.

IT Support Teams
IT Support Teams are responsible for granting access to systems as described in local work instructions, or by applying the Role-Based Access Control Matrix, in accordance with the relevant procedures.
IT Support Teams must evaluate and, where necessary, challenge access requests and approvals to identify any obvious anomalies in the access levels requested or granted, rather than provisioning them unquestioned.
Users
Users must use business systems only for legitimate purposes required by their job, and in accordance with the procedures for those systems.