e) Each server will have a log book that will be used to document any reported problems or adverse event observations made during visits to the server room by any IT staff member or system administrator.
f) The log books are also used to document errors that are discovered outside routine monthly maintenance, and any configuration changes to each server or its key applications.
g) The server log books will be reviewed annually by IT management.
7) ATTACHMENT
a) Attachment IT-FR-003: “Generic Network Server Maintenance Electronic Log Form”
System Account Management
GENERIC COMPANY, INC.
IT Documentation TITLE: SYSTEM ACCOUNT MANAGEMENT
1) PURPOSE
a) To define Generic’s procedures regarding user account management for the Generic network.
2) SCOPE
a) This procedure applies to the Generic computer system and to the administrative and user accounts used on that system.
3) RESPONSIBILITIES
a) Generic’s IT department is responsible for preparation of this SOP.
b) Generic’s IT department is responsible for administering the accounts for the Generic computer system (i.e., the system administrator).
c) Generic’s IT management is responsible for approving this procedure
d) The relevant department manager is responsible for approving access and for denying access privileges, as indicated on the Employee Information Profile form and the Employee Departure form.
e) The Controller or CFO is responsible for annually reviewing user access within the accounting system.
4) REFERENCES
a) Employee Information Profile form
b) Employee Departure form
5) DEFINITIONS
a) User account: An account on a computer or network server that authenticates a user to access certain resources on the computer or network server.
b) Administrative account: An account on a computer or network server, similar to a user account, that authenticates the system’s administrator(s) and gives them the system permissions necessary to administer the system.
c) Username: The plain-text readable name of the account being used.
d) Password: A sequence of letters and/or numbers, determined by the user and known only to that user, that is used to confirm the user’s identity to the system
e) Log in: The act of providing a username and password to an authenticating computer system for the purpose of receiving system permission to access resources
f) Security groups: Collections of users grouped together to make the task of administering the system’s security easier and more logical
g) Secured resource: A resource located on a computer, such as a directory, file, or printer, which can be accessed or used only by accounts or groups authorized by the system administrator
h) Nonobvious password: A password that cannot be readily guessed by others. Common password components to avoid include the user’s name or any portion thereof; family member, friend, or pet names or any portion thereof; and any word, date, or number associated with the user and potentially known to others.
i) Home directory: A private folder created for each user with the drive letter designation H:. This folder is used by the system to hold that user’s system settings, and by the user to store documents that are accessible only to that employee or the system administrators.
6) PROCEDURES
a) Every individual who accesses the Generic computer system will be given a private account with which to access the system
b) When a new account is needed for access to the system (either by a new employee or by any other party that needs to access the Generic computer system), an Employee Information Profile form will be generated for that account.
c) The completed form is signed by the responsible manager and submitted to the IT department.
d) Significant changes in privileges (such as when an employee moves to a different job within the company) must be initiated by the completion of a new Employee Information Profile form, signed by the responsible manager.
i) After the account is created or changed, the Employee Information Profile form is signed by the IT staff member who performed the changes.
ii) Completed Employee Information Profile forms will be maintained by the IT department.
e) Accounts are created and maintained using the standard administrative tools of the system for which they are created. For example, creating a Windows network account uses the standard programs and procedures specified by Microsoft, creating an accounting system account follows the procedures outlined by its vendor, and so forth.
f) Accounting system annual review
i) Once a year, the Controller or CFO will review all user accounts and their access to accounting functions by reviewing a current printout of user account information and menu security assignments prepared by the IT department.
ii) The Controller or CFO will note any changes needed to user group assignments or menu security and will forward a list of changes to the IT department.
iii) The IT department will make the security changes in the accounting system as indicated by the Controller or CFO.
iv) If no changes are necessary, the printout of the user accounts and their access to the accounting system menu functions will be signed and dated by the Controller or CFO and retained as internal control documentation.
7) POLICY
a) The password policy for Generic is as follows:
i) For the Generic network:
(1) Passwords must be at least eight characters long.
(2) Passwords must conform to the Microsoft Windows network password “complexity rules.” The complexity rules state that a password must include at least one character from three of the following four groups:
(i) Uppercase alpha (A–Z)
(ii) Lowercase alpha (a–z)
(iii) Numeric (0–9)
(iv) Special characters (!@#$, etc.)
(3) The system will automatically force a password change once per year. Users may change their passwords more frequently if required or desired.
(4) The system maintains a password history and will not allow a user to reuse any of that user’s previous five passwords.
(5) The system maintains an “account lockout policy” that will lock any account after eight invalid logon attempts within any 30-minute period. A locked account can be unlocked only by an IT system administrator.
(6) Special logins and passwords are set for certain computers in the building. These logins are restricted so that they can be used only from those computers, and they serve specific purposes (such as using a computer connected to a laboratory instrument, or using one of the presentation computers). These accounts are further secured with limited access to the network. They are exempt from the normal password policy settings; instead they use a password assigned by the IT department, which is known to a number of employees and is not required to be changed.
ii) For the accounting system:
(1) Accounting system accounts are secured with an accounting-system-specific username and password.
(2) The accounting system will force a password change every 90 days on all of its accounts. Users will be instructed to choose nonobvious passwords, although the accounting system has no facility to enforce password length or complexity.
b) User responsibilities:
i) Users must not share their passwords or security codes with anyone, including system administrators and their own management.
ii) Users will make reasonable efforts to conceal their passwords or security codes.
iii) Users will not ask others for the use of their password or security code.
iv) If a user loses or forgets a password, the administrator will assign a new temporary password and will set the account so that the user is prompted to select a new private password at the next login.
v) Each user is responsible for logging off, shutting down or locking his or her computer at the end of each business day
c) When a user leaves the company:
i) Human Resources and the appropriate supervisor will complete the Employee Departure form, indicating the date of departure and any special considerations as specified in the form.
ii) In the case of a standard departure, Human Resources will give the completed Employee Departure form to the IT department. The IT department will disable all appropriate accounts and handle any special considerations specified on the form at the close of business on the employee’s last day of employment.
iii) In the case of a priority termination, all accounts held by the affected user will be disabled immediately.
iv) Upon completion of the termination, and before any accounts or data are deleted, the Special Considerations section of the form will be reviewed to see whether prior approval of deletions is required.
v) Completed Employee Departure forms will be maintained by the IT department.
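The network password rules in section 7(a)(i) are stated as settings, which leaves open how they are actually applied to a candidate password or a run of failed logins. The following is an added example, not part of the original SOP and not Generic’s own tooling: it implements those rules as checks (eight-character minimum, three of four character classes, the nonobvious-password definition from section 5(h), a five-password history kept as salted hashes, and a sliding 30-minute lockout window of eight failures that only an administrator clears). The function and class names, the choice of SHA-256 over a per-user salt for the history, and the sample passwords and timestamps are all constructed for illustration; Windows itself applies equivalent rules through its own policy engine, not through this code.

```python
"""Checks for the Generic network password and lockout policy (added example)."""
from __future__ import annotations

import hashlib
import string
from datetime import datetime, timedelta

MIN_LENGTH = 8            # 7(a)(i)(1)
CLASSES_REQUIRED = 3      # 7(a)(i)(2): three of four character groups
HISTORY_DEPTH = 5         # 7(a)(i)(4)
LOCKOUT_THRESHOLD = 8     # 7(a)(i)(5)
LOCKOUT_WINDOW = timedelta(minutes=30)


def character_classes(password: str) -> int:
    """Count how many of the four complexity groups appear in the password."""
    groups = (
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),  # assumption: 'special' = ASCII punctuation
    )
    return sum(groups)


def contains_obvious_token(password: str, tokens: list[str]) -> bool:
    """Nonobvious-password rule: reject a password containing the user's name
    or another known token (case-insensitive; tokens under 3 chars are ignored)."""
    low = password.lower()
    return any(len(t) >= 3 and t.lower() in low for t in tokens)


def password_fingerprint(password: str, salt: bytes) -> str:
    """History entries hold a salted hash, never the password itself (assumed scheme)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def check_password(password: str, username: str, known_tokens: list[str],
                   history: list[str], salt: bytes) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < CLASSES_REQUIRED:
        problems.append("fewer than three of four character classes")
    if contains_obvious_token(password, [username] + known_tokens):
        problems.append("contains the username or another obvious token")
    if password_fingerprint(password, salt) in history[-HISTORY_DEPTH:]:
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems


class LockoutTracker:
    """Sliding-window lockout: lock after LOCKOUT_THRESHOLD failures within any
    LOCKOUT_WINDOW. Events are assumed to arrive in time order. Only admin_unlock
    clears a lock, matching 'unlocked only by an IT system administrator'."""

    def __init__(self) -> None:
        self.failures: dict[str, list[datetime]] = {}
        self.locked: set[str] = set()

    def record_failure(self, user: str, when: datetime) -> bool:
        """Record one failed logon; return True if the account is (now) locked."""
        if user in self.locked:
            return True
        # Keep only failures still inside the window ending at `when`.
        recent = [t for t in self.failures.get(user, []) if when - t < LOCKOUT_WINDOW]
        recent.append(when)
        self.failures[user] = recent
        if len(recent) >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
        return user in self.locked

    def admin_unlock(self, user: str) -> None:
        """Administrative unlock also resets the failure counter."""
        self.locked.discard(user)
        self.failures.pop(user, None)


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"
    old = [password_fingerprint("Winter2024!", salt)]          # constructed history
    print(check_password("Winter2024!", "jsmith", ["Smith"], old, salt))
    print(check_password("Tr0ub4dor&3", "jsmith", ["Smith"], old, salt))
    tracker = LockoutTracker()
    t0 = datetime(2024, 1, 1, 9, 0)                              # constructed timestamps
    print([tracker.record_failure("jsmith", t0 + timedelta(minutes=i)) for i in range(8)])
```

Two points the policy text leaves implicit and the code makes concrete: the history comparison works on salted hashes, so the old passwords are never stored in clear; and the lockout window is evaluated per attempt, so seven failures followed by an eighth more than 30 minutes later does not lock the account.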
Change Control
GENERIC COMPANY, INC.
IT Documentation TITLE: Accounting System Change Control
1) PURPOSE
a) Sets forth policies relating to program or direct database changes to the accounting system, its server, or its backup software used at Generic.
b) Sets forth procedures to follow to request, review, approve, and test changes to the accounting system, its server, or its backup software at Generic.
2) SCOPE
a) This document applies to the accounting system installed at Generic’s headquarters.
3) RESPONSIBILITIES
a) The IT department is responsible for generation and for annual review and update of this document.
b) The Controller or CFO is responsible for approving this document and any subsequent changes.
c) Each requestor of a change is responsible for completing a change request form and submitting it to the IT department.