
Federal Electricity & Water Authority (FEWA) -

Ajman
Information Security Management System

Access Control Policy


Version 1.10

Approved by:
Abdullatif Galadari <date of approval>
Information Technology Director
Document review and approval
Revision history
Version | Author | Date | Revision
1.0 | Neha Vyas | 12th May 2014 | Document Created
1.1 | Somaya AlWejdani | 23rd June 2014 | Review and Update
1.2 | Huda Al Hammadi | 17th July 2014 | Review
1.3 | Somaya AlWejdani | 21st July 2014 | Review and Update
1.4 | Abhinav Srinivasaraghavan | 23rd Nov 2014 | Reviewed & Updated
1.5 | Abhinav Srinivasaraghavan | 11th Jan 2015 | New content added
1.6 | Abhinav Srinivasaraghavan | 14th April 2015 | Revised
1.7 | Abhinav Srinivasaraghavan | 14th May 2015 | Revised
1.8 | Sara Saif, Suresh Kumar | 08th June 2016 | Revised
1.9 | Huda Ali | 08th June 2016 | Final
1.10 | Huda Ali | 7th Aug 2016 | Added the responsibility of users

This document has been approved by

Version | Name | Signature | Date reviewed
1.1 | Abdullatif Galadari (IT Director) | | 1/10/2014
1.2 | Abdullatif Galadari (IT Director) | | 09-June-2016
1.10 | Abdullatif Galadari (IT Director) | | 11th August-2016

FEWA Internal
Page 2 of 13 Version 1.10
Table of Contents
1 PURPOSE ..... 4
2 SCOPE ..... 4
3 DEFINITIONS & ABBREVIATIONS ..... 4
4 ROLES AND RESPONSIBILITIES ..... 4
5 ACCESS CONTROL POLICY ..... 5
5.1 ASSIGNMENT / MODIFICATION OF USER RIGHTS ..... 6
5.2 APPLICATION AND SYSTEM ACCESS CONTROL ..... 7
5.3 REVOCATION OF USER ACCESS RIGHTS ..... 8
5.4 REVIEW OF USER ACCESS RIGHTS ..... 9
5.5 NETWORK ACCESS CONTROL ..... 9
6 COMPLIANCE ..... 13
7 RELATED DOCUMENTS ..... 13

1 Purpose

The purpose of this Access Control Policy is to define rules to ensure that user access rights
are allocated in accordance with the business and security requirements for access, and that
all access that takes place is managed in a secure manner.

2 Scope
This policy applies to all FEWA employees, contractors, consultants and temporary staff
hereafter referred to as users.

3 Definitions & Abbreviations

Term | Definition
ISMS | Information Security Management System
CISO | Chief Information Security Officer
Asset | All information at FEWA that has value to the organization, including people, software, services, information in hardcopy and softcopy, and IT infrastructure.
Access Rights | Privilege provided to a user to perform tasks on any system, application or information. This is based on the user's role in the organization.
Privileged User | A user ID with higher user rights than a normal user ID such as a workstation ID. Privileged user IDs are normally used for administrative purposes by administrators as well as system owners.

4 Roles and Responsibilities

Role | Responsibilities
IT Director | Review and approval of documents
CISO | Ensure compliance with the physical and environmental policy
HR and Services Department | Assist in implementing and enforcing the policy
Users | All users are responsible for reading, understanding and adhering to this policy in their day-to-day activities

5 Access Control Policy

This Access Control Policy shall ensure that access to information, information processing
facilities, and business processes are controlled on the basis of business and security
requirements in FEWA.

a) Appropriate access control mechanisms shall be implemented to ensure that only
authorized employees for authorized purposes have access to corporate
information and systems.
b) Access to all FEWA premises, information, IT service or infrastructure shall be limited
to authorized users for authorized purpose only.
c) The physical access control at the main site is controlled by identifying visitors at the
entry point and having them accompanied whenever they are in FEWA premises.
d) Users that have been granted remote access shall comply with the Teleworking
Policy.
e) Access to FEWA Information systems and networks shall display a log-on warning
banner prior to user identification and authentication to deter unauthorized access.
f) Access to FEWA information systems and networks shall not display any help
messages during the log-on procedure to prevent the leakage of information to
unauthorized users.
g) The user ID shall be locked after a minimum of 5 unsuccessful log-on attempts as
per the guidelines mentioned in the User Password Policy.
h) Mechanisms to restrict the idle connection time to a corporate system (automatic
timeout) shall be in place.
i) The log-on process and unsuccessful attempts shall be logged. Formal records of all
access rights shall be maintained.
j) Logging of users' activities while working with corporate systems shall be enabled.
k) Appropriate security controls shall be enforced in order to monitor user access rights
to corporate systems and applications.
l) Fail Secure Behavior: if a certain component, hardware or software of an
information-processing system malfunctions and/or the system fails, it shall not
grant uncontrolled access to users by default.

o If an access control system or a critical server malfunctions, it shall not allow any
access to users unless restored to normal operation.
o In the event of a failure or malfunction, a firewall or intrusion prevention system
(IPS) shall not allow any communication to pass through in an uncontrolled manner
and shall block all access attempts until it is restored.

5.1 Assignment / Modification of User Rights


5.1.1 Logical access shall be based on the premise "everything is generally forbidden unless
expressly permitted". User rights shall be granted using the least-privilege
methodology, based on business need and security requirements.
5.1.2 All users shall be identified and authenticated uniquely prior to granting the
appropriate system access.
5.1.3 Access shall only be granted, changed or removed in response to a formal request
approved by the CISO.
5.1.4 Third-party access to FEWA's information-processing facilities shall be detailed in a
formal contract prior to issuing any access rights (refer to the Supplier & Third Party
Security Policy).
5.1.5 Where many users are involved, standard user access profiles for specific jobs shall
be created.
5.1.6 User access rights shall be reviewed at least every 6 months. Privileged access rights
shall be reviewed every 3 months to ensure that all are authorized and remain
appropriate and that no unauthorized privileges have been gained.
5.1.7 Access to and use of system utilities/programs that might be capable of overriding
system and application controls shall be restricted and tightly controlled.
5.1.8 Network access is controlled in accordance with the Operations Security Policy.
5.1.9 Access to FEWA applications and information systems shall apply the guidelines
described in the User Password Policy.
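The following Python script is an added illustration of how the controls in section 5 (items g, i and l) and clause 5.1.1 combine in one access decision component: explicit grants with everything else denied, a lock after 5 unsuccessful log-on attempts, denial whenever the store of access rights malfunctions, and an audit record of every decision. It is not FEWA's code; the class name, the grants table, and the constructed user and resource names are assumptions made for this example.

```python
"""Default-deny, fail-secure access decisions with log-on lockout and audit logging.

Added example for section 5 (g, i, l) and clause 5.1.1; not FEWA's own code.
AccessController, the grants table and the sample names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

# Section 5 g): lock the user ID after 5 unsuccessful log-on attempts.
LOCKOUT_THRESHOLD = 5

Grants = Dict[Tuple[str, str], FrozenSet[str]]
Backend = Callable[[str, str], FrozenSet[str]]


@dataclass
class AccessController:
    # Explicit grants keyed by (user_id, resource). Anything absent is forbidden,
    # which is the "forbidden unless expressly permitted" premise of 5.1.1.
    grants: Grants = field(default_factory=dict)
    failed_attempts: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)
    audit_log: List[str] = field(default_factory=list)  # section 5 i) and j)

    def record_logon(self, user_id: str, success: bool) -> bool:
        """Record a log-on attempt; return True only if the session may start."""
        if user_id in self.locked:
            self.audit_log.append(f"LOGON DENIED user={user_id} reason=locked")
            return False
        if success:
            self.failed_attempts[user_id] = 0
            self.audit_log.append(f"LOGON OK user={user_id}")
            return True
        count = self.failed_attempts.get(user_id, 0) + 1
        self.failed_attempts[user_id] = count
        self.audit_log.append(f"LOGON FAILED user={user_id} attempt={count}")
        if count >= LOCKOUT_THRESHOLD:
            self.locked.add(user_id)
            self.audit_log.append(f"LOCKED user={user_id}")
        return False

    def _lookup(self, user_id: str, resource: str) -> FrozenSet[str]:
        # Missing entry -> empty set of rights -> every request is denied.
        return self.grants.get((user_id, resource), frozenset())

    def authorize(self, user_id: str, resource: str, right: str,
                  backend: Optional[Backend] = None) -> bool:
        """Decide whether user_id may exercise `right` on `resource`.

        `backend` stands in for the directory or database that holds the rights;
        if it malfunctions the answer is deny (fail-secure behaviour, section 5 l).
        """
        if user_id in self.locked:
            self.audit_log.append(f"DENY user={user_id} res={resource} reason=locked")
            return False
        lookup = backend or self._lookup
        try:
            rights = lookup(user_id, resource)
        except Exception as exc:  # any malfunction must not grant access
            self.audit_log.append(
                f"DENY user={user_id} res={resource} reason=backend-error:{exc}")
            return False
        allowed = right in rights
        verdict = "ALLOW" if allowed else "DENY"
        self.audit_log.append(f"{verdict} user={user_id} res={resource} right={right}")
        return allowed


def demo() -> List[str]:
    """Constructed walk-through: one explicit grant, a backend failure, a lockout."""
    ac = AccessController(grants={("alice", "billing-db"): frozenset({"read"})})
    ac.authorize("alice", "billing-db", "read")   # allowed: explicitly granted
    ac.authorize("alice", "billing-db", "write")  # denied: right not granted
    ac.authorize("bob", "billing-db", "read")     # denied: no entry at all

    def broken_directory(user_id: str, resource: str) -> FrozenSet[str]:
        raise RuntimeError("directory unavailable")

    ac.authorize("alice", "billing-db", "read", backend=broken_directory)  # fail secure
    for _ in range(LOCKOUT_THRESHOLD):
        ac.record_logon("alice", success=False)
    ac.authorize("alice", "billing-db", "read")   # denied: user ID is locked
    return ac.audit_log


if __name__ == "__main__":
    for line in demo():
        print(line)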

5.2 Application and System Access Control

5.2.1 Access to applications shall reflect the requirements for each business application
and shall not conflict with the defined user access rights.
5.2.2 User access rights shall be controlled, e.g. read, write, delete and execute.
5.2.3 Only minimal system information shall be disclosed during the log-on process, and the
system or application details shall not be displayed until the successful completion of
the log-on process.
5.2.4 Access to applications shall be limited to authorized users and normal business hours.
5.2.5 Any error messages during the log-on process shall not be suggestive of the type or
kind of error that occurred during the log-on process.
5.2.6 Applications and systems shall not display system or application identifiers before
the log-on process has been completed.

Access to program source code and associated items shall be strictly controlled
through the following:

a) Program source libraries shall be separated from the operational systems.

b) The program source code and libraries shall be managed and controlled through
the checklist for source code review document.

c) Only authorized personnel shall perform any updates and/or changes on the
program source libraries.

d) Logging of users' activities while working on the program source code shall be
enabled and securely maintained.

e) Integrity of the program source code shall be considered prior to any publishing
activity, if required.

5.2.7 The use of utility programs by FEWA users shall be restricted, unnecessary programs
shall be disabled, and their use shall follow authorization procedures.
5.2.8 For all secret authentication keys used in FEWA the following shall be considered:

a) Keep the secret authentication information confidential, ensuring that it is not
divulged to any other parties, including people of authority.

b) Avoid keeping a record (e.g. on paper, software file or hand-held device) of secret
authentication information, unless this can be stored securely and the method of
storing has been approved.

c) Change secret authentication information whenever there is any indication of its
possible compromise.

5.2.9 When passwords are used as secret authentication information, select quality
passwords with a sufficient minimum length and the following characteristics:

a) Easy to remember.

b) Not based on anything somebody else could easily guess or obtain using personal
information, e.g. names, telephone numbers, dates of birth, etc.

c) Not vulnerable to dictionary attacks, i.e. they do not consist of words from the dictionary.

d) Free of consecutive identical, all-numeric or all-alphabetic characters.

e) Changed at first log-on if temporary.

5.2.10 Individual users' secret authentication information shall not be shared.

5.2.11 Ensure proper protection of passwords when passwords are used as secret
authentication information in an automated log-on procedure or are stored.
5.2.12 Avoid using the same secret authentication information for business and non-business
purposes.

5.3 Revocation of User Access Rights

5.3.1 In cases where users are undergoing a disciplinary hearing or are being dismissed due
to misconduct, the CISO, in consultation with HR, must assess whether the person's
continued access to systems or offices during the notice period constitutes a security
risk.
5.3.2 If continued access poses a risk, access to buildings and systems must be withdrawn
with immediate effect.
5.3.3 User access shall be removed within 10 days of a user changing job function or
leaving FEWA.

5.4 Review of User Access Rights

5.4.1 A periodic review shall be conducted of all corporate systems to ensure that:

a) Allocation of access rights is appropriate to the user's need to know and
business and/or operational requirements.

b) Users with remote access are authorized.

c) There are no unused, inactive, redundant or expired user accounts in the systems.

5.4.2 Reviews of user access rights shall be conducted for the following reasons:

a) To comply with the established frequency mentioned above (5.1.6).

b) As a result of changes in employees' job functions, e.g. promotion, removal from
a user group, re-assignment, transfer, etc.

c) As part of a major reorganization or the introduction of new technology or
applications.

d) When the Access Control Policy is changed.

5.5 Network Access Control

5.5.1 Users' (remote) network access rights shall be granted based on a valid business
justification along with the necessary approval, and shall be maintained and revoked in
accordance with the Access Control Policy.
5.5.2 All external requests for accessing FEWA systems, networks or applications shall be
approved by CISO.
5.5.3 Information service, information systems and users shall be segregated into separate
logical domains as shown in Table 1.
5.5.4 Security controls shall be deployed controlling information flow and access among
interconnected domains as shown in Table 1.
5.5.5 All users accessing FEWA systems, networks or applications remotely, e.g. from an
approved off-site location, shall comply with all sections of the Information Systems
Security Policies and be subject to the same access controls and authentication
controls as if they were accessing the network from within FEWA premises.
5.5.6 Information flow and access domains shall be controlled and restricted according to
business needs.
5.5.7 Internal network access shall be restricted either by using virtual private networks for
authorized user groups or by filtering traffic between these domains and blocking
unauthorized access.
5.5.8 Routing controls shall be based on positive source and destination address checking
mechanisms.
5.5.9 Dedicated private lines or secure Virtual private networks (VPN) shall be used to
provide assurance of the source of connection.
5.5.10 Wireless networks shall be authorized, authenticated, encrypted and permitted only
for approved locations.
5.5.11 Individual VLANs shall be used in the data center and departments at FEWA to
segregate the network.
5.5.12 Servers that are storing, processing or transmitting confidential information shall be
separated from other servers using suitable firewall segmentations.
5.5.13 Production environment shall be separated from the test environment using suitable
firewall segmentations.
5.5.14 Access between the segregated network segments shall be appropriately controlled.
5.5.15 Access to shared folders shall only be authorized to limited users for specific business
purposes.
5.5.16 Network clock time shall be synchronized across all network devices, security
devices, desktops and servers using an NTP server.
5.5.17 All network devices and servers shall be secured as per their respective Hardening
document.
5.5.18 Implementation or change of interconnections requires a risk assessment and
adequate selection of controls.
5.5.19 All network access rights shall be reviewed periodically: for normal users every 6
months and for privileged users every 3 months.

Table 1: Logical domains (connect from: rows; to: columns)

To: Intranet (wired) | Intranet (wireless) | Extranet (wired) | Other networks (wired) | Internet (wired) | Internet (wireless)

Internal network
Intranet (wired) | cells recovered: X (blocked), IPSec VPN, GPRS
Intranet (wireless) | X (blocked) | X (blocked) | X (blocked) | X (blocked) | X (blocked) | X (blocked)

External network
Extranet (wired) | IPSec | X (blocked) | - | - | -
Other networks (wired) | VPN | X (blocked) | - | - | - | -
Internet (wired) | SSL Encryption | X (blocked) | - | - | - | -
Internet (wireless) | GPRS | X (blocked) | - | - | - | -

6 Compliance

All users shall comply with this policy. In case of a breach or violation of this policy, the user shall
be subjected to investigation and disciplinary action supervised by HR. HR disciplinary
actions and procedures apply. Violations shall be reported directly to IT Support and HR.
Strict confidentiality shall be maintained on all reported violations.

7 Related Documents
FEWA_ISMS_User Password Policy
FEWA_ISMS_Teleworking Policy
FEWA_ISMS_Supplier and Third Party Policy
FEWA_ISMS_Operations Security Policy
FEWA_ISMS_Information Systems Security Policy
