POLICY Identity Access Management. Number: G 0900 Date Published: 18 February 2014

Transcription

1 1.0 Summary of Changes This policy has been amended to include the new form A666 Identity Access Management (IAM) Variation Form, Removal of Application Access. 2.0 About this Policy This document describes the Essex Police Identity Access Management Policy as approved by the IMPACT Programme Management Board and specifically relates to the Identity Access Management (IAM) managed services provided by Siemens Enterprise Communications and the Police ICT Company Directorate (formerly the NPIA). The Head of Information Management will be the designated IAM system owner. 3.0 General Principles IAM is a general term used for software, services and organisational structures that create and manage identities, for people or systems, and control and record access to information systems. The general principles are: Formal sponsorship of applicant by business sponsor; Formal identification and approval of applicant by business approver; Registration of approved applicant by IAM registrar; Approval of a registered applicants IAM identity by IAM approver; Assignment of approved system(s) access and role(s) by IAM registrar; Approval of provisioned system(s) access and assigned role(s); The issuance and management of identity credentials (username and password or smartcard and PIN); The maintenance of approved user identities, e.g. changes of name; Maintenance of an identities status (active, deactive or terminated); The transfer of ownership of IAM identities between IAM organisations. Detailed information regarding the IAM Managed and Central Services is published on the College of Policing POLKA website which shall be treated as the definitive primary source for IAM related matters and guidance. It is recommended that all IAM administrators familiarise themselves with the IAM Guide. Page 1 of 9

2 4.0 Statement of Policy 4.1 Identity Access Management Processes The IAM process has two distinct areas as follows: The management of IAM identities to egif L3 standard, this is the responsibility of the force HR/Business Centre. The main responsibilities are as follows: o The creation of identities to egif L3 standard; o The maintenance of identities to egif L3 standard; o The maintenance of an identities status; o The transfer of identities between forces and other agencies. The provisioning of applications access, this is the responsibility if the IT applications provisioning team. The main responsibilities are as follows: o The provisioning of applications; o The provisioning of roles within provisioned applications; o The provisioning and management of user names, passwords; o The provisioning and management of user smartcards Confidential Environment The IAM MS application is hosted on a confidential (Impact Level 4) network and as such can only be accessed via workstations located in an approved location. All requests for an IAM MS workstation must be approved by the Force Information Security Officer prior to installation. Relocation of the approved workstation within or outside of the approved location shall also be approved by the Force Information Security Officer prior to relocation IAM User Identity Registration All applicants are required to complete form A651 - IAM User Registration and agree to the terms of the IAM Managed Service Issuing Authority End-entity Agreement. The purpose of this form is to ensure that all applicants meet and understand the following: The person has a confirmed business need; The person is adequately identified to egif level 3; The person is appropriately security cleared; The person agrees to the terms and conditions of IAM Managed Service Issuing Authority IAM Device Registration An IAM device is typically any IT hardware that makes a connection to the IAM MS, e.g. a server for uploading force system data to an IAM secured application. Page 2 of 9

3 All applications for an IAM device identity registration shall be made using the national form available on College of Policing POLKA website Applicant Business Sponsors and Approvers All applicants shall have their application signed by a business sponsor and a business approver. An applicant s business sponsor and business approver cannot be the same person. The business sponsor and/or approver cannot undertake an IAM administration role for an application where they are a business sponsor/approver: Business sponsor: Usually the applicant s line manager or their delegate. However in the case of a new or transferring employee a Human Resources Assistant (HRA) may act as the business sponsor; Business Approver: Usually the applicant s unit manager or their delegate. However in the case of a new or transferring employee a Human Resources Business Partner (HRBP) may act as the business approver Identity Verification Business approvers are required to verify the identity of IAM applicants by completing the Business Approver declaration that the evidence presented conforms to the requirements as stated within form A651 - IAM User Registration Form. It is not mandatory for any identification evidence to be retained with the completed IAM User Registration Form. Once the business approver has completed the declaration the evidence may be retained by the applicant Vetting Requirements All applicants, including non-police personnel, requiring an IAM identity shall be vetted to at least the minimum standard required by the force for permanent or temporary employment. IAM registration cannot be initiated until the appropriate vetting level and the effective dates are confirmed by the corporate vetting unit. All IAM administration roles are designated posts and require vetting to Management Vetting (MV) level as per the force vetting policy IAM Identity Amendments All amendments to an IAM identity shall be formally approved by the completion of form A652 - IAM User Variation Form and approved by an appropriate business sponsor. Page 3 of 9

4 4.1.8 Transference of IAM Identities between IAM Organisations IAM identities have one unique national IAM identity. If an IAM user is transferring to or leaving to join another police force or IAM managed service organisation their identity registration shall be transferred to their new employer. All transfers shall be formally requested and approved by the completion of form A652 - IAM User Variation Form and approved by an appropriate sponsor. 4.2 Provisioning of IAM Secured National Application Request for, Access to or Removal of, IAM Secured Applications All requests for access to IAM secured applications shall be made using the relevant IAM Secured National IT Application Request form Applicant Business Sponsors and Approvers All applicants shall have their application counter signed by a business sponsor and a business approver. An applicant s business sponsor and business approver cannot be the same person. The business sponsor and/or approver cannot undertake an IAM administration role for an application where they are a business sponsor/approve: Business sponsor: Usually the applicant s line manager or their delegate; Business Approver: Usually the applicant s unit manager or their delegate Vetting Requirements All applicants, including non-police personnel, requiring access to IAM secured national IT applications shall be vetted to a level appropriate to the application(s) and/or role(s) requested prior to the application(s) and/or role(s) being provisioned. All IAM and SUN IDM administration roles are designated posts and require vetting to Management Vetting (MV) level as per the Force Vetting Policy Training All applicants, including non-police personnel, requiring access to IAM secured national IT applications shall be trained to a level appropriate to the application(s) and/or role(s) requested prior to the application(s) and/or role(s) being provisioned. Confirmation of the successful completion of any training for the requested application(s) and/or role(s) will be required prior to provisioning of the application(s) and/or role(s). Page 4 of 9

5 4.2.5 Smartcard Issuance The issuance of smartcards for access to Impact Level 4 (CONFIDENTIAL) applications shall be face-to-face. All recipients of smartcards shall complete a smartcard liability declaration (form A656) prior to issuance of the smartcard Confidential Environment All users of IAM nationally secured applications shall be sited in an environment appropriate to the requested applications rating, e.g. Impact Level 3 (RESTRICTED) or Impact Level 4 (CONFIDENTIAL). All requests for access to Impact Level 4 (CONFIDENTIAL) applications shall be approved by the force Information Security Officer or their delegate prior to provisioning of the application(s) Documentation Storage and Retention All completed IAM documentation and any retained evidence shall be stored within the applicants HR file as either a hard copy (paper) or a scanned file (electronic). The original documentation may be destroyed once a scanned file (electronic) exists. All IAM documentation (paper or electronic) shall be retained for audit purposes, for the duration of an identities employment and thereafter for a minimum of three years. 4.3 Responsibilities Separation of Duties It is important when assigning individuals to the roles listed below that separations of duties requirements are met. In the case of IAM, one person will initiate the action, but it will not take effect until a second person, the "approver", has examined it, and if it is valid, given approval. An approver takes responsibility for the action he or she approves and will be held accountable for errors, omissions or irregularities. The adherence to separation of duties is an auditable requirement. The separation of duties matrix can be found in the IAM Guide, section 6.1 on the College of Policing POLKA website Business Sponsor The role sponsoring the user s application, typically the users immediate line manager but may be a Human Resources Assistant. Responsibilities include: Identification of the user who has a business need to access IAM secured applications; Sign the document IAM Registration Form ; Page 5 of 9

6 Confirm that all prerequisite training has been completed; Inform the IAM registrar if a user no longer requires access to an IAM secured national application Business Approver The role approving the user s application, the business sponsor and business approver cannot be the same person. Typically the business sponsors immediate line manager but may be a Human Resources Business Partner. Responsibilities include: Verify and validate the user identity; Approve a new user registration; Approve changes to be made by the identity registrar; Approve the suspension, termination or reactivation of a user; Escalate any issues during the approval process to business sponsor Identity Registrar (Business Centre) The role responsible for creating and managing user identities within the IAM managed service, typically fulfilled by a Business Centre Administrator. Responsibilities include: Ensuring that the document IAM Registration Form has been fully completed; Create the identity in the IAM CS identity directory for the user; Modify the user record in the IAM identity directory; Escalate any issues to business approver Identity Approver (Business Centre) The role responsible for approving user identities created by the identity registrar and typically fulfilled by a Business Centre Team Leader. Responsibilities include: Making sure that the information that has been entered is correct and in alignment with the documentation; Formally approve the user identity; Escalate any issues to the Identity Registrar Identity Registrar (IT Applications) The role responsible for provisioning applications and application roles within the IAM managed service, typically fulfilled by an IT administrator. Responsibilities include: Ensuring that the document IAM Secured National IT Application Request has been completed correctly; To provision the approved applications and roles; Page 6 of 9

7 Create and maintain user names/passwords and request smartcards; Escalate any issues to business approver Identity Approver (IT Applications) The role responsible for approving provisioned applications and application roles within the IAM managed service, typically fulfilled by an IT administrator. Responsibilities include: Making sure that the information that has been entered is correct and in alignment with the documentation; To approve/deny the requested applications; To approve/deny requests for smartcards; Escalate any issues to the Identity Registrar Card Approver (IT Applications) The role responsible for approving the issuance of a smart card to a user; typically fulfilled by an IT administrator. Responsibilities include: Approving/denying request for smartcards; Escalate any issues to Business Approver Card Issuer The role responsible for physically printing and issuing a smart card to a user; typically fulfilled by an IT administrator. Responsibilities include: Verify the identity of the user prior to smartcard issuance; Assist the user in testing the issued card and confirming that it can be used to access national applications; Issuing smartcards; Verify that the user has signed the IAM Managed Service Issuing Authority Endentity Agreement; Verify that the user has signed form A656 - Essex Police Smart Card (Device) Security Personal Liability Form; To unlock smartcards if the user is unable to use the self-service option; The termination of smartcards as requested. 5.0 Implications of the Policy 5.1 Financial Implications Siemens PLC apply an annual charge for the issuance of each IL4 Confidential (smartcard) credential. Therefore the on-going need for each IL4 credential shall be reviewed annually to ensure the cost impact to the force is minimised. Page 7 of 9

8 Essex Police may incur annual charges for the registration and maintenance of partner agency identities. 5.2 Staffing and Training All IAM administrators are required to complete CBT packages in relation to Data Protection, Information Security and Protective Marking that are available via the Information Management website Non-Essex Police Personnel Non-Essex police personnel requiring access to IAM protected applications shall complete form A651 - IAM application form. Their IAM sponsor and approver, who cannot be the same person, must be permanent Essex Police employees. Prior to the provisioning of any IAM protected application(s) for non-essex Police Personnel Information Management shall confirm that a valid information sharing agreement exists and has been published on the force library of agreements. 5.3 Risk Assessments The Corporate Risk Register contains a risk for Information Security. 5.4 Consultation Information Technology Department; Human Resources Department; Business Centre; Information Security; Finance Department Police ICT Company, Home Office 6.0 Monitoring/Review This policy will be reviewed by or on behalf of the Head of Information Management within three years from the date of publication to ensure it remains accurate and fit for purpose. 7.0 Related Policies and Information Sources 7.1 Related Procedures G 0901 Procedure - Identity Access Management, Use of G 0902 Procedure - SUN Identity Management, Use of Page 8 of 9

9 7.2 Related Policies G 0800 Policy - Information Management D 2300 Policy - Police National Database (PND) 7.3 Other Source Documents Identity Access Management, IAM Guide (referenced and published on the College of Policing POLKA website. 7.4 Related Forms Form A651 Identity Access Management (IAM) Registration Form Form A652 Identity Access Management (IAM) Variation Form Form A656 IAM Smart Card (Device) Security Personal Liability Form Form A666 Identity Access Management (IAM) Variation Form, Removal of Application Access 7.5 Glossary egif HRA HRBP IAM IAM MS PIN PND POLKA SUN IDM e-government Interoperability Framework Human Resources Assistant Human Resources Business Partner Identity Access Management Identity Access Management, Managed Service Personal Identification Number Police National Database Police Online Knowledge Area (Owned by the College of Policing) Sun Micro Systems, Identity Manager Page 9 of 9