
Information Access Policy

Classification: Public
Location: https://www.medcrowd.com/compliance/iso27001/policies/InformationAccess
Author: Paul Gardner
Approver: Felix Jackson
Approved: 14th December 2016

Change history (date, author, changes):

  • 19th June 2023, Paul Gardner: Periodic review
  • 6th June 2022, Paul Gardner: Periodic review
  • 16th February 2021, Paul Gardner: Periodic review
  • 12th February 2020, Paul Gardner: Periodic review
  • 20th November 2019, Paul Gardner: Repeated failures to authenticate will result in account suspension
  • 2nd May 2018, Paul Gardner: Periodic review
  • 5th December 2016, Paul Gardner: Added restrictions to source code access; added section on privileged utility programs
  • 14th November 2016, Paul Gardner: Moved to the web
  • 31st May 2016, Paul Gardner: State password complexity requirements
  • 17th May 2016, Paul Gardner: Change location of policy; shared accounts (e.g. Twitter) are now permitted where managed by IT and access is managed via Okta; removal of user accounts is now actioned within 1 business day
  • 29th July 2015, Paul Gardner: Periodic review
  • 8th September 2014, Paul Gardner: Rebranding
  • 30th June 2014, Paul Gardner: Initial revision

Introduction

This policy is part of the medDigital ISMS and must be fully complied with.

Availability, confidentiality and integrity are fundamental aspects of information protection and are achieved through physical, logical and procedural control. It is vital that users who have access to information assets are aware of, and understand, how their actions may impact the security of that information.

Availability: Systems and information are physically secure and will be accessible to authorised persons when required.

Confidentiality: Systems and information will be protected against unauthorised access.

Integrity: The accuracy and completeness of systems and information are safeguarded.

Scope

This policy applies to every authorised user of systems and information belonging to, or under the control of, medDigital.

Systems & Information Access

All employees and contractors must complete the medDigital Information Security training program and review the ISMS when they join the company and every January thereafter to ensure each individual is aware of their responsibilities in respect of information security.

User Management

The HR & User Management System (UMS) allows line managers to request new accounts and to submit requests to grant or revoke systems access. The UMS allows IT to produce audit reports on users, systems & physical assets for internal and external stakeholders.

When requesting access to any system that contains restricted or personal information, managers must provide justification giving consideration to the principle of least privilege. The business need, job function and role must be considered. Owners of these systems will need to agree to this access in the UMS before the request is routed to the administrators of the system to action.

The HR system will automatically submit termination requests in the UMS in the event of an employee or contractor no longer working for the company. IT are required to act on those termination requests within one business day.

Managers should review the access rights of their users every quarter. The UMS will prompt the manager by email when it is time to do so.

The UMS logs all activities and retains these logs indefinitely.

Credentials

Active Directory credentials will be issued by IT directly to the new user. Users will be required to change their password at first login and this will be enforced by Group Policy. The storing of Active Directory credentials in either written or electronic form is prohibited.

The disclosure of credentials to any other person, including other employees/contractors, is prohibited.

Passwords must meet the following requirements:

  • Changed at least every 180 days
  • Cannot have been used previously
  • Minimum length of 7 characters
  • Cannot contain the user ID
  • Cannot contain the user name
  • Contain characters from at least 3 of the following groups:
    • Uppercase characters
    • Lowercase characters
    • Numbers 0 to 9
    • Non-alphanumeric characters (!, @, #, $, etc.)
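A checker for exactly these requirements, added here as an example and not part of the policy or of medDigital's tooling; the user ID, user name and password history are constructed sample values:

```python
"""Checks a candidate password against the policy's stated requirements.
Added example, not medDigital's own code. Sample identities and password
history are constructed; a real system compares against stored hashes."""
import re
from datetime import date, timedelta

MIN_LENGTH = 7
MAX_AGE_DAYS = 180
REQUIRED_GROUPS = 3  # characters from at least 3 of the 4 groups below
CHARACTER_GROUPS = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password, user_id, user_name, previous_passwords):
    """Return the list of policy rules the password violates (empty = compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("minimum length of 7 characters")
    lowered = password.lower()
    # Case-insensitive containment checks for the user ID and user name.
    if user_id.lower() in lowered:
        violations.append("cannot contain the user ID")
    if any(part in lowered for part in user_name.lower().split()):
        violations.append("cannot contain the user name")
    if password in previous_passwords:
        violations.append("cannot have been used previously")
    groups = sum(1 for pattern in CHARACTER_GROUPS.values() if pattern.search(password))
    if groups < REQUIRED_GROUPS:
        violations.append("characters from at least 3 of 4 groups")
    return violations


def password_expired(last_changed_iso, today_iso):
    """True when the password is older than the 180-day maximum age."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample: user ID "jsmith", user name "Jane Smith", no history.
    print(check_password("Tr0ub4dor&3", "jsmith", "Jane Smith", set()))   # []
    print(check_password("jsmith2024!", "jsmith", "Jane Smith", set()))
    print(password_expired("2023-01-01", "2023-07-01"))                    # True
```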

Generic shared credentials are not permitted unless absolutely necessary (e.g. a third party service which does not support individual accounts).

Authentication

Authentication can only be performed on devices provided by the Company.

If a user fails to authenticate with Active Directory 10 times within 30 minutes, the account will be suspended and the user will need to contact IT to manually unlock the account.
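The lockout rule applied as detection logic over constructed authentication events, added here as an example rather than taken from medDigital's systems; the event format and the choice not to reset the count on a successful login (the policy does not say) are assumptions:

```python
"""Applies the policy's lockout rule, 10 failed authentications within
30 minutes, to a stream of authentication events. Added example, not
medDigital's own code; the events below are constructed sample data."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 10
WINDOW = timedelta(minutes=30)

# Constructed events as (timestamp, account, outcome). "alice" fails 10 times
# in 18 minutes; "bob" fails 10 times but spread 20 minutes apart over 3 hours.
BASE = datetime(2023, 6, 19, 9, 0)
SAMPLE_EVENTS = (
    [(BASE + timedelta(minutes=2 * i), "alice", "FAIL") for i in range(10)]
    + [(BASE + timedelta(minutes=20 * i), "bob", "FAIL") for i in range(10)]
    + [(BASE + timedelta(minutes=5), "bob", "SUCCESS")]
)


def accounts_to_suspend(events):
    """Return {account: timestamp of the failure that triggered suspension}.

    A sliding window of failure timestamps is kept per account; an account is
    flagged when the window holds FAILURE_THRESHOLD failures. Successful logins
    are ignored (assumption: the policy does not say they reset the count).
    """
    recent = defaultdict(deque)
    suspended = {}
    for ts, account, outcome in sorted(events):
        if account in suspended or outcome != "FAIL":
            continue
        window = recent[account]
        window.append(ts)
        # Drop failures older than 30 minutes relative to this one.
        while ts - window[0] > WINDOW:
            window.popleft()
        if len(window) >= FAILURE_THRESHOLD:
            suspended[account] = ts
    return suspended


if __name__ == "__main__":
    for account, ts in accounts_to_suspend(SAMPLE_EVENTS).items():
        print(f"suspend {account}: 10th failure within 30 minutes at {ts:%H:%M}")
```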

After authenticating, users should ensure that equipment is not left unattended and that active sessions are terminated or locked as necessary. Where possible, this will be enforced by Group Policy.

Administrative access to systems & networks

Administrative access to systems & networks must be restricted to IT personnel and require multi-factor authentication.

Access to source code

Access to all source code must be restricted to IT personnel and require multi-factor authentication.

Use of privileged utility programs

The use of utility programs which require root/administrator privileges to execute is prohibited.

Breaches of Policy

medDigital will take appropriate measures to remedy any breach. In the case of an employee, the matter may be dealt with under the disciplinary process. In the case of a contractor, the matter may lead to legal action.

Responsibilities

Paul Gardner is responsible for ensuring the availability of the UMS and for producing reports to satisfy audit requests.

Managers are responsible for submitting UMS requests in relation to the individuals they manage.

System Owners are responsible for approving or rejecting UMS requests giving consideration to the justification provided and the principle of least privilege.

System Administrators are responsible for actioning approved UMS requests.

Managers are responsible for reviewing systems access on a quarterly basis and revoking access where appropriate.

Individuals are responsible for choosing passwords that meet policy requirements and changing those passwords.

Paul Gardner is responsible for ensuring administrative access to systems, network and source code repositories requires multi-factor authentication.

Individuals have a responsibility to report incidents and breaches of policy as a matter of urgency via the Incident Reporting procedure.