
L&I, Office of Information Technology Procedure


Name: Access Control for Non-Commonwealth Users Procedures
Effective Date: November 2016
Category: Security
Version: 1.1

1. Scope:

This procedure applies to all employees, contractors, temporary personnel, members of boards, commissions and councils, agents, and vendors in the service of L&I. It covers the access controls specific to all non-commonwealth employees (hereinafter “contractors”) accessing production (PROD) systems.

2. Procedure:

This procedure will be initiated by management employees and implemented by Office of Information Technology (OIT), Infrastructure and Compute Services (ICS) or Enterprise Security & Compliance Section (ESC) staff. All L&I change control procedures will be followed.

  1. Access Procedure

    Step 1. Requestor (Employee): Makes a determination of the exact level of minimum access required for the contractor, e.g. remote desktop, log viewer, power user, administrator/root.
    Makes a determination of the exact duration of access required for the contractor, not to exceed 180 days.

    Step 2. Requestor (Employee): Obtains written approval to add the contractor to the environment from the Division Chief(s) who oversee(s) the application(s), hardware, or network service.

    Step 3. ServiceNow Submitter: Creates a Change Request (CR) to add a contractor to a PROD environment.
    The CR must specify the environment access requested, the name and CWOPA ID to be added, the type of access required, the date on which access must be given, the date on which access must be removed, and the date of the contractor’s last background check.
    In addition, a scanned copy of the contractor’s signed “Computer Resources User Agreement - Non-Commonwealth Employees” (L&I OIT-6) and “Acceptable Use Policy Agreement for System/Infrastructure/Database/Application Administrators” (L&I OIT-8), both dated within one month of the request, must be included as an attachment.

    Step 4. Requestor (Employee): Prepares an Enterprise Change Advisory Board (ECAB) request for approval, which includes the following information:
    • CR Number
    • Description of change (include the username and the date of the contractor’s last background check)
    • Type/level of elevated privileges required
    • Date to add contractor to system
    • Date to remove contractor from system

    Step 5. Requestor (Employee): Sends the completed ECAB request and the written approval obtained to the ECAB resource account at ra-li-oit-enterprise@pa.gov.

    Step 6. L&I ECAB Coordinator: Logs the ECAB request.

    Step 7. L&I ECAB Coordinator: Emails the ECAB request to all members of the ECAB mailing list, the affected Division Chief(s), and the Chief Information Security Officer (CISO).

    Step 8. L&I CISO/ESC: Confirms:
    • Elevated privileges are not already granted by Active Directory (AD) group membership.
    • The change cannot be better implemented via AD group membership.
    • The change will not elevate other AD group(s) privileges on the target or any other system(s).

    Step 9. L&I ECAB Member (Voting): Sends an email to the ECAB resource account either approving or rejecting the ECAB request.

    Step 10. L&I ECAB Coordinator: Notifies the ECAB mailing list, affected Division Chief(s), CISO, and requestor.

    Step 11. Requestor (Employee): Updates the CR to include the approval or rejection notification received from the ECAB Coordinator.

    Step 12. Change Request Approvers: Approve or reject the CR according to the ECAB decision attached to the CR.

    Step 13. ICS/ESC: If approved, receives the CR and assigns the requested contractor access to the PROD environment on the date specified.


  2. Exception to Policy Procedure

    Step 1. Requestor (Employee): Makes a determination of the exact level of access required for the contractor, e.g. remote desktop, log viewer, power user, administrator/root.
    Makes a determination of the exact duration of access required for the contractor, not to exceed 180 days.

    Step 2. Requestor (Employee): Obtains written approval to add the contractor to the environment from the Division Chief(s) who oversee(s) the application, hardware, or network service.

    Step 3. Requestor (Employee): Obtains written approval for the contractor to use a service account to access PROD systems from the Chief Information Security Officer (CISO) and the Chief Information Officer/Deputy Chief Information Officer (CIO/DCIO).

    Step 4. Requestor (Employee): Follows the Access Procedure from step 3 (creating a CR) through step 13.


  3. Access Removal Procedure

    Step 1. Requestor (Employee): Requests a CR to remove the contractor.

    Step 2. ServiceNow Submitter: Creates a CR to remove a contractor from a PROD environment.
    In the CR, specifies the environment access currently in place, the name and unique domain ID to be removed, the type of access being rescinded, and the date on which access must be rescinded.

    Step 3. CR Approvers: Approve the CR.

    Step 4. ICS/ESC: Removes the contractor’s access.


3. References

L&I Policy Definitions Document
SEC-007 - Contractor Account Administration
SEC-010 - Access Control for Non-Commonwealth Users Policy
SEC-011 - Remote Access to the Commonwealth Network
ITP-SEC007 - Minimum Standards for IDs, Passwords, and Multi-Factor Authentication
ITP-SEC010 - Virtual Private Network Standards

4. Version Control

Version 1.0 (01/2006): Base Document
Version 1.1 (11/2016): Merged documents, formatted, revised content