POLÍTICA DE CONTROL DE ACCESO TÉCNICO

 

IT-DOC-12

Versión: 2

Fecha de creación: 15/03/2021

Fecha de actualización: 11/05/2026

 

 

 

Table of Contents

 

1.  Scope 

2.  Defintions 

3.  Access control policy

3.1. DEVICE ACCESS 

3.2. general User Accounts 

3.3. Granting and revoking access 

3.4. Authentication  

3.5. Remote access 

4.   Active directory & server access 

Privileged Access 

4.1.  Domain Administrator Accounts 

4.2.  Local Administrator Accounts Groups 

4.3.  Groups – Privileged Access 

4.4.  Service Accounts 

4.5.  APPLICATION DEVELOPERS 

4.6.  desktop administrators 

4.7.  USE OF TOOLS AND UTILITY PROGRAMS 

4.8.  System Accounts 

4.9.  cloud console Access 

5. Roles and Responsibilities 

6. Non-Compliance 

 

 

 

1. Scope

The scope of this policy applies to MSC Colombia Local servers Accounts.

 

General Accounts

  • Login Authentication Controls
  • Remote Access;
  • Device Access

 

Privileged Accounts – Domain Admins

  • Service Accounts; Generic Account
  • Critical Tools - Password Repository; Microsoft Information Manager
  • Network Appliances and Firewalls
  • Device Access

2. Defintions

  • Privileged Accounts – Can alter system settings, data, user accounts or configurations
  • Service Accounts – Accounts used by applications to run automated tasks
  • Network Appliances – Firewall, Intrusion Detection/Prevention, and perimeter devices

 

3. Access control policy

This policy governs the security for user access, both regular and privileged, within the MSC Colombia environment.   Segregation of Duties and "Least Privilege Principle" guidelines are considered when granting logical access, which ensures permissions are limited to essential job functions. 

 

3.1.  Device Access

Laptops, workstations or corporate supplied devices will be configured to restrict user’s access to system software and/or ability to make configuration changes to device.

  • Operating systems changes are restricted to authorized IT Staff.
  • Application installation is restricted to IT Department 
  • External storage devices are restricted, based on security group permissions.

 

3.2.  General User Accounts

Access shall be assigned or revoked as per management direction or authorized HR notification of change in employment status.    When staff transfer into new roles, their access will be adjusted to new requirements, revoking unnecessary access.

 

3.3.  Granting and revoking access

When granting access to systems or applications, users shall only be granted permissions required to perform tasks access to MSC applications, systems and resources is authorized and granted by management.

  • Access is granted based on the employee or user’s role within the organization.
  • Each user account is required to be unique so that activity is traced to a specific user ID.
  • Contractor or third-party accounts follow a designated naming convention, so they are easily identifiable.

 

3.4. Authentication

Minimum security settings must be configured to authenticate logins from internal or remote access.

User Accounts:

User ids must be unique and linked to a specific individual; when a shared account is required, it must have oversight and have the password stored in a password management tool, which tracks who last used the generic account.

 

Login Settings – Accounts must lock out after 5 invalid attempts.

  • After lockout, reset duration is at least 30 minutes. 
  • Accounts logout after a period of inactivity and restrict concurrent logins

 

Password Settings:

Passwords are required to meet complexity, be stored encrypted and masked when entered.

  • At least 12 Characters, containing a mix of capital and lower-case letters, numbers, and special characters.
  • Last 12 passwords are prevented from being re-used.

3.5. Remote Access

  • Remote access for general users is granted via Office 365.  This software is linked to specific user accounts and requires multi-factor authentication that prevents unauthorized access.  This access is granted based on management requests.

 

4. Active Directory & Server Access

Privileged Access

Privileged Accounts which allow control over operating systems or ability to change configuration in applications or appliances need to be restricted. Ensure access is granted based on Least Privilege Principle

4.1. Domain Administrator Accounts

Domain or Enterprise Administrative group membership is restricted to authorized MSC IT Staff, and must have MD Approval for it .

4.2. Local Administrator Accounts Groups

Local administrative access is restricted on desktops and servers to groups that require elevated access in order to perform job functions.  

4.3.  Groups – Privileged Access

When groups allow user access to restricted systems or data, they must be properly authorized and validated on a periodic basis.

4.4.  Service Accounts

  • Service Accounts must have an owner identified and a description of use
  • Service Accounts with Administrative Access must have passwords reset periodically.  

4.5. Application Developers

Application Developers are hired specifically to develop MSC Applications for the the users, system configuration and support of MSC business applications and related services.  These administrators are authorized by the application owner or IT Management.

4.6. Desktop Administrators

Users that can install software or make changes to the operating system are limited to specific people that are authorized to be in the Desktop Administrators Group and Local Accounts, but it does require a MD Permission and a proper explication of the exemption

4.7.  Use of Tools and Utility Programs   

The use of utility programs that might be capable of overriding system and application controls shall be restricted and authorized by IT management. the standard software of the laptop is downloaded from the company portal app.

4.8.  System Accounts

Accounts that are part of the operating system, appliance or application, must have passwords reset upon installation and periodically, as needed. 

  • Where possible, disable or rename built-in accounts.
  • Maintain a list of system accounts and service accounts with administrative access
  • Default passwords must be changed upon installation and meet MSC standards.

4.9.  Cloud console Access

  • Access to production networks and administrative cloud portals are based on least privilege or role-based controls and limited to authorized administrators and designated IT Staff
  • Cloud console access is considered privileged and must be formally requested, including appropriate approvals, prior to granting the requested access

 

5. Roles and Responsibilities

Task

IT Ops

Human Resources

Business Manager

New User Request

 

X

X

Termination or Transfer Request

 

X

X

Approval for New or Modified Access

 

X

X

Privileged Access Approval

X

 

X

Grant or Revoke User Access

X

   

Grant or Revoke  Privileged Access

X

   

Service Account Management

X

 

X

Network Appliance Access

X

 

 

Department Change

 

X

X

 

6. Non-Compliance

Employees must adhere to the stated requirements. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.