L&I, Office of Information Technology Procedure
(PDF)
Name: |
Contractor PROD Access & Tracking Procedure |
Effective Date: |
September 2018 |
Category: |
Security |
Version: |
1.2 |
1. Scope:
This procedure applies to all Employment Banking and Revenue (EBR) employees and business partners (hereinafter referred to collectively as “EBR Users”). These procedures must be followed for all access to production data, whether in the production environment, or when production data is housed in non-production environments.
2. Procedure:
The procedure is implemented by OIT-ESC Audit
- Procedure review contractor access to PROD systems or data.
Step |
Responsibility |
Action |
1. |
ESC Audit |
During the last week of the month, and open & sort P:\ESC\_Security Plan Management Team\Audit\Internal Audit\Contractor Server Access.xlsx by expiration date |
2. |
ESC Audit |
Assemble a listing of all expirations in the next month from |
3. |
ESC Audit |
Send to the documented division chief a notification that they will be expiring |
4. |
ESC Audit |
Change text to red, continue to follow up if no response is received the next month, initiate revoke procedures |
- Procedure to Request PROD data or system access
Step |
Responsibility |
Action |
1. |
Requestor |
Submits CR and attaches the “Contractor Production Access - ESC Revision 072017.doc” |
2. |
Requestor |
Sends PATCH data to LI-OIT-Contractor Requests/LI-OIT-Security
Evidence that the contractor has signed the OIT-6 & OIT-8, either scanned copy or electronic agreement. |
3. |
ESC Audit |
Reviews CR, and attachments. Verifies OIT-6/8 signatures, PATCH validity, updates CR
Note: If the PATCH cannot be validated the CR will not be approved or processed. |
4. |
Requestor |
Submits ECAB attaching the “Contractor Production Access - ESC Revision 072017.doc”. The CR will reflect the approval of Security for PATCH, OIT-6/8 review. CR must include:
Implementation Date: |
xx/xx/20xx
(for xx days) |
Expiration Date: |
xx/xx/20xx |
Date Last OIT-6 Signed: |
xx/xx/20xx |
Date Last OIT-8: Signed |
xx/xx/20xx |
Date PATCH Renewal: |
xx/xx/20xx |
Control #: |
Rxxxxxxxx |
Full Name Used |
|
|
5. |
User Account Management |
Processes CR after ECAB approval.
Note: User-Account management will not proceed without approval information. |
- Procedure to Renew PROD data or system access
Step |
Responsibility |
Action |
1. |
Requestor |
Submits CR attaching “Contractor Production Access - ESC Revision 072017.doc”, and PATCH information (full name used in PATCH, date of PATCH, control number) |
2. |
ESC Audit |
Reviews CR, and attachments. Verifies OIT-6/8 signatures, PATCH validity, updates CR
Note: If the PATCH cannot be validated the CR will not be approved or processed.
Note: If the OIT-6 & OIT-8 signatures cannot be found the CR will not be approved or processed.
|
3. |
Requestor |
Submits ECAB attaching the “Contractor Production Access - ESC Revision 072017.doc”. The CR will reflect the approval of Security for PATCH, OIT-6/8 review. CR must include:
Implementation Date: |
xx/xx/20xx
(for xx days) |
Expiration Date: |
xx/xx/20xx |
Date Last OIT-6 Signed: |
xx/xx/20xx |
Date Last OIT-8: Signed |
xx/xx/20xx |
Date PATCH Renewal: |
xx/xx/20xx |
Control #: |
Rxxxxxxxx |
Full Name Used |
|
Note: If the PATCH expiration is less than the 6-month window, the requestor has a few options:
-
Let access expire waiting until a new PATCH is obtained
-
Limit the access through the PATCH expiration
-
Submit a new PATCH
|
4. |
User Account Management |
Processes CR after ECAB approval
Note: User-Account management will not proceed without approval information.
|
- Procedure to Revoke PROD data or system access
Step |
Responsibility |
Action |
1. |
Requestor |
Submits CR referencing the access CR/ECAB
OR
|
2. |
ESC Audit |
Follows procedure review contractor access to PROD systems or data |
3. |
ESC Audit |
After 10 days with no reply, submits CR referencing the access CR/ECAB assigns to User Account Management
|
4. |
User Account Management |
Processes CR |
3. References
4. Version Control
Version |
Date |
Purpose |
1.0 |
01/2006 |
Base Document |
1.1 |
11/2016 |
Merged documents, formatted, revised content |
1.2 |
09/2018 |
Updates to procedures |