POLICY Identity Access Management. Number: G 0900 Date Published: 18 February 2014




1.0 Summary of Changes
This policy has been amended to include the new form A666 Identity Access Management (IAM) Variation Form, Removal of Application Access.

2.0 About this Policy
This document describes the Essex Police Identity Access Management Policy as approved by the IMPACT Programme Management Board and specifically relates to the Identity Access Management (IAM) managed services provided by Siemens Enterprise Communications and the Police ICT Company Directorate (formerly the NPIA). The Head of Information Management will be the designated IAM system owner.

3.0 General Principles
IAM is a general term used for software, services and organisational structures that create and manage identities, for people or systems, and control and record access to information systems. The general principles are:
o Formal sponsorship of applicant by business sponsor;
o Formal identification and approval of applicant by business approver;
o Registration of approved applicant by IAM registrar;
o Approval of a registered applicant's IAM identity by IAM approver;
o Assignment of approved system(s) access and role(s) by IAM registrar;
o Approval of provisioned system(s) access and assigned role(s);
o The issuance and management of identity credentials (username and password or smartcard and PIN);
o The maintenance of approved user identities, e.g. changes of name;
o Maintenance of an identity's status (active, deactive or terminated);
o The transfer of ownership of IAM identities between IAM organisations.
Detailed information regarding the IAM Managed and Central Services is published on the College of Policing POLKA website, which shall be treated as the definitive primary source for IAM related matters and guidance. It is recommended that all IAM administrators familiarise themselves with the IAM Guide.
Page 1 of 9

4.0 Statement of Policy

4.1 Identity Access Management Processes
The IAM process has two distinct areas as follows:
o The management of IAM identities to egif L3 standard; this is the responsibility of the force HR/Business Centre. The main responsibilities are as follows:
  o The creation of identities to egif L3 standard;
  o The maintenance of identities to egif L3 standard;
  o The maintenance of an identity's status;
  o The transfer of identities between forces and other agencies.
o The provisioning of application access; this is the responsibility of the IT applications provisioning team. The main responsibilities are as follows:
  o The provisioning of applications;
  o The provisioning of roles within provisioned applications;
  o The provisioning and management of user names and passwords;
  o The provisioning and management of user smartcards.

4.1.1 Confidential Environment
The IAM MS application is hosted on a confidential (Impact Level 4) network and as such can only be accessed via workstations located in an approved location. All requests for an IAM MS workstation must be approved by the Force Information Security Officer prior to installation. Relocation of the approved workstation within or outside of the approved location shall also be approved by the Force Information Security Officer prior to relocation.

4.1.2 IAM User Identity Registration
All applicants are required to complete form A651 - IAM User Registration and agree to the terms of the IAM Managed Service Issuing Authority End-entity Agreement. The purpose of this form is to ensure that all applicants meet and understand the following:
o The person has a confirmed business need;
o The person is adequately identified to egif level 3;
o The person is appropriately security cleared;
o The person agrees to the terms and conditions of the IAM Managed Service Issuing Authority.

4.1.3 IAM Device Registration
An IAM device is typically any IT hardware that makes a connection to the IAM MS, e.g. a server for uploading force system data to an IAM secured application. All applications for an IAM device identity registration shall be made using the national form available on the College of Policing POLKA website.

4.1.4 Applicant Business Sponsors and Approvers
All applicants shall have their application signed by a business sponsor and a business approver. An applicant's business sponsor and business approver cannot be the same person. The business sponsor and/or approver cannot undertake an IAM administration role for an application where they are a business sponsor/approver:
o Business sponsor: Usually the applicant's line manager or their delegate. However, in the case of a new or transferring employee a Human Resources Assistant (HRA) may act as the business sponsor;
o Business approver: Usually the applicant's unit manager or their delegate. However, in the case of a new or transferring employee a Human Resources Business Partner (HRBP) may act as the business approver.

4.1.5 Identity Verification
Business approvers are required to verify the identity of IAM applicants by completing the Business Approver declaration that the evidence presented conforms to the requirements as stated within form A651 - IAM User Registration Form. It is not mandatory for any identification evidence to be retained with the completed IAM User Registration Form. Once the business approver has completed the declaration, the evidence may be retained by the applicant.

4.1.6 Vetting Requirements
All applicants, including non-police personnel, requiring an IAM identity shall be vetted to at least the minimum standard required by the force for permanent or temporary employment. IAM registration cannot be initiated until the appropriate vetting level and the effective dates are confirmed by the corporate vetting unit. All IAM administration roles are designated posts and require vetting to Management Vetting (MV) level as per the force vetting policy.

4.1.7 IAM Identity Amendments
All amendments to an IAM identity shall be formally approved by the completion of form A652 - IAM User Variation Form and approved by an appropriate business sponsor.

4.1.8 Transference of IAM Identities between IAM Organisations
IAM identities have one unique national IAM identity. If an IAM user is transferring to or leaving to join another police force or IAM managed service organisation, their identity registration shall be transferred to their new employer. All transfers shall be formally requested and approved by the completion of form A652 - IAM User Variation Form and approved by an appropriate sponsor.

4.2 Provisioning of IAM Secured National Applications

4.2.1 Request for Access to, or Removal of, IAM Secured Applications
All requests for access to IAM secured applications shall be made using the relevant IAM Secured National IT Application Request form.

4.2.2 Applicant Business Sponsors and Approvers
All applicants shall have their application counter-signed by a business sponsor and a business approver. An applicant's business sponsor and business approver cannot be the same person. The business sponsor and/or approver cannot undertake an IAM administration role for an application where they are a business sponsor/approver:
o Business sponsor: Usually the applicant's line manager or their delegate;
o Business approver: Usually the applicant's unit manager or their delegate.

4.2.3 Vetting Requirements
All applicants, including non-police personnel, requiring access to IAM secured national IT applications shall be vetted to a level appropriate to the application(s) and/or role(s) requested prior to the application(s) and/or role(s) being provisioned. All IAM and SUN IDM administration roles are designated posts and require vetting to Management Vetting (MV) level as per the Force Vetting Policy.

4.2.4 Training
All applicants, including non-police personnel, requiring access to IAM secured national IT applications shall be trained to a level appropriate to the application(s) and/or role(s) requested prior to the application(s) and/or role(s) being provisioned. Confirmation of the successful completion of any training for the requested application(s) and/or role(s) will be required prior to provisioning of the application(s) and/or role(s).

4.2.5 Smartcard Issuance
The issuance of smartcards for access to Impact Level 4 (CONFIDENTIAL) applications shall be face-to-face. All recipients of smartcards shall complete a smartcard liability declaration (form A656) prior to issuance of the smartcard.

4.2.6 Confidential Environment
All users of IAM nationally secured applications shall be sited in an environment appropriate to the requested application's rating, e.g. Impact Level 3 (RESTRICTED) or Impact Level 4 (CONFIDENTIAL). All requests for access to Impact Level 4 (CONFIDENTIAL) applications shall be approved by the force Information Security Officer or their delegate prior to provisioning of the application(s).

4.2.7 Documentation Storage and Retention
All completed IAM documentation and any retained evidence shall be stored within the applicant's HR file as either a hard copy (paper) or a scanned file (electronic). The original documentation may be destroyed once a scanned file (electronic) exists. All IAM documentation (paper or electronic) shall be retained for audit purposes for the duration of an identity's employment and thereafter for a minimum of three years.

4.3 Responsibilities

4.3.1 Separation of Duties
It is important when assigning individuals to the roles listed below that separation of duties requirements are met. In the case of IAM, one person will initiate the action, but it will not take effect until a second person, the "approver", has examined it and, if it is valid, given approval. An approver takes responsibility for the action he or she approves and will be held accountable for errors, omissions or irregularities. Adherence to separation of duties is an auditable requirement. The separation of duties matrix can be found in the IAM Guide, section 6.1, on the College of Policing POLKA website.

4.3.2 Business Sponsor
The role sponsoring the user's application, typically the user's immediate line manager but may be a Human Resources Assistant. Responsibilities include:
o Identification of the user who has a business need to access IAM secured applications;
o Sign the document "IAM Registration Form";
o Confirm that all prerequisite training has been completed;
o Inform the IAM registrar if a user no longer requires access to an IAM secured national application.

4.3.3 Business Approver
The role approving the user's application; the business sponsor and business approver cannot be the same person. Typically the business sponsor's immediate line manager but may be a Human Resources Business Partner. Responsibilities include:
o Verify and validate the user identity;
o Approve a new user registration;
o Approve changes to be made by the identity registrar;
o Approve the suspension, termination or reactivation of a user;
o Escalate any issues during the approval process to the business sponsor.

4.3.4 Identity Registrar (Business Centre)
The role responsible for creating and managing user identities within the IAM managed service, typically fulfilled by a Business Centre Administrator. Responsibilities include:
o Ensuring that the document "IAM Registration Form" has been fully completed;
o Create the identity in the IAM CS identity directory for the user;
o Modify the user record in the IAM identity directory;
o Escalate any issues to the business approver.

4.3.5 Identity Approver (Business Centre)
The role responsible for approving user identities created by the identity registrar, typically fulfilled by a Business Centre Team Leader. Responsibilities include:
o Making sure that the information that has been entered is correct and in alignment with the documentation;
o Formally approve the user identity;
o Escalate any issues to the Identity Registrar.

4.3.6 Identity Registrar (IT Applications)
The role responsible for provisioning applications and application roles within the IAM managed service, typically fulfilled by an IT administrator. Responsibilities include:
o Ensuring that the document "IAM Secured National IT Application Request" has been completed correctly;
o To provision the approved applications and roles;
o Create and maintain user names/passwords and request smartcards;
o Escalate any issues to the business approver.

4.3.7 Identity Approver (IT Applications)
The role responsible for approving provisioned applications and application roles within the IAM managed service, typically fulfilled by an IT administrator. Responsibilities include:
o Making sure that the information that has been entered is correct and in alignment with the documentation;
o To approve/deny the requested applications;
o To approve/deny requests for smartcards;
o Escalate any issues to the Identity Registrar.

4.3.8 Card Approver (IT Applications)
The role responsible for approving the issuance of a smart card to a user; typically fulfilled by an IT administrator. Responsibilities include:
o Approving/denying requests for smartcards;
o Escalate any issues to the Business Approver.

4.3.9 Card Issuer
The role responsible for physically printing and issuing a smart card to a user; typically fulfilled by an IT administrator. Responsibilities include:
o Verify the identity of the user prior to smartcard issuance;
o Assist the user in testing the issued card and confirming that it can be used to access national applications;
o Issuing smartcards;
o Verify that the user has signed the IAM Managed Service Issuing Authority End-entity Agreement;
o Verify that the user has signed form A656 - Essex Police Smart Card (Device) Security Personal Liability Form;
o To unlock smartcards if the user is unable to use the self-service option;
o The termination of smartcards as requested.

5.0 Implications of the Policy

5.1 Financial Implications
Siemens PLC apply an annual charge for the issuance of each IL4 Confidential (smartcard) credential. Therefore the on-going need for each IL4 credential shall be reviewed annually to ensure the cost impact to the force is minimised. Essex Police may incur annual charges for the registration and maintenance of partner agency identities.

5.2 Staffing and Training
All IAM administrators are required to complete CBT packages in relation to Data Protection, Information Security and Protective Marking that are available via the Information Management website.

5.2.1 Non-Essex Police Personnel
Non-Essex Police personnel requiring access to IAM protected applications shall complete form A651 - IAM application form. Their IAM sponsor and approver, who cannot be the same person, must be permanent Essex Police employees. Prior to the provisioning of any IAM protected application(s) for non-Essex Police personnel, Information Management shall confirm that a valid information sharing agreement exists and has been published on the force library of agreements.

5.3 Risk Assessments
The Corporate Risk Register contains a risk for Information Security.

5.4 Consultation
o Information Technology Department;
o Human Resources Department;
o Business Centre;
o Information Security;
o Finance Department;
o Police ICT Company;
o Home Office.

6.0 Monitoring/Review
This policy will be reviewed by or on behalf of the Head of Information Management within three years from the date of publication to ensure it remains accurate and fit for purpose.

7.0 Related Policies and Information Sources

7.1 Related Procedures
o G 0901 Procedure - Identity Access Management, Use of
o G 0902 Procedure - SUN Identity Management, Use of

7.2 Related Policies
o G 0800 Policy - Information Management
o D 2300 Policy - Police National Database (PND)

7.3 Other Source Documents
o Identity Access Management, IAM Guide (referenced and published on the College of Policing POLKA website).

7.4 Related Forms
o Form A651 Identity Access Management (IAM) Registration Form
o Form A652 Identity Access Management (IAM) Variation Form
o Form A656 IAM Smart Card (Device) Security Personal Liability Form
o Form A666 Identity Access Management (IAM) Variation Form, Removal of Application Access

7.5 Glossary
egif - e-government Interoperability Framework
HRA - Human Resources Assistant
HRBP - Human Resources Business Partner
IAM - Identity Access Management
IAM MS - Identity Access Management, Managed Service
PIN - Personal Identification Number
PND - Police National Database
POLKA - Police Online Knowledge Area (owned by the College of Policing)
SUN IDM - Sun Microsystems, Identity Manager
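The separation-of-duties rules stated in sections 4.1.4, 4.2.2, 4.3.1 and 5.2.1 (sponsor and approver must differ, neither may hold an IAM administration role for the application concerned, an initiated action takes effect only once a second person approves it, and a non-Essex applicant's sponsor and approver must be permanent Essex Police employees), as an added worked example in Python; this is not Essex Police or Siemens code. The role keys, the request data model, the staff lists and the sample names are assumptions constructed for illustration.

```python
"""Separation-of-duties checks for the IAM request workflow (added example,
not Essex Police or Siemens code). Role keys and data model are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# IAM administration roles named in section 4.3 (constructed keys).
IAM_ADMIN_ROLES = {"identity_registrar", "identity_approver",
                   "card_approver", "card_issuer"}


@dataclass
class AccessRequest:
    applicant: str
    application: str
    sponsor: str                            # business sponsor, 4.3.2
    approver: str                           # business approver, 4.3.3
    applicant_is_essex_police: bool = True  # False triggers the 5.2.1 rule


def sod_violations(req: AccessRequest,
                   admin_roles: Dict[str, Dict[str, Set[str]]],
                   permanent_staff: Set[str]) -> List[str]:
    """Return the policy rules the request breaks; an empty list is compliant.

    admin_roles maps application -> person -> IAM administration roles held.
    permanent_staff is the set of permanent Essex Police employees (assumed source).
    """
    problems: List[str] = []
    if req.sponsor == req.approver:
        problems.append("sponsor and approver must be different people (4.1.4/4.2.2)")
    for label, who in (("sponsor", req.sponsor), ("approver", req.approver)):
        held = admin_roles.get(req.application, {}).get(who, set()) & IAM_ADMIN_ROLES
        if held:
            problems.append(f"{label} {who} holds IAM administration role(s) "
                            f"{sorted(held)} for {req.application} (4.1.4/4.2.2)")
        if not req.applicant_is_essex_police and who not in permanent_staff:
            problems.append(f"{label} {who} must be a permanent Essex Police "
                            f"employee for a non-Essex applicant (5.2.1)")
    return problems


@dataclass
class TwoPersonAction:
    """An IAM action that takes effect only after a second person approves (4.3.1)."""
    description: str
    initiator: str
    approver: str = ""
    audit: List[str] = field(default_factory=list)   # auditable trail, 4.3.1

    def __post_init__(self) -> None:
        self.audit.append(f"initiated by {self.initiator}: {self.description}")

    @property
    def effective(self) -> bool:
        return bool(self.approver)

    def approve(self, by: str) -> bool:
        """Record the approval; refuses self-approval and repeated approval."""
        if by == self.initiator:
            self.audit.append(f"REJECTED self-approval attempt by {by}")
            return False
        if self.effective:
            self.audit.append(f"ignored duplicate approval by {by}")
            return False
        self.approver = by
        self.audit.append(f"approved by {by}; action now effective")
        return True


# Constructed sample data: carol is identity registrar for the PND application.
ADMIN_ROLES = {"PND": {"carol": {"identity_registrar"}}}
PERMANENT_STAFF = {"alice", "bob", "carol"}


def demo() -> List[str]:
    """A request where the sponsor also approves and is the PND registrar."""
    bad = AccessRequest("dave", "PND", sponsor="carol", approver="carol")
    return sod_violations(bad, ADMIN_ROLES, PERMANENT_STAFF)
```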