User Account Management Policy Example based on IGA

Nova Novriansyah
Novai-Cybersecurity 101
4 min read · Jul 22, 2024

1. Purpose

This policy outlines the procedures for creating, maintaining, and deactivating user accounts at Financial Secure Inc. It ensures that user access to systems and data is managed securely and efficiently, protecting sensitive information and complying with regulatory requirements.

2. Scope

This policy applies to all employees, contractors, partners, and any other individuals who require access to Financial Secure Inc.’s systems and data.

3. Definitions

  • User Account: A unique identifier assigned to an individual to access Financial Secure Inc.’s systems and data.
  • Access Request: A formal request for access to specific systems or data.
  • Role-Based Access Control (RBAC): A method of regulating access based on the roles assigned to users.
  • Access Certification: A periodic review of user access rights to ensure they remain appropriate.

4. Account Creation

Policy

  • User accounts will be created upon hiring a new employee or when a contractor or partner requires access.
  • Each user must have a unique identifier (username) and a strong password that complies with the company’s password policy.

Procedure

  1. The hiring manager submits an access request form to the IT department, including the employee’s role and required system access.
  2. The IT department reviews the request, verifies the details, and creates the user account in the relevant systems (e.g., email, financial software, HR system).
  3. An automated email is sent to the new employee with their login credentials and instructions on how to change their initial password.

Example

  • User: Tri Doni
  • Role: Financial Analyst
  • Access Required: Email, Financial Reporting System, Document Management System
  • Username: tdoni
  • Initial Password: Randomly generated and sent via secure email

5. Access Requests and Approvals

Policy

  • All access requests must be approved by the employee’s direct manager and, if applicable, the system owner.

Procedure

  1. Employees submit access requests through the company’s IGA portal.
  2. The request is automatically forwarded to the direct manager for approval.
  3. Once the manager approves, the request is sent to the system owner for final approval.
  4. Upon final approval, the IT department grants the requested access and updates the employee’s account.

Example

  • Requester: Tri Doni
  • Requested Access: Access to the Trading System
  • Manager Approval: Juli Sulistio (Manager)
  • System Owner Approval: Michael Jatmiko (Head of Trading)
  • IT Department Action: Granted access and updated Tri Doni’s account

6. Maintaining User Accounts

Policy

  • User accounts must be maintained to ensure they reflect current roles and responsibilities.
  • Passwords must be changed every 90 days, and accounts must be locked after three unsuccessful login attempts.

Procedure

  1. The IT department monitors accounts for compliance with the password policy.
  2. Automated reminders are sent to users to change their passwords before the expiration date.
  3. Accounts are locked after three unsuccessful login attempts, and users must contact the help desk to unlock their accounts.

Example

  • User: John Doe
  • Password Change Reminder: Sent on the 85th day
  • Account Lockout: Triggered after three failed attempts, requiring help desk intervention
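The two controls in this section (a 90-day rotation with a reminder on the 85th day, and a lockout after three failed attempts that only the help desk can clear) are easy to model. The following Python is an added illustration, not code from the article or from any IGA product; the account data, the job names and the help-desk ticket format are constructed for the example.

```python
"""Added example (not from the original policy): a minimal model of the
section 6 controls, 90-day password rotation with a reminder on day 85 and
lockout after three failed logins. All account data is constructed."""
from dataclasses import dataclass
from datetime import date

PASSWORD_MAX_AGE_DAYS = 90   # rotation interval stated by the policy
REMINDER_DAY = 85            # reminder goes out on the 85th day
MAX_FAILED_ATTEMPTS = 3      # lockout threshold stated by the policy


@dataclass
class Account:
    username: str
    password_set_on: date
    failed_attempts: int = 0
    locked: bool = False
    reminder_sent: bool = False


def password_age(acct: Account, today: date) -> int:
    """Whole days since the password was last set."""
    return (today - acct.password_set_on).days


def password_expired(acct: Account, today: date) -> bool:
    return password_age(acct, today) >= PASSWORD_MAX_AGE_DAYS


def reminder_due(acct: Account, today: date) -> bool:
    """True from day 85 until expiry, but only once per password."""
    age = password_age(acct, today)
    return REMINDER_DAY <= age < PASSWORD_MAX_AGE_DAYS and not acct.reminder_sent


def run_daily_compliance(accounts, today: date):
    """Procedure steps 1-2: the daily IT job. Returns (username, action)
    pairs so the caller can send the reminder or force a change."""
    actions = []
    for a in accounts:
        if password_expired(a, today):
            actions.append((a.username, "EXPIRED: force change at next login"))
        elif reminder_due(a, today):
            a.reminder_sent = True
            days_left = PASSWORD_MAX_AGE_DAYS - password_age(a, today)
            actions.append((a.username, "REMINDER: password expires in %d days" % days_left))
    return actions


def record_login_attempt(acct: Account, success: bool) -> str:
    """Procedure step 3: three consecutive failures lock the account.
    A locked account rejects every attempt, even with the right password,
    until the help desk unlocks it; a successful login resets the counter."""
    if acct.locked:
        return "LOCKED: contact help desk"
    if success:
        acct.failed_attempts = 0
        return "OK"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
        return "LOCKED: contact help desk"
    return "FAILED (%d of %d)" % (acct.failed_attempts, MAX_FAILED_ATTEMPTS)


def helpdesk_unlock(acct: Account, ticket_id: str) -> str:
    """Only the help desk path clears the lock; the ticket id is the audit trail."""
    acct.locked = False
    acct.failed_attempts = 0
    return "UNLOCKED by help desk ticket %s" % ticket_id


if __name__ == "__main__":
    jdoe = Account("jdoe", date(2024, 1, 1))          # constructed sample
    print(run_daily_compliance([jdoe], date(2024, 3, 26)))   # day 85: reminder
    for ok in (False, False, False):
        print(record_login_attempt(jdoe, ok))
    print(helpdesk_unlock(jdoe, "HD-0001"))
```

Two details worth noting for an implementer: the reminder flag is reset only when the password actually changes (a new `password_set_on`), so the user is not nagged daily, and a locked account returns the same message whether or not the supplied password was correct, so the lock cannot be used to confirm a password guess.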

7. Periodic Access Reviews

Policy

  • Access reviews must be conducted quarterly to ensure that employees have appropriate access rights.

Procedure

  1. The IT department generates a report of all user access rights and sends it to the respective managers for review.
  2. Managers review the access rights of their team members and certify whether the access is still required.
  3. Any access deemed unnecessary is revoked by the IT department.

Example

  • Review Period: Q1 2024
  • Manager: Juli Sulistio
  • Action: Reviewed and certified access for Tri Doni, revoked access to the Document Management System for an employee who no longer needs it
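The certification workflow above (IT exports entitlements, each manager certifies or revokes for their own team, IT revokes the rest) is shown below as an added Python example; it is not code from the article or from any IGA platform. The entitlement snapshot, usernames and manager ids are constructed. The example goes one step beyond the text in two ways a practitioner would want: a manager's decision on an entitlement outside their own team is rejected, and anything a manager did not decide on is reported as uncertified rather than silently kept.

```python
"""Added example (not from the original policy): a minimal model of the
section 7 quarterly access certification. All records are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    user: str      # account username
    system: str    # system the account has access to
    manager: str   # manager who must certify this access


# Constructed snapshot of the kind IT would export from the IGA platform.
ACCESS_SNAPSHOT = [
    Entitlement("tdoni", "Email", "jsulistio"),
    Entitlement("tdoni", "Financial Reporting System", "jsulistio"),
    Entitlement("tdoni", "Trading System", "jsulistio"),
    Entitlement("asari", "Document Management System", "jsulistio"),
    Entitlement("bwijaya", "HR System", "rlestari"),
]


def build_review_packets(snapshot):
    """Step 1: group current entitlements by the manager who must review them."""
    packets = defaultdict(list)
    for e in snapshot:
        packets[e.manager].append(e)
    return dict(packets)


def apply_certifications(snapshot, decisions):
    """Steps 2-3. `decisions` maps manager -> {(user, system): 'certify'|'revoke'}.

    Returns (revoke, uncertified, rejected):
      revoke       entitlements the owning manager marked for removal
      uncertified  entitlements with no decision from their manager
      rejected     (manager, key) decisions on access the manager does not own
    """
    packets = build_review_packets(snapshot)
    decided, rejected = {}, []
    for manager, manager_decisions in decisions.items():
        own = {(e.user, e.system) for e in packets.get(manager, [])}
        for key, verdict in manager_decisions.items():
            if key in own:
                decided[key] = verdict
            else:
                rejected.append((manager, key))   # not this manager's report
    revoke, uncertified = [], []
    for e in snapshot:
        verdict = decided.get((e.user, e.system))
        if verdict == "revoke":
            revoke.append(e)
        elif verdict != "certify":
            uncertified.append(e)
    return revoke, uncertified, rejected


def close_review(snapshot, decisions):
    """IT removes revoked access; uncertified items stay open for escalation."""
    revoke, uncertified, _ = apply_certifications(snapshot, decisions)
    remaining = [e for e in snapshot if e not in revoke]
    return remaining, uncertified


if __name__ == "__main__":
    # Constructed Q1 decisions: one manager responds, the other does not.
    decisions = {
        "jsulistio": {
            ("tdoni", "Email"): "certify",
            ("tdoni", "Financial Reporting System"): "certify",
            ("tdoni", "Trading System"): "certify",
            ("asari", "Document Management System"): "revoke",
            ("bwijaya", "HR System"): "revoke",   # not her report: rejected
        }
    }
    remaining, open_items = close_review(ACCESS_SNAPSHOT, decisions)
    print(len(remaining), "entitlements remain;", len(open_items), "uncertified")
```

Treating silence as "uncertified" rather than "certified" is the design choice that keeps the quarterly review meaningful: a manager who never responds cannot passively re-approve their team's access.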

8. Termination of Access

Policy

  • User accounts must be deactivated immediately upon termination of employment or end of a contract.

Procedure

  1. The HR department notifies the IT department of the employee’s termination date.
  2. The IT department disables the user account on the termination date and revokes all access rights.
  3. An exit checklist is completed to ensure all company assets are returned.

Example

  • Terminated Employee: Tri Doni
  • Termination Date: March 31, 2024
  • IT Department Action: Disabled Tri Doni’s account and revoked access on March 31, 2024
  • Exit Checklist: Completed and all assets returned

9. Audit and Reporting

Policy

  • Regular audits of user accounts and access rights will be conducted to ensure compliance with this policy.
  • Reports on user access and account activity will be generated and reviewed by the IT department and senior management.

Procedure

  1. The IT department conducts quarterly audits of user accounts and access rights.
  2. Audit reports are reviewed by senior management to ensure compliance with internal policies and regulatory requirements.
  3. Any discrepancies or issues identified during the audit are addressed promptly.

10. Enforcement

Failure to comply with this policy may result in disciplinary action, up to and including termination of employment or contract.

11. Review and Revision

This policy will be reviewed annually and updated as necessary to ensure it remains effective and compliant with regulatory requirements.

Approval

  • Approved by: [Name, Title]
  • Date: [Approval Date]
