Page 18 - Information_Security_Program

ACCESS CONTROL [DP241]

        Scope: Enterprise
        Distribution: All employees
        Purpose: To limit access to information to authorized individuals.
        External Regulation or Standard: 45 CFR 164.308(a)(3)(ii)(B) ‐ Workforce Security; 45 CFR 164.312(a)(2)(ii) ‐ Access Control; PCI DSS 7.1

         Who is Responsible    Statement     Policy, Standard, or Procedure Statement
                                Number
         Directors and           DP241.1     User access to payment card (credit or debit card) information is granted with the
         Managers to request,                least amount of privileges necessary to perform the individual’s job responsibilities.
         with Chief Officer or
         Director of Information
         Technology, Privacy
         and Data Security
         approval and IT Staff
         Directors and           DP241.2     User access to payment card information is based on the individual’s job
         Managers to request,                classification and function.
         with Chief Officer or
         Director of Information
         Technology, Privacy
         and Data Security
         approval and IT Staff
         Directors and           DP241.3     Recorded authorization is required using the IT Employee Access Form prior to
         Managers to request,                granting a user access to Business Confidential or Privacy Restricted information. The
         with Chief Officer or               appropriate Chief Officer or Director of Information Technology, Privacy and Data
         Director of Information             Security must approve access prior to the change.
         Technology, Privacy
         and Data Security
         approval and IT Staff
         Directors, Managers     DP241.4     Supervisors must promptly notify their area Chief Officer and/or Director of
         and/or Supervisors to               Information Technology, Privacy and Data Security using the IT Employee Access
         notify Chief Officer and            Form of any changes in an individual's job that would decrease that individual's
         Director of Information             access to confidential or privacy‐restricted information systems.
         Technology, Privacy
         and Data Security

         Directors, Managers     DP241.5     The IT Staff will alter the access privileges of an individual within 1 business day of
         and Supervisors to                  receiving a termination request or request to limit access using the IT Employee
         request, Chief Officers             Access Form, or on the effective date of the request if indicated. Requests to expand
         or Director of                      access privileges will be handled as soon as possible.
         Information
         Technology, Privacy
         and Data Security to
         and IT Staff to
         Employees               DP241.6     Employees who are asked by others for access to Business Confidential or Privacy‐
                                             Restricted information under their control must ask the requestor the reason for the
                                             access, be satisfied the reason meets the requirements of the organization’s privacy
                                             policies, and then grant access only to that information that is necessary to fulfill the
                                             request.
         Employees               DP241.7     Employees who are asked by others for access to Privacy Restricted information
                                             must adhere to DP‐170 ‐ DISCLOSURE TO THIRD PARTIES.



        GES CONFIDENTIAL