AstraZeneca Global Request for

Service, Special - Single Purpose and Special - Testing

Account Access

Copyright IBM 2009, 2011. All rights reserved.
Page 1 oI 4
Template: AZ-Global-TMP-0256-V03.00 Parent Document: AZ-Global-WI-0287

Important Instructions and ResponsibiIities

O This form should be used for new, changes and when requesting privilege access to Service accounts, Special
Single Purpose accounts and Special - Testing accounts ONLY (see mandatory settings on page 2)
O Mailbox, nternet or My Documents access are not allowed. Any exceptions require Security approval
O These accounts are never to be used as a Shared User D
O These accounts are not to be used for individual log on. However for specific exceptions, please see the
mandatory settings on page 2
O BM Global Access Support Enterprise must be informed of any intended change of use and/or ownership of
the account
O The password should be known by the account owner and approved deputy only
O A record must be kept of these named individuals
O All AstraZeneca personnel using this account have read the AstraZeneca Computer Usage Policy (click here
for the AZ Computer Usage Policy link)
O All BM personnel using this account have read the BM Business Conduct Guidelines
Note: IBM Global Access Support Enterprise team will maintain a record of the account details, the owner
and deputies.

Routing and ApprovaI Instructions

1. This form should be completed by the account owner (or the account deputy) to verify account owner
responsibility.

2. To avoid delay, please verify all mandatory (*) fields are populated.

3. When completed, this form (with the full business justification for access) should be sent for approval to the
following persons. f there are no exceptions or privileged access requested, then account owner approval
onIy is necessary:

AstraZeneca staff/contractors/IBM NOC:
1st level = Line/Task Manager
2nd level = AZ Application Service Manager/System Owner or Local S Security Manager (LSSM)

AstraZeneca 3rd parties/partners (non IBM NOC):
1st level = On-boarding team (obtains and confirms the Line/Task Manager approval)
2nd level = On-boarding team (obtains and confirms the Application Service Manager/System Owner or
Local S Security Manager (LSSM) approval)

Note: The e-mail approval should include, the fully completed form as an attachment, and is required
from each of the 1st and 2nd Level approvers above. It should include the Approvers job title and
confirmation that all items on the form have been read, understood and agreed.
If you are still unsure on where to send this form, to obtain approval, please contact your Local IS
Security Manager (LISSM). Click here for the IS Security Managers List.

4. Once approved by the 1st and 2nd Level approvers above, the completed form and full e-mail trail is to be sent
to your regional BM T Service Desk.
$eden: TServicedeskSweden@astrazeneca.com
UK: itsd@astrazeneca.com
U$: usuwhelpdesk.azcscfishkill@astrazeneca.com
ROW: BangaloreROWTServiceDesk@astrazeneca.com

5. BM T Service Desk will issue an ncident Request.
O f privileged access is requested, they will forward the completed and approved request, for 3rd Level
approval (of the relevant Pharos request raised) to the BM System/Service owner for approval.

Note: The Pharos request is raised by the IBM Global Access Support Enterprise, Bangalore.
Please retain your Incident Request Number should progress tracking be required with the IBM IT
Service Desk. If there is no related incident ticket or completed form attached to the ticket, your
request will be rejected.

6. Satisfactory approval will result in access being granted and you will be informed when this has been
completed.


AstraZeneca Global Request for
Service, Special - Single Purpose and Special - Testing
Account Access

Copyright IBM 2009, 2011. All rights reserved.
Page 2 oI 4
Template: AZ-Global-TMP-0256-V03.00 Parent Document: AZ-Global-WI-0287

Mandatory settings required for $ervice, $peciaI - $ingIe Purpose and $peciaI - Testing accounts

Special - Single Purpose (Account Type 33)

O A shared account with some privilege.
O Should only be used for specific purposes
O Owner's PRD should be recorded.
O Additional business processes are normally required to fully implement these types of account.

Example - Software installer; created as part of software install process.

Special - Testing (Account Type 34)

O Should have minimum essential access only, dependent on testing purpose
O Account expiry must be set for up to 1 year only
O Owner's PRD should be recorded.

Example - Specific testing purpose.

Service (Account Type 63)

O Should not be used by individuals, but can be logged onto for emergency problem diagnosis purposes.
O Password can be fixed.
O May be set to 'Never Expires'
O Renaming may not be possible.
O May not be able to use PRD if name cannot be changed.
O Change management of scheduled activities must be maintained and reviewed. Special detection rules
apply.
O Owner's PRD should be recorded.
O Additional business processes are normally required to fully implement these types of account.

Example - Day to day operational use for scheduled activities; e.g. backup of servers. nstalled by
facilitating software.
Note: the term 'Service' here refers typically to an internal software service rather than a general T
service. Accounts used to manage or support an T service like a service desk or application support
service should instead use the account type Shared general, or Mail General for resource/functional
mailboxes.

AstraZeneca Global Request for
Service, Special - Single Purpose and Special - Testing
Account Access

Copyright IBM 2009, 2011. All rights reserved.
Page 3 oI 4
Template: AZ-Global-TMP-0256-V03.00 Parent Document: AZ-Global-WI-0287

!lease verify the * mandatory fields are populated
Request DetaiIs

Service Account Special Single Purpose Account Special - Testing Account

New account Change account

Account Name* max. 30 characters) Request date* dd-mmm-yyyy)
ProcessAndTools 26-Sep-2011
Account Prid leave blank if to be allocated by IBM) Domain* e.g. EMEA, RD etc...)
astrazeneca.net
Account Oner* Prid*
Ruane, Edward kljp858
Deputy 1* Prid*
ornman, Reid ksjb522
Deputy 2 Prid
Orchard, James kfxt054
Deputy 3 Prid
Mageshwaran, Shanker kkql822

ogon restricted to the foIIoing equipment*
!lease specify any servers /workstations that the account logon should be restricted to.)

AdditionaI Access*
!lease specify any !haros profiles and/or AD groups/servers required. When stating any privilege access. Do not under any
circumstances ask for higher privileges than necessary.)
XAZ-SD Application Deployment, XAZ-Global Client Administrators
Purpose of the account*
!lease explain why the account is needed and the function it will provide. Verify that no other solution than the account type
requested is available.)
This application will be used by the Client Refresh Process and Tools team. The account will
serve 2 purposes:
1. t will be used by a scripted job that advertises the Vista SP2 packages to end users
(XAZ-SD Application Deployment)
2. t will be used by a scripted job that scans end user machines to verify upgrade files
are on a users machine and also confirm when the user completed the upgrade (XAZ-
Global Client Administrators)
Business Justifcation*
!lease provide a business justification for why this access is required. Include as much supporting information as possible.)
The Vista Service Update Program (run by Client Refresh) is responsible for upgrading all in
scope Vista machine to SP2. This process requires the advertisement of the application and
verification ot its installation.
Comments*
!lease specify for example why additional access is needed or why any changes are required to the account.)


Approver DetaiIs


AstraZeneca Global Request for
Service, Special - Single Purpose and Special - Testing
Account Access

Copyright IBM 2009, 2011. All rights reserved.
Page 4 oI 4
Template: AZ-Global-TMP-0256-V03.00 Parent Document: AZ-Global-WI-0287

Authorising Line/Task Manager name* PRD*
Brian Grubb kzp397
Application Service Manager/System Owner or Local S Security Manager name* PRD*
Joseph M Kuss kIkm986


As approver for PriviIeged access, I have read and understood the foIIoing:

O All privileged access to systems, servers and applications is a risk to AstraZeneca.
O Privileged Access is granted to a limited number of individuals only on the basis of need.
O BM may not be liable for system integrity issues in this system related to the use of this access.
O Privilege access should not be any higher than is needed to perform the business tasks according to
business justification.



Note - an approval from each of the following sections must be provided in the email trail
Approved by Authorising ine/Task Manager

*
hereby confirm that the requested permission is necessary in order for the applicant to carry on their job. have
informed the applicant to follow the rules for S personnel defined in the AZ Unified ntegrated Assurance
Standard (click here for AZ Unified ntegrated Assurance Standard link) and that applicant shall follow
AstraZeneca's policy and Change management process. will immediately follow the appropriate process for the
removal of this privileged access should it no longer be required.
our agreement is your approval e-mail with associated date, please send to regional IBM IT Service Desk as
instructed at the top of this form)

Approved by AppIication $ervice Manager/$ystem Oner or ocaI I$ $ecurity Manager
not needed when application regards termination of existing permissions)
* confirm that am in agreement with this request for the high level of access required to the system, service or
application.
our agreement is your approval e-mail with associated date, please send to regional IBM IT Service Desk as
instructed at the top of this form)


OF OCUMT

*
Mandatory Fields