The NTA has established a robust User Management and Access Control Policy under its IT Policy, 2080. This policy aims to regulate user access to NTA’s information systems, ensuring that only authorized individuals have access to resources necessary for their roles. By following the principles of least privilege and role-based access control (RBAC), NTA minimizes risks associated with unauthorized access and potential misuse.
User Account Creation and Provisioning
The policy outlines clear procedures for the creation and provisioning of user accounts, ensuring that access is granted only to authorized individuals.
Account Creation
- User accounts are created based on job responsibilities and the principle of least privilege, ensuring that users receive only the access necessary for their roles.
- A formal process is followed, which includes verification of the individual’s identity and approval by appropriate managers or system administrators.
Account Provisioning
- Upon joining NTA, user accounts are provisioned promptly to ensure seamless integration into the organization’s systems.
- Provisioning includes assigning the appropriate access rights and permissions, tailored to the specific duties of the individual’s role.
Account Termination Procedures
To maintain security and prevent unauthorized access, the policy includes strict guidelines for terminating user accounts when they are no longer required.
Timely Deactivation
- User accounts are deactivated or removed promptly when employees, contractors, or consultants leave the organization.
- The account termination process is integrated into the off-boarding procedures to ensure that access rights are revoked immediately.
Formal Termination Process
- The termination process involves a formal procedure to document and remove access privileges, minimizing any potential risks associated with lingering accounts.
Role-Based Access Control (RBAC)
NTA employs role-based access control (RBAC) to ensure that access privileges are granted based on job responsibilities. Key aspects of RBAC include:
Access Rights by Role
- Access privileges are assigned based on the specific requirements of each role, ensuring that users have access to resources necessary for their duties without excess permissions.
Controlled Access
- RBAC prevents unauthorized access to sensitive resources and minimizes the risk of accidental or intentional misuse.
Principle of Least Privilege
The policy adheres to the principle of least privilege, granting users the minimum level of access required to perform their tasks.
Minimizing Risks
- By limiting access rights, the policy reduces the likelihood of data breaches or resource misuse.
Restricting Privileged Functions
- Non-privileged users are prevented from executing administrative functions, such as disabling or altering security safeguards.
Separation of Duties
The User Management and Access Control Policy emphasizes the importance of dividing responsibilities among individuals to prevent excessive control or unauthorized activities. The separation of duties reduces risks by ensuring that critical processes require the involvement of multiple personnel.
Division of Responsibilities
- Key tasks, such as financial transactions or data manipulation, are divided among different individuals to prevent a single person from having undue control.
Approval Mechanisms
- Sensitive actions require multiple approvals, ensuring oversight and minimizing the risk of errors or malicious behavior.
Documentation
- The IT Division documents all separations of duties to ensure transparency and traceability.
Access Monitoring and Logging
To maintain accountability and detect potential security incidents, the policy mandates regular monitoring of access to systems and sensitive data.
Logging Access Activities
- All access to systems, applications, and sensitive information is logged for security and compliance purposes.
Review of Security Logs
- The IT Division reviews security logs regularly to identify unauthorized access attempts or suspicious activities.
Incident Response
- Any irregularities or breaches detected during the review are addressed promptly to mitigate risks and ensure system integrity.
Control of Unsuccessful Login Attempts
The policy includes measures to prevent unauthorized access through repeated login attempts. These controls protect against brute-force attacks and unauthorized access attempts.
Login Attempt Limits
A predefined limit is set for consecutive invalid login attempts.
Account Suspension
- User accounts that exceed the limit are temporarily suspended until manually released by an administrator.
Administrator Privileges
- Only administrators have the authority to unlock suspended accounts, ensuring controlled and secure reactivation.
System Use Notification
To remind users of their responsibilities and the monitored nature of NTA’s systems, the policy requires the display of a system-use notification message or banner before accessing the system. The notification includes:
Access Disclaimer
- A statement indicating that users are accessing NTA’s information system and that usage may be monitored.
Privacy Waiver
- Users are informed that there are no rights to privacy while using NTA’s systems.
Legal Penalties
- Unauthorized use is highlighted as a violation subject to criminal and civil penalties.
Remote Access Controls
The policy also includes guidelines for managing remote access to NTA’s systems, ensuring secure connections and data protection.
Usage Restrictions
- Remote access is restricted to authorized individuals and specific configurations approved by the IT Division.
Cryptographic Protections
- Remote access sessions are encrypted to ensure the confidentiality and integrity of transmitted data.
Logging and Documentation
- All remote access connections are documented, including the rationale for allowing such access.
Source: Information Technology Policy of NTA, 2080 (2023)
