Access Control Policy

This document provides principles and guidance on specific aspects of access control to Information Assets and Systems.

Scope

This Policy applies to all parties and resources, including but not limited to employees, third parties, servers, network devices, external storage media, and applications, that contain or transmit the Corporate Group’s information.

This Policy applies throughout the EClaims Group as part of the information security management system framework.

General Requirements

Access to the information assets and systems is based on the following principles:

  • Need to know – users or resources must be granted access only to those information assets or systems that are necessary to fulfil their roles and responsibilities.

  • Least privilege – users or resources will be provided with the minimum privileges necessary to fulfil their roles and responsibilities.

Role-based access control is utilized to support the segregation of incompatible functions.

Provision, modification, and revocation of access to an information asset or system must be registered in the EClaims Group’s ticketing system.

Requests for users’ accounts and access privileges must be formally documented and appropriately approved.

Access rights must be disabled or removed immediately (no later than 24 hours after the termination date) when the user is terminated or ceases to have a legitimate reason to access the Corporate Group’s information.

Access Control Requirements

All users must use a unique ID to access the EClaims Group’s systems and applications.

Passwords must be set in accordance with the Information Security Requirements Standard.

Remote access to the Corporate Group systems and applications must use two-factor authentication where possible.

Privileged Accounts

A named, individual privileged user account must be created for each administrator.

Shared User Accounts

Shared user accounts are only to be used on an exception basis with the appropriate approval. This includes general user accounts such as “guest” and “functional” accounts.

Vendor or Default User Accounts

Where possible, all default user accounts must be disabled or changed.

These accounts include “guest”, “temp”, “admin”, “Administrator”, and any other commonly known or used default accounts, as well as related default passwords used by vendors on “commercial off-the-shelf” systems and applications.

The organization acknowledges internal accounts, such as project bots, created by the systems it employs, having assessed that they do not pose a risk.

Test Accounts

Test accounts can only be created if they are justified by the relevant business area or project team.

Third-party Access

Third-parties are required to sign a Non-disclosure Agreement (NDA) before obtaining access to EClaims Group’s information in systems and applications.

Review of User Access Rights

On an annual basis, or more frequently if needed, access to Information Assets and Systems must be reviewed by Information Asset Owners. Discrepancies must be remediated accordingly.

Policy Review and Update

This Policy must be maintained in accordance with the Information Security Policy.

Revision History

Version | Author | Approved By | Revision date | Approval date
0.1     | LĆ     | GK          | 2023-05-20    | 2023-05-23
0.2     | LĆ     | DM          | 2023-11-02    | 2023-11-02
0.3     | GK     | DM          | 2024-09-10    | 2024-09-10

Last updated