Ajman
Information Security Management System
Approved by:
Abdulltatif Galadari <date of approval>
Information Technology Director
Document review and approval
Revision history
Version | Author                    | Date            | Revision
1.0     | Neha Vyas                 | 12th May 2014   | Document Created
1.1     | Somaya AlWejdani          | 23rd June 2014  | Review and Update
1.2     | Huda Al Hammadi           | 17th July 2014  | Review
1.3     | Somaya AlWejdani          | 21st July 2014  | Review and Update
1.4     | Abhinav Srinivasaraghavan | 23rd Nov 2014   | Reviewed & Updated
1.5     | Abhinav Srinivasaraghavan | 11th Jan 2015   | New content added
1.6     | Abhinav Srinivasaraghavan | 14th April 2015 | Revised
1.7     | Abhinav Srinivasaraghavan | 14th May 2015   | Revised
1.8     | Sara Saif, Suresh Kumar   | 08th June 2016  | Revised
1.10    | Huda Ali                  | 7th Aug 2016    | Added the responsibility of users
FEWA Internal
Page 2 of 13 Version 1.10
Table of Contents
1 PURPOSE ........ 4
2 SCOPE ........ 4
3 DEFINITIONS & ABBREVIATIONS ........ 4
4 ROLES AND RESPONSIBILITIES ........ 4
5 ACCESS CONTROL POLICY ........ 5
5.1 ASSIGNMENT / MODIFICATION OF USER RIGHTS ........ 6
5.2 APPLICATION AND SYSTEM ACCESS CONTROL ........ 7
5.3 REVOCATION OF USER ACCESS RIGHTS ........ 8
5.4 REVIEW OF USER ACCESS RIGHTS ........ 9
5.5 NETWORK ACCESS CONTROL ........ 9
6 COMPLIANCE ........ 13
7 RELATED DOCUMENTS ........ 13
1 Purpose
The purpose of this Access Control Policy is to define rules to ensure that user access rights
are allocated in accordance with the business and security requirements for access, and that
all access that takes place is managed in a secure manner.
2 Scope
This policy applies to all FEWA employees, contractors, consultants and temporary staff,
hereafter referred to as users.
3 Definitions & Abbreviations
Term            | Definition
ISMS            | Information Security Management System
CISO            | Chief Information Security Officer
Asset           | All information at FEWA that has value to the organization, including people, software, services, information in hardcopy and softcopy, and IT infrastructure.
Access Rights   | Privilege provided to a user to perform tasks on any system, application or information. This is based on the user's role in the organization.
Privileged User | A user ID with higher user rights compared to a normal user ID such as a workstation ID. Privileged user IDs are normally used for administrative purposes by administrators as well as system owners.
4 Roles and Responsibilities
Role                       | Responsibilities
IT Director                | Review and approval of documents
CISO                       | Ensure compliance to the physical and environmental policy
HR and Services Department | Assist in implementing and enforcing the policy.
Users                      | All users are responsible to read, understand and
5 Access Control Policy
This Access Control Policy shall ensure that access to information, information processing
facilities, and business processes is controlled on the basis of business and security
requirements in FEWA.
o If an access control system or a critical server malfunctions, it shall not allow any
access to users unless restored to normal operation.
o In the event of a failure or malfunction, a firewall or intrusion prevention system
(IPS) shall not allow any communication to pass through in an uncontrolled manner
and shall block all access attempts until it is restored.
5.2 Application and System Access Control
5.2.1 Access to applications shall reflect the requirements for each business application
and shall not conflict with the defined user access rights.
5.2.2 User access rights shall be controlled, e.g. read, write, delete and execute.
5.2.3 Only minimal system information shall be disclosed during the log-on process, and the
system or application details shall not be displayed until the successful completion of
the log-on process.
5.2.4 Access to applications shall be limited to authorized users and normal business hours.
5.2.5 Any error messages during the log-on process shall not be suggestive of the type or
kind of error that occurred during the log-on process.
5.2.6 Applications and systems shall not display system or application identifiers before
the log-on process has completed.
a) Access to program source code and associated items shall be strictly controlled
through the following:
c) The program source code and libraries shall be managed and controlled through
the checklist for source code review document.
d) Only authorized personnel shall perform any updates and/or changes on the
program source libraries.
e) Logging of users activities while working on the program source code shall be
enabled and securely maintained.
f) Integrity of the program source code shall be considered prior to any publishing
activity, if required.
5.2.7 The use of utility programs by FEWA users shall be restricted, unnecessary programs
shall be disabled, and their use shall follow the authorization procedures.
5.2.8 For all secret authentication keys used in FEWA the following shall be considered:
b) Avoid keeping a record (e.g. on paper, software file or hand-held device) of secret
authentication information, unless this can be stored securely and the method of
storing has been approved.
5.2.9 When passwords are used as secret authentication information, select quality
passwords with sufficient minimum length and the following characteristics:
a) Easy to remember
b) Not based on anything somebody else could easily guess or obtain using personal
information, e.g. names, telephone numbers, dates of birth, etc.
c) Not vulnerable to dictionary attacks, i.e. not consisting of words from the dictionary.
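The three mechanically testable parts of 5.2.9 (minimum length, not based on personal information, not a dictionary word) as a screening function. This is an added example, not FEWA's own tooling: the minimum length of 12, the word list and the personal details are constructed assumptions; "easy to remember" is left to the user.

```python
"""Password-quality screen for policy 5.2.9 (added example; word list and user data are constructed)."""
import re

# Constructed stand-in word list; a deployment would load a full dictionary file.
DICTIONARY = {"password", "welcome", "summer", "electricity", "water", "admin"}

# Common symbol/digit substitutions that do not defeat a dictionary attack.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s"})


def _core(password: str) -> str:
    """Lower-case, undo leet substitutions, drop non-letters: 'W3lc0me_2016!' -> 'welcomeoi'."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def personal_tokens(info: dict) -> list:
    """Fragments of personal details (name parts, phone groups, date parts) of 3+ characters."""
    tokens = set()
    for value in info.values():
        for part in re.split(r"[\s\-/.]+", value.lower()):
            if len(part) >= 3:
                tokens.add(part)
    return sorted(tokens)


def check_password(password: str, info: dict, min_length: int = 12) -> list:
    """Return the problems found; an empty list means the password passes the checks."""
    problems = []
    if len(password) < min_length:                      # assumed minimum of 12 characters
        problems.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    for tok in personal_tokens(info):                   # 5.2.9 b)
        if tok in lowered:
            problems.append(f"based on personal information: '{tok}'")
    core = _core(password)                              # 5.2.9 c)
    hits = [w for w in DICTIONARY if w == core or (len(w) >= 5 and w in core)]
    if hits:
        problems.append(f"dictionary word(s): {', '.join(sorted(hits))}")
    return problems


# Constructed user record used to seed the personal-information check.
USER_INFO = {"name": "Huda Ali", "phone": "050-123-4567", "dob": "07/08/1985"}

if __name__ == "__main__":
    for candidate in ("Huda1985!!", "Welcome2016!", "Qx7!vZ2#pLm9rT"):
        print(candidate, "->", check_password(candidate, USER_INFO) or "ok")
```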
5.3 Revocation of User Access Rights
5.3.1 In cases where users are undergoing a disciplinary hearing or are being dismissed due
to misconduct, the CISO, in consultation with HR, must assess whether the person's
continued access to systems or offices during the notice period constitutes a security
risk.
5.3.2 If continued access poses a risk, access to buildings and systems must be withdrawn
with immediate effect.
5.3.3 User access shall be removed within 10 days when a user changes job function or
leaves FEWA.
5.4 Review of User Access Rights
5.4.1 A periodic review shall be conducted of all corporate systems to ensure that:
c) There are no unused, inactive, redundant or expired user accounts in the systems.
5.4.2 Reviews of user access rights shall be conducted for the following reasons:
5.5 Network Access Control
5.5.1 Users' (remote) network access rights shall be granted based on a valid business
justification along with the necessary approval, and shall be maintained and revoked in
accordance with the Access Control Policy.
5.5.2 All external requests for accessing FEWA systems, networks or applications shall be
approved by CISO.
5.5.3 Information service, information systems and users shall be segregated into separate
logical domains as shown in Table 1.
5.5.4 Security controls shall be deployed controlling information flow and access among
interconnected domains as shown in Table 1.
5.5.5 All users accessing FEWA systems, networks or applications remotely, such as from an
approved off-site location, shall comply with all sections of the Information Systems
Security Policies and be subject to the same access controls and authentication
controls as if they were accessing the network from within FEWA premises.
5.5.6 Information flow and access domains shall be controlled and restricted according to
business needs.
5.5.7 Internal network access shall be restricted either by using virtual private networks for
authorized user groups or by filtering traffic between these domains and blocking
unauthorized access.
5.5.8 Routing controls shall be based on positive source and destination address checking
mechanisms.
5.5.9 Dedicated private lines or secure Virtual private networks (VPN) shall be used to
provide assurance of the source of connection.
5.5.10 Wireless networks shall be authorized, authenticated, encrypted and permitted only
for approved locations.
5.5.11 Individual VLANs shall be used in the data center and departments at FEWA to
segregate the network.
5.5.12 Servers that are storing, processing or transmitting confidential information shall be
separated from other servers using suitable firewall segmentations.
5.5.13 Production environment shall be separated from the test environment using suitable
firewall segmentations.
5.5.14 Access between the segregated network segments shall be appropriately controlled.
5.5.15 Access to shared folders shall only be authorized to limited users for specific business
purposes.
5.5.16 Network clock time shall be synchronized with all the network devices, security
devices, desktops and servers using NTP server.
5.5.17 All network devices and servers shall be secured as per their respective Hardening
document.
5.5.18 Implementation or change of interconnections requires a risk assessment and
adequate selection of controls.
5.5.19 All network access rights shall be reviewed periodically: for normal users every 6
months and for privileged users every 3 months.
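A periodic access review that applies 5.4.1 c) (no unused, inactive, redundant or expired accounts) and 5.5.19 (rights reviewed every 6 months for normal users, every 3 months for privileged users) to an account inventory. This is an added example, not FEWA's own tooling: the account records and review date are constructed, months are approximated as 30 days, and the 90-day inactivity threshold is an assumption the policy does not state.

```python
"""Access-rights review for 5.4.1 c) and 5.5.19 (added example; records and thresholds are constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    user: str
    privileged: bool
    created: date
    last_login: Optional[date]    # None = never used
    expires: Optional[date]       # None = no expiry set
    last_review: Optional[date]   # None = rights never reviewed


INACTIVE_DAYS = 90                          # assumed: no login for 90 days counts as inactive
REVIEW_DAYS = {True: 90, False: 180}        # privileged: 3 months, normal: 6 months (30-day months)


def review_accounts(accounts, today: date) -> list:
    """Return (user, reason) pairs for every account that needs action under 5.4.1 c) or 5.5.19."""
    findings = []
    for a in accounts:
        window = timedelta(days=INACTIVE_DAYS)
        if a.last_login is None and today - a.created > window:
            findings.append((a.user, "unused: never logged in"))
        elif a.last_login is not None and today - a.last_login > window:
            findings.append((a.user, f"inactive for {(today - a.last_login).days} days"))
        if a.expires is not None and a.expires < today:
            findings.append((a.user, f"expired on {a.expires.isoformat()}"))
        limit = timedelta(days=REVIEW_DAYS[a.privileged])
        if a.last_review is None or today - a.last_review > limit:
            kind = "privileged" if a.privileged else "normal"
            findings.append((a.user, f"rights review overdue ({kind}, every {limit.days} days)"))
    return findings


TODAY = date(2016, 8, 7)   # constructed review date
SAMPLE_ACCOUNTS = [        # constructed inventory
    Account("svc_backup", True, date(2015, 1, 10), date(2016, 8, 1), None, date(2016, 3, 1)),
    Account("contractor7", False, date(2016, 1, 5), date(2016, 4, 1), date(2016, 6, 30), date(2016, 6, 1)),
    Account("h.ali", False, date(2014, 5, 12), date(2016, 8, 5), None, date(2016, 5, 1)),
    Account("temp_intern", False, date(2016, 3, 1), None, None, None),
]

if __name__ == "__main__":
    for user, reason in review_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"{user}: {reason}")
```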
Table 1 - Logical domains

Connect from \ to      | Intranet (wired) | Intranet (wireless) | Extranet (wired) | Other networks (wired) | Internet (wired) | Internet (wireless)
Internal network       |                  |                     |                  |                        |                  |
Intranet (wired)       | -                | X (blocked)         | IPSec            | VPN                    |                  | GPRS
Intranet (wireless)    | X (blocked)      | X (blocked)         | X (blocked)      | X (blocked)            | X (blocked)      | X (blocked)
External network       |                  |                     |                  |                        |                  |
Extranet (wired)       | IPSec            | X (blocked)         | -                | -                      | -                | -
Other networks (wired) | VPN              | X (blocked)         | -                | -                      | -                | -
Internet (wired)       | SSL Encryption   | X (blocked)         | -                | -                      | -                | -
Internet (wireless)    | GPRS             | X (blocked)         | -                | -                      | -                | -
6 Compliance
All users shall comply with this policy. In case of breach/violation to this policy, the user shall
be subjected to investigation and disciplinary action supervised by HR. HR disciplinary
actions and procedures apply. Violations shall be notified directly to IT Support and HR.
Strict confidentiality shall be maintained on all notified violations.
7 Related Documents
FEWA_ISMS_User Password Policy
FEWA_ISMS_Teleworking Policy
FEWA_ISMS_Supplier and Third Party Policy
FEWA_ISMS_Operations Security Policy
FEWA_ISMS_Information Systems Security Policy