|
POLÍTICA DE CONTROL DE ACCESO TÉCNICO
IT-DOC-12 Versión: 2 Fecha de creación: 15/03/2021 Fecha de actualización: 11/05/2026 |
![]() |
Table of Contents
1. Scope
2. Defintions
3. Access control policy
3.1. DEVICE ACCESS
3.2. general User Accounts
3.3. Granting and revoking access
3.4. Authentication
3.5. Remote access
4. Active directory & server access
Privileged Access
4.1. Domain Administrator Accounts
4.2. Local Administrator Accounts Groups
4.3. Groups – Privileged Access
4.4. Service Accounts
4.5. APPLICATION DEVELOPERS
4.6. desktop administrators
4.7. USE OF TOOLS AND UTILITY PROGRAMS
4.8. System Accounts
4.9. cloud console Access
5. Roles and Responsibilities
6. Non-Compliance
1. Scope
The scope of this policy applies to MSC Colombia Local servers Accounts.
General Accounts
- Login Authentication Controls
- Remote Access;
- Device Access
Privileged Accounts – Domain Admins
- Service Accounts; Generic Account
- Critical Tools - Password Repository; Microsoft Information Manager
- Network Appliances and Firewalls
- Device Access
2. Defintions
- Privileged Accounts – Can alter system settings, data, user accounts or configurations
- Service Accounts – Accounts used by applications to run automated tasks
- Network Appliances – Firewall, Intrusion Detection/Prevention, and perimeter devices
3. Access control policy
This policy governs the security for user access, both regular and privileged, within the MSC Colombia environment. Segregation of Duties and "Least Privilege Principle" guidelines are considered when granting logical access, which ensures permissions are limited to essential job functions.
3.1. Device Access
Laptops, workstations or corporate supplied devices will be configured to restrict user’s access to system software and/or ability to make configuration changes to device.
- Operating systems changes are restricted to authorized IT Staff.
- Application installation is restricted to IT Department
- External storage devices are restricted, based on security group permissions.
3.2. General User Accounts
Access shall be assigned or revoked as per management direction or authorized HR notification of change in employment status. When staff transfer into new roles, their access will be adjusted to new requirements, revoking unnecessary access.
3.3. Granting and revoking access
When granting access to systems or applications, users shall only be granted permissions required to perform tasks access to MSC applications, systems and resources is authorized and granted by management.
- Access is granted based on the employee or user’s role within the organization.
- Each user account is required to be unique so that activity is traced to a specific user ID.
- Contractor or third-party accounts follow a designated naming convention, so they are easily identifiable.
3.4. Authentication
Minimum security settings must be configured to authenticate logins from internal or remote access.
User Accounts:
User ids must be unique and linked to a specific individual; when a shared account is required, it must have oversight and have the password stored in a password management tool, which tracks who last used the generic account.
Login Settings – Accounts must lock out after 5 invalid attempts.
- After lockout, reset duration is at least 30 minutes.
- Accounts logout after a period of inactivity and restrict concurrent logins
Password Settings:
Passwords are required to meet complexity, be stored encrypted and masked when entered.
- At least 12 Characters, containing a mix of capital and lower-case letters, numbers, and special characters.
- Last 12 passwords are prevented from being re-used.
3.5. Remote Access
- Remote access for general users is granted via Office 365. This software is linked to specific user accounts and requires multi-factor authentication that prevents unauthorized access. This access is granted based on management requests.
4. Active Directory & Server Access
Privileged Access
Privileged Accounts which allow control over operating systems or ability to change configuration in applications or appliances need to be restricted. Ensure access is granted based on Least Privilege Principle
4.1. Domain Administrator Accounts
Domain or Enterprise Administrative group membership is restricted to authorized MSC IT Staff, and must have MD Approval for it .
4.2. Local Administrator Accounts Groups
Local administrative access is restricted on desktops and servers to groups that require elevated access in order to perform job functions.
4.3. Groups – Privileged Access
When groups allow user access to restricted systems or data, they must be properly authorized and validated on a periodic basis.
4.4. Service Accounts
- Service Accounts must have an owner identified and a description of use
- Service Accounts with Administrative Access must have passwords reset periodically.
4.5. Application Developers
Application Developers are hired specifically to develop MSC Applications for the the users, system configuration and support of MSC business applications and related services. These administrators are authorized by the application owner or IT Management.
4.6. Desktop Administrators
Users that can install software or make changes to the operating system are limited to specific people that are authorized to be in the Desktop Administrators Group and Local Accounts, but it does require a MD Permission and a proper explication of the exemption
4.7. Use of Tools and Utility Programs
The use of utility programs that might be capable of overriding system and application controls shall be restricted and authorized by IT management. the standard software of the laptop is downloaded from the company portal app.
4.8. System Accounts
Accounts that are part of the operating system, appliance or application, must have passwords reset upon installation and periodically, as needed.
- Where possible, disable or rename built-in accounts.
- Maintain a list of system accounts and service accounts with administrative access
- Default passwords must be changed upon installation and meet MSC standards.
4.9. Cloud console Access
- Access to production networks and administrative cloud portals are based on least privilege or role-based controls and limited to authorized administrators and designated IT Staff
- Cloud console access is considered privileged and must be formally requested, including appropriate approvals, prior to granting the requested access
5. Roles and Responsibilities
|
Task |
IT Ops |
Human Resources |
Business Manager |
|
New User Request |
|
X |
X |
|
Termination or Transfer Request |
|
X |
X |
|
Approval for New or Modified Access |
|
X |
X |
|
Privileged Access Approval |
X |
X |
|
|
Grant or Revoke User Access |
X |
||
|
Grant or Revoke Privileged Access |
X |
||
|
Service Account Management |
X |
|
X |
|
Network Appliance Access |
X |
|
|
|
Department Change |
|
X |
X |
6. Non-Compliance
Employees must adhere to the stated requirements. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
