Production System Access
Purpose
The purpose of this policy is to define proper controls for access to production systems and applications. This policy also ensures that any changes made to the production system are documented.
Background
Limiting access to production systems and applications is a significant aspect of the security and integrity of the [enter-your-company-name-here] computing resources. Unrestricted access to production systems and applications could adversely impact [enter-your-company-name-here]’s business and finances.
For this reason, access to production systems and applications is strictly controlled.
Scope
The scope of this policy applies to non-end users who have access to [enter-your-company-name-here]’s internal production systems and applications.
Definitions
- Technology Resources – [enter-your-company-name-here]’s technology resources comprise computing, networking, and software applications that can be accessed by authorised [enter-your-company-name-here] users.
- User – For the purposes of all Information Security Policies, a user is defined as anyone with authorised access to [enter-your-company-name-here]’s technology resources, including permanent and temporary employees or third-party personnel such as contractors, consultants, and other parties with valid [enter-your-company-name-here] access accounts.
Procedure
Section 1 Roles and Responsibilities
The roles and responsibilities for enforcing production access, disseminating and updating account access information, and implementing any change requests are described below.
NOTE: Individuals may have permissions or functions that differ between production systems or applications. The roles listed below identify respective responsibilities as they pertain to job functions.
Production Support
Production Support at [enter-your-company-name-here] includes the following elements:
- The Network Operations Center (NOC);
- Elements of the IT Operations Group whose primary responsibility is production support;
- Elements of the IT Applications Group whose primary responsibility is production support.
Production Support is responsible for monitoring and maintaining all production systems and networks.
Accounts Administrator
The Accounts Administrator ensures that all properly requested changes to user accounts are carried out in an appropriate and timely manner, and that all the required procedures are followed.
Administrator
An Administrator is anyone designated by [enter-your-company-name-here]’s IT Management who may have controlling access to some facets of the operating system, databases, application platforms, or applications for which they are responsible.
Administrators are responsible for ensuring that user access to sensitive settings or data is restricted to authorised activity levels and for ensuring that security of the data and integrity of the application is maintained at all times.
Developer
Developers, including Business System Analysts, develop code or operations to be run on a production system and may have some production access.
Business Owner
The Business Owner provides approvals and reviews of access on a periodic basis for their area of ownership.
Information Security Services
Information Security Services (ISS) is responsible for enforcing, and ensuring compliance with, this and related policies concerned with maintaining a secure network and protecting sensitive data. ISS is also responsible for reviewing authorisation processes and auditing production systems access on a regular basis.
Quality Assurance (QA) – Change Management
QA – Change Management is responsible for reviewing and obtaining approval for all production changes.
Section 2 Production Systems
Production systems are systems or applications that provide [enter-your-company-name-here] business functionality. They may contain or process [enter-your-company-name-here] data or deliver the functionality required to run the business.
Production systems also include systems that support the production environment such as:
- Network Equipment;
- Authentication Systems;
- Monitoring Tools;
- Back-up Systems;
- File Servers;
- Remote Terminal Services.
Section 3 General Policies
From a permissions standpoint, [enter-your-company-name-here] systems must adhere to a principle of “least privilege” such that authorised users will not have access beyond the permissions required to perform their authorised job functions.
System-level accounts must not be used unless the user cannot perform the action/function under their normal privileges. Privileges must be elevated only as long as needed. For example, if a user does not need the root access privilege in UNIX to perform a function, the user should use their normal system ID.
Production access activity covered by the scope of this policy must be logged.
Changes or modifications may include, but are not limited to:
- Editing configuration files;
- Deleting or modifying production data;
- Modifying batch processes.
Section 4 Exceptions
Requests for policy exceptions must have a valid business justification. The exception must be documented and approved by the system owner or department manager. Information Security Services will evaluate, approve and store exception requests.
NOTE: Each exception request must be justified, documented, and approved separately. ISS maintains the right to deny any exception from this policy.
Section 5 Enforcement
Network activities may be monitored and logged to ensure compliance with the rules established in this and other ISS policies, procedures, standards, and guidelines.
Any user found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, or legal action as appropriate, or both. No provision of this policy will alter the at-will nature of the employment relationship at [enter-your-company-name-here].
Section 6 Policy Update and Notification
[enter-your-company-name-here] reserves the right to revise the conditions of this policy at any time by giving notice. Users are responsible for understanding or seeking clarification of any rules outlined in this document and for familiarising themselves with the most current version of this policy.