ISMS - 005 Access Control Policy

Uploaded by Mohammad Zabadi

Access Control Policy

Doc Ref: AIB-IS-POL-05

Version: 1.0

Disclaimer: No Part of this document may be reproduced or transmitted in any form or by any means,
electronic, manual, photocopying, recording or by any information storage and retrieval system, without
prior written permission of AXIS INSURANCE BROKERS.

Restricted
AIB-IS-POL-05 Clear Desk and Clear Screen Policy

Document Control

Document Information

Document Title Clear Desk and Clear Screen Policy

Classification Restricted

Document Review and Version Control

Version No. | Date       | Revision Description | Section Updated | Author       | Reviewer
V 1.0       | 14/09/2023 | Draft                | First Release   | Sufyan Areed | Adam Ahmed
V 1.0       | 02/10/2023 | Approved             | First Release   | Sufyan Areed | Adam Ahmed

Draft Verification

Name         | Designation | Signature    | Date of Verification
Sufyan Areed | CTO         | Sufyan Areed | 02/10/2023

Approvals

Name         | Designation | Signature    | Date of Approval
Sufyan Areed | CTO         | Sufyan Areed | 02/10/2023


Abbreviations

Term Description

ADHICS Abu Dhabi Health Information and Cyber Security Standard

AIB Axis Insurance Brokers

CEO Chief Executive Officer

CISO Chief Information Security Officer

CIA Confidentiality, Integrity, Availability

ISMS Information Security Management System

HIIP Healthcare Information Infrastructure Protection Workgroup

HIE Health Information Exchange

AAA Authenticity, Accountability and Auditability

IPR Intellectual Property Rights

IT Information Technology

ISGC Information Security Governance Committee

PII Personally Identifiable Information

HR Human Resource

QA Quality Assurance

NDA Non-Disclosure Agreement


Table of Contents

1 Introduction.................................................................................................................................................5
2 Scope........................................................................................................................................................... 5
3 Purpose........................................................................................................................................................6
4 Roles And Responsibilities............................................................................................................................6
BUSINESS OWNERS......................................................................................................................................................6
5 Access Control Policy.....................................................................................................................7
5.1 GENERAL CONTROLS...........................................................................................................................................7
5.2 PHYSICAL ACCESS CONTROL.................................................................................................................................7
5.3 LOGICAL ACCESS CONTROL..................................................................................................................................8
5.3.1 User Registration And Deregistration..................................................................................................8
5.3.2 User Identification And Authentication................................................................................................9
5.3.3 Service Accounts..................................................................................................................................9
5.3.4 User Authorization...............................................................................................................................9
5.3.5 User Logon Process............................................................................................................................10
5.3.6 User Access Modifications.................................................................................................................10
5.3.7 Administrator Access Modifications..................................................................................................10
5.3.8 Local Administrator Access................................................................................................................11
5.3.9 Temporary Accounts..........................................................................................................................11
5.3.10 Third Party Access.........................................................................................................................11
5.3.11 Automatic Logoff..........................................................................................................................11
5.3.12 Termination Of Access..................................................................................................................12
5.3.13 Privileged User Accounts...............................................................................................................12
5.3.14 Super Administrators....................................................................................................................13
5.3.15 Review Of User Access Rights.......................................................................................................13
6 Policy Compliance, Enforcement And Violations........................................................................................13
7 References.................................................................................................................................................14


1 Introduction
The control of access to our information assets is a fundamental part of a defence in depth strategy to
information security at Axis Insurance Brokers. If we need to effectively protect the confidentiality,
integrity and availability of data, then we must ensure that a comprehensive mix of physical and logical
controls are in place.

These requirements may depend on factors such as:

 The security classification of the information stored and processed by a particular system or
service
 Relevant legislation that may apply e.g. the NESA
 The regulatory framework in which the organization and the system operates
 Contractual obligations to external third parties
 The threats, vulnerabilities and risks involved
 The organization’s appetite for risk

Business requirements should be established as part of the requirements-gathering stage of new or
significantly changed systems and services and should be incorporated in the resulting design.

In addition to the specific requirements, a number of general principles will be used when designing
access controls for Axis Insurance Brokers’ systems and services. These are:

 Defence in Depth – security should not depend upon any single control but be the sum of a
number of complementary controls
 Least Privilege – the default approach taken should be to assume that access is not required,
rather than to assume that it is
 Need to Know – access is only granted to the information required to perform a role, and no
more
 Need to Use – Users will only be able to access physical and logical facilities required for their
role

Adherence to these basic principles will help to keep systems secure by reducing vulnerabilities and
therefore the number and severity of security incidents that occur.

The access control policy has been segregated into two parts namely Physical Access Control and Logical
Access Control.

2 Scope


This policy is applicable to all users of Axis Insurance Brokers’ information, Information Technology (IT)
equipment, systems, assets, resources and information processing facilities.

3 Purpose
Access control systems are in place to protect the interests of all authorized users of Axis Insurance
Brokers information systems by providing a safe, secure and accessible environment in which to work.
To secure and protect the logical and physical access to Axis Insurance Brokers’ information,
information processing facilities and resources.

4 Roles and Responsibilities


Roles | Responsibilities

Business Owners
▪ Reviewing and understanding the access request and, based on the need to know, approving it.

IT Department
▪ Creating user accounts and granting access based on the business requests
▪ Coordinating with the business owners to ensure the need-to-know for the access
▪ Reviewing the user access at least once a year
▪ Maintaining records
▪ Ensuring the physical security controls implemented at the data center are in compliance with this policy

HR Department
▪ Communicating changes in the Human Resource structure of Axis Insurance, which include but are not limited to new staff joining, staff separation and staff movements from one department to another
▪ Ensuring that all new staff understand and acknowledge the Information Security policies and procedures


5 Access Control Policy


5.1 General Controls
1. Access shall be granted based upon the principles of need-to-know, least privilege, and
separation of duties. Access not explicitly permitted shall be denied by default.
2. Users and Business owners shall provide a clear statement of the business requirement to
be met by access control.
3. Standard user profiles for common job categories shall be created, which will help to
identify the users to a role-based profile and assist in avoiding errors in granting access.
4. The approval for the access control shall be done by the respective Department Managers,
Information Security Officer and Application Owner (as required).
5. Where possible and feasible there shall be an appropriate access period defined and access
shall be automatically withdrawn immediately after that date.
6. Relevant legislation, laws, regulations and contractual obligations shall be taken into
consideration while providing access to any business application, system, service and data.
7. Records shall be archived for all significant events concerning the use and management of
user identities and security credentials.
8. Privileges or User rights shall be allocated and controlled on a need to use basis which shall
be approved by Manager – IT and Information Security Officer (as required).
9. Appropriate Password Policies and Account Lockout policies shall be configured as per
Password Policies.
10. Appropriate audit policies shall be configured and both successful and unsuccessful
attempts shall be logged for all events as per Security Monitoring Policy.
11. Fall-back plan-privileged accounts shall be available with Manager – IT and Information
Security Officer only and shall be issued upon request with valid business justification.
12. No system information shall be disclosed during the logon process and the system or
application details shall not be displayed until the successful completion of the log-on
process.

5.2 Physical Access Control


1. Physical access to all information processing facilities at Axis Insurance shall be protected by
adequate physical access control systems /methods.
2. Where locks with keys are used, procedures for secure management of the keys must be in
place.
3. Records from access control systems must be kept secure and archived.
4. Access to the specific areas (such as data centre, backup storage locations etc.) requires
approval from the IT Manager. Additional physical access control measures shall be
implemented to restrict the access to the selected personnel.
5. Access cards, passes, keys or other tokens must be retrieved from staff or contract staff
when their employment or contract ceases.
6. Access passes shall be provided to visitors & vendors while entering the premises and
should be retrieved on leaving the premises.


7. All physical access must be logged and made available for review when required.
5.3 Logical Access Control
Access to the IT components and data is generally known as logical access. In other terms, any access to
the Information processing systems should be considered as logical access. Logical access shall provide
Authentication, Authorization an
1. Access to the Axis Insurance IT infrastructure which includes, but not limited to, network
devices, network services, operating systems, applications, databases, data files should be
granted on the basis of business needs.
2. Access should be allowed on the basis of positive identification and positive authorization.
3. Any access to information systems should be denied by default and access permissions are
built, step by step, on a need to know basis or on the concept of least privileges.
4. Access to all data objects, fields, tables or any information shall be checked or validated for
authority.
5. Adequate segregation of duties or separation of privileges within systems should be
incorporated. This will ensure that authority is not focused on a single individual.

5.3.1 User Registration and Deregistration


1. Every staff, customer and third party, requiring access to the Axis Insurance IT
infrastructure, standalone systems and applications must have a unique user ID and a
personal secret password. This user ID and password will be required to establish positive
identification and authentication.
2. HR department is required to inform the IT Department with up-to-date and relevant
personnel details to ensure that the appropriate security controls are implemented in light
of this information.
3. The user who gains access to the system / application should read and understand the
Information Security policy and related policies before logical access is granted. Non-
compliance with the policies will result in disciplinary action, which is dependent on the
nature and severity of the transgression.
4. The user registration should be approved by the Department Manager and the Head of
Technology after reviewing the business need for the access of the requesting user. The
approved request shall be submitted to the IT Department for user creation.
5. Each user account will have a unique user name that is not shared with any other user and
is associated with a specific individual i.e. not a role or job title. Generic user accounts i.e.
single account to be used by a group of people should not be created as they provide
insufficient allocation of responsibility.
6. The user should be deregistered or disabled when the access is no longer needed. It is the
responsibility of the department manager / HR manager to notify the IT department about the
change in the user status.
7. If the user accounts are kept disabled instead of deleting them, then these user accounts
shall not be reused.


5.3.2 User identification and Authentication

1. Users are accountable for all activities performed with their personal user IDs. User IDs
shall not be utilised by anyone other than the individuals to whom they have been issued
except for super administrator accounts.

2. All computers that connect to the Axis Insurance IT infrastructure must make use of
proper access controls that prohibit access to resources without proper authentication
procedures

3. Every authentication process for computers connected to the Axis Insurance IT
infrastructure must (wherever possible) include a notice warning against unauthorized
use and consequences thereof.

4. Users shall be provided with a unique User ID combined with a password for
authentication, as a minimum.

5. Users shall be provided with one ID per system or application with the appropriate
privileges mapped to carry out their day to day activities.

6. IT Administrators shall assign unique user identification to the authorized user upon
notification of access request approval.

5.3.3 Service Accounts

1. Service Accounts are user accounts used by applications to run a specific application. The
ownership and accountability of such user account should be with the application
custodian.

2. Service accounts shall not be used for performing activities other than the intended and
approved use. These accounts should not be used for individual user activities.

3. Service accounts should follow the password policy. However, these accounts may be
exempted from the password expiry requirement, if it is required by the system.

4. Service accounts shall have access only to the systems and/or applications for which these
accounts are created.

5.3.4 User Authorization

1. All access requests to data and systems must be formally authorized. The access granted
shall follow the principles of least privilege, need to know and need to use.

2. Each user must be allocated access rights and permissions to computer systems and data
that are commensurate with the tasks they are expected to perform. In general this
should be role-based i.e. a user account will be added to a group that has been created
with the access permissions required by that job role.

3. Group roles should be maintained in line with business requirements and any changes to
them should be formally authorized and controlled via the change management process.

4. Ad-hoc additional permissions should not be granted to user accounts outside of the
group role; if such permissions are required this should be addressed as a change and
formally requested.

5. Any access requested by a contractor, temporary staff, or third parties must be authorized
by GM/AGM and must be for a limited period, with a defined end date and time. Such
access must be promptly disabled.

5.3.5 User logon process

1. The Log-on process must advise that access to Axis Insurance information is available to
authorized users only.

2. The Log-on process must not provide any information that would aid an unauthorized
user to successfully Log-on.

3. The unsuccessful Log-on attempts should be recorded and reviewed on a regular basis.
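The policy requires unsuccessful log-on attempts to be recorded and reviewed regularly (item 3 above, and item 10 of section 5.1). The script below is an added illustration of such a review and is not part of the AIB policy or its systems: it parses a few constructed, syslog-style authentication records and reports the user IDs and source addresses that a reviewer should look at. The log format, the field names and the two thresholds (five failures within fifteen minutes per user ID, which stands in for the lockout threshold the Password Policy would define; three distinct user IDs failing from one source) are assumptions for illustration.

```python
"""Review of unsuccessful log-on attempts.

Added example, not part of the AIB policy. The record layout and the
thresholds are assumptions; a real review reads the events collected under
the organization's Security Monitoring Policy.
"""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, result, user ID, source address.
SAMPLE_LOG = """\
2023-10-02T08:01:10 LOGON_FAILURE user=j.smith src=10.1.4.22
2023-10-02T08:01:25 LOGON_FAILURE user=j.smith src=10.1.4.22
2023-10-02T08:01:40 LOGON_FAILURE user=j.smith src=10.1.4.22
2023-10-02T08:02:01 LOGON_FAILURE user=j.smith src=10.1.4.22
2023-10-02T08:02:20 LOGON_FAILURE user=j.smith src=10.1.4.22
2023-10-02T08:02:44 LOGON_SUCCESS user=j.smith src=10.1.4.22
2023-10-02T09:15:03 LOGON_FAILURE user=a.khan src=10.1.7.9
2023-10-02T09:40:51 LOGON_SUCCESS user=a.khan src=10.1.7.9
2023-10-02T22:10:00 LOGON_FAILURE user=administrator src=198.51.100.7
2023-10-02T22:10:02 LOGON_FAILURE user=backup_svc src=198.51.100.7
2023-10-02T22:10:04 LOGON_FAILURE user=root src=198.51.100.7
2023-10-02T22:10:06 LOGON_FAILURE user=m.ali src=198.51.100.7
"""

# Assumed line format; anything that does not match is counted as skipped
# rather than silently ignored, so gaps in the review are visible.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGON_(?:FAILURE|SUCCESS)) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return (events, skipped_line_count) for the raw log text."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events, skipped


def review_failures(events, per_user_threshold=5,
                    window=timedelta(minutes=15), per_source_users=3):
    """Findings for the reviewer, as (kind, subject, count) tuples.

    'user_threshold': one user ID with >= per_user_threshold failures inside
                      the sliding time window (assumed lockout threshold).
    'source_spray':   one source address failing against >= per_source_users
                      distinct user IDs, which a per-account threshold alone
                      would not surface.
    """
    findings = []
    failures = [e for e in events if e["result"] == "LOGON_FAILURE"]

    by_user = defaultdict(list)
    for e in failures:
        by_user[e["user"]].append(e["ts"])
    for user, stamps in by_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= per_user_threshold:
                findings.append(("user_threshold", user, end - start + 1))
                break  # one finding per user ID is enough for the review list

    by_src = defaultdict(set)
    for e in failures:
        by_src[e["src"]].add(e["user"])
    for src, users in by_src.items():
        if len(users) >= per_source_users:
            findings.append(("source_spray", src, len(users)))
    return findings


if __name__ == "__main__":
    evs, skipped = parse_log(SAMPLE_LOG)
    print(f"{len(evs)} events parsed, {skipped} lines skipped")
    for finding in review_failures(evs):
        print(*finding)
```

Both checks matter for the review: the per-user window catches what the account lockout policy would also catch, while the per-source check surfaces a single address failing against several accounts, which stays under every individual lockout threshold and is only visible when failures are grouped by source.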

5.3.6 User Access Modifications

1. Access must be modified as required when employees move internally within Axis
Insurance or on vacation for more than 30 days

2. The IT Department shall have the authority to disable accounts without reference if
necessary; in such cases, the IT department shall notify the IT Manager about the
change.

5.3.7 Administrator Access Modifications

1. Whenever a Systems, Application and/or Network Administrator leaves the
team/department, steps must be taken to change all the administrative passwords of Axis
Insurance information systems which are under the custody of the staff. This should
include, but not be limited to, the passwords of routers, switches, firewalls, servers,
databases and service accounts.

2. Modifications of a privileged user (administrator) account require approval from the
immediate manager.


5.3.8 Local Administrator Access

1. Local Administrator access to workstations shall be granted only when there is a
requirement. This elevated privilege shall be granted based on the approval from the
AGM/GM and will only be valid for a limited period of time.

5.3.9 Temporary Accounts

1. Third parties, Temporary staff or staff filling a temporary role shall use their own user
identification.

2. If a temporary account is used, the temporary account that is released for use must be for
a limited period with a predefined end date and time.

5.3.10 Third party access

1. Partner agencies or 3rd party suppliers must not be given details of how to access the
organization’s network without formal approvals from the IT Manager.

2. Access granted to third parties, which includes but not limited to vendors, contractors,
external auditors, etc… should have the supporting business documents which clearly
justify the business needs

3. Third party access must be for a limited period with a predefined end date and time.

4. Any changes to supplier’s connections (e.g. on termination of a contract) must be
immediately sent to the IT Department so that access can be updated or ceased. All
permissions and access methods must be controlled by the IT Department.

5. Partners or 3rd party suppliers must contact the IT on each occasion to request
permission to connect to the network and a log of activity must be maintained. Remote
access software and user accounts must be disabled when not in use.

6. All contracts with third party (such as vendors, contractors and partners) & third parties
shall include security requirements and clauses outlining the access requirements to
ABHNIC systems.

7. The procurement department and the ISO shall review and agree on any special
requirements related to providing access to vendors/consultants and ensure including
such requirements in the contracts/agreements. The ISO reserves the right to require
additional access controls to be applied in relation to any contract.


5.3.11 Automatic logoff

1. Systems, applications and other computing devices which store, process or transmit
confidential information should employ inactivity timers or automatic logoff mechanisms.

2. Maximum allowed duration of the inactivity shall be defined based on the risk analysis of
the applications and systems

3. Screen lock mechanisms such as password protected screensavers should be
implemented in all workstations

4. Use of screen lock commands such as (CTRL+ALT+DELETE or LOCK Computer) shall be
performed when the user moves away from the computer (Workstation or Server)

5.3.12 Termination of Access


Axis Insurance must implement procedures to ensure that the following steps are taken when a staff
member’s employment ends or access needs to be suspended:

1. The employee’s manager ensures that access for all such user accounts is ended.

2. Any client user accounts used by the employee should be disabled or the account
password should be changed.

3. Codes or passwords for systems, equipment access passwords (routers and switches),
administrator passwords, and other common access control information should be
changed when appropriate.

4. Human Resources are promptly notified and the termination processed in accordance
with the separation checklist.

5. In exceptional circumstances where there is perceived to be a risk that the employee may
take action that may harm the organization prior to or upon termination, a request to
remove access may be approved and actioned in advance of notice of termination being
given. This precaution should especially apply in the case where the individual concerned
has privileged access rights e.g. domain admin.

5.3.13 Privileged User accounts


Privileged access rights such as those associated with administrator-level accounts must be
identified for each system or network and tightly controlled.

1. System / application administrators shall have a separate named user account for
administrator purpose and used only when the additional privileges are required. They
should use normal user accounts for their day-to-day operations.

2. Generic admin accounts should not be used as they provide insufficient identification of
the user.


3. Access to admin level permissions should only be allocated to individuals whose roles
require them and who have received sufficient training to understand the implications of
their use.

4. The use of user accounts with privileged access in automated routines such as batch or
interface jobs should be avoided where possible. Where this is unavoidable the password
used should be protected and changed on a regular basis.

5.3.14 Super Administrators

1. Super administrator user accounts, which are not required for regular usage, shall be
recorded in a secure manner. Procedures shall be established to ensure the accountability
of the usage of these accounts.

2. The password of the Super Administrator account should be known to a single person at
any given point of time

3. Existence of such accounts and the procedures to handle them needs to be approved by
the AGM.

5.3.15 Review of User Access Rights


On a regular basis (at least annually) asset and system owners will be required to review who has
access to their areas of responsibility and the level of access in place. This will be to identify:

• People who should not have access (e.g. leavers)
• User accounts with more access than required by the role
• User accounts with incorrect role allocations
• User accounts that do not provide adequate identification e.g. generic or shared accounts
• Any other issues that do not comply with this policy

To ensure that this policy is being complied with, the IT Manager will carry out a quarterly
review of user accounts with privileged access.
IT Administrators on a regular basis shall disable user accounts that are inactive for a period of
<<maximum 90 days>>.
All privileged and administrators accounts shall be reviewed on a quarterly basis, and changes to
such accounts shall be logged for periodic review.
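The review items listed in this section, together with the standard role profiles of section 5.1 (item 3), the rule against generic accounts in section 5.3.1 (item 5), and the predefined end date required for temporary and third-party access in sections 5.3.4, 5.3.9 and 5.3.10, can be run as mechanical checks over an account export before the asset owner signs off. The script below is an added example and is not AIB's own tooling: the account record layout, the role profiles, the HR status values and the concrete 90-day inactivity limit are all assumptions for illustration (the policy leaves the period as a placeholder). Each finding names the account and the policy check it failed, so the owner can act on it.

```python
"""Periodic review of user access rights.

Added example, not part of the AIB policy. Record layout, role profiles and
the 90-day inactivity limit are assumptions for illustration.
"""

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed standard role profiles (policy 5.1 item 3): job category -> roles
# that the profile grants. Anything beyond the profile is an ad-hoc permission.
ROLE_PROFILES = {
    "claims_officer": {"claims_read", "claims_write"},
    "finance_analyst": {"finance_read"},
    "sysadmin": {"workstation_support", "server_admin"},
    "third_party_auditor": {"finance_read"},
}


@dataclass
class Account:
    user_id: str
    owner: Optional[str]           # None => generic/shared account, no individual
    job_category: Optional[str]    # key into ROLE_PROFILES
    hr_status: str                 # "active" or "left" (assumed HR feed values)
    roles: set
    last_logon: Optional[datetime]
    privileged: bool = False
    expires: Optional[datetime] = None  # set for temporary / third-party access


REVIEW_DATE = datetime(2023, 10, 2)
INACTIVITY_LIMIT = timedelta(days=90)  # stands in for the policy placeholder

# Constructed sample export of accounts under one asset owner's responsibility.
SAMPLE_ACCOUNTS = [
    Account("j.smith", "Jane Smith", "claims_officer", "active",
            {"claims_read", "claims_write"}, datetime(2023, 9, 29)),
    Account("a.khan", "Ahmed Khan", "finance_analyst", "active",
            {"finance_read", "claims_write"}, datetime(2023, 9, 30)),
    Account("m.ali", "Mariam Ali", "claims_officer", "left",
            {"claims_read"}, datetime(2023, 6, 1)),
    Account("reception", None, None, "active",
            {"claims_read"}, datetime(2023, 10, 1)),
    Account("adm-s.areed", "Sufyan Areed", "sysadmin", "active",
            {"server_admin"}, datetime(2023, 9, 28), privileged=True),
    Account("vendor-audit", "External Auditor Co", "third_party_auditor", "active",
            {"finance_read"}, datetime(2023, 9, 10), expires=datetime(2023, 9, 15)),
    Account("t.new", "Tariq New", "claims_officer", "active",
            {"claims_read"}, None),
]


def review_access(accounts, review_date=REVIEW_DATE,
                  inactivity_limit=INACTIVITY_LIMIT):
    """Return (user_id, check_failed) tuples for the asset owner to act on."""
    findings = []
    for a in accounts:
        # People who should not have access (e.g. leavers)
        if a.hr_status == "left":
            findings.append((a.user_id, "leaver_still_has_access"))
        # Accounts that do not identify an individual (generic or shared)
        if a.owner is None:
            findings.append((a.user_id, "generic_or_shared_account"))
        else:
            # More access than the role requires, or no profile to compare against
            profile = ROLE_PROFILES.get(a.job_category)
            if profile is None:
                findings.append((a.user_id, "no_role_profile_for_job"))
            else:
                extra = sorted(a.roles - profile)
                if extra:
                    findings.append(
                        (a.user_id, "roles_beyond_profile:" + ",".join(extra)))
        # Temporary / third-party access must end at its predefined date
        if a.expires is not None and a.expires < review_date:
            findings.append((a.user_id, "temporary_access_expired"))
        # Inactive accounts are disabled; an account never used counts as inactive
        if a.last_logon is None or review_date - a.last_logon > inactivity_limit:
            findings.append((a.user_id, "inactive_disable_candidate"))
    return findings


def privileged_accounts(accounts):
    """Subset that goes to the IT Manager's quarterly privileged-access review."""
    return sorted(a.user_id for a in accounts if a.privileged)


if __name__ == "__main__":
    for user_id, check in review_access(SAMPLE_ACCOUNTS):
        print(f"{user_id:14} {check}")
    print("privileged accounts for quarterly review:",
          ", ".join(privileged_accounts(SAMPLE_ACCOUNTS)))
```

Two design points carry over to a real export. A leaver and an expired temporary account are flagged by the HR status and end date themselves, not by inactivity, so an account that was used after the person left is still caught; and the role comparison is against the standard profile for the job category rather than against the user's previous review, so permissions that were added ad hoc outside the change process (section 5.3.4, item 4) surface every cycle until they are either removed or added to the profile.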

6 Policy Compliance, Enforcement and Violations


Violations of this policy and supporting policies shall result in the initiation of disciplinary process and
may result in warning letter / memo, further trainings (if required), termination of contract or
agreement or legal actions.


If Users are unsure or not clear of anything in this policy, they should seek clarification or advice from
ISO. The ISO reserves the right to check the compliance of this policy on a periodic basis.
Any exceptions to this policy with valid business justification require approval from the ISO on a case-by-case
basis.
The ISO in coordination with the Information Systems Owners, Business Processes Owners reserve the
right to review Users’ lists and ascertain the privileges granted.
The ISO reserves the right to review the use of high privilege ID’s at regular intervals.

7 References

Sr No. | ADHICS Standard Control | Name
1      | AC 1                    | Access Control Policy
