L&I, Office of Information Technology Procedure

(PDF)

1. Scope:

This procedure applies to all Employment Banking and Revenue (EBR) employees and business partners (hereinafter referred to collectively as “EBR Users”). These procedures must be followed for all access to production data, whether in the production environment, or when production data is housed in non-production environments.

2. Procedure:

The procedure is implemented by OIT-ESC Audit

1. Procedure review contractor access to PROD systems or data.
   
   

   Step	Responsibility	Action
   1.	ESC Audit	During the last week of the month, and open & sort P:\ESC\_Security Plan Management Team\Audit\Internal Audit\Contractor Server Access.xlsx by expiration date
   2.	ESC Audit	Assemble a listing of all expirations in the next month from
   3.	ESC Audit	Send to the documented division chief a notification that they will be expiring
   4.	ESC Audit	Change text to red, continue to follow up if no response is received the next month, initiate revoke procedures

   
   
   
2. Procedure to Request PROD data or system access
   
   

   Step	Responsibility	Action
   1.	Requestor	Submits CR and attaches the “Contractor Production Access - ESC Revision 072017.doc”
   2.	Requestor	Sends PATCH data to LI-OIT-Contractor Requests/LI-OIT-Security Evidence that the contractor has signed the OIT-6 & OIT-8, either scanned copy or electronic agreement.
   3.	ESC Audit	Reviews CR, and attachments. Verifies OIT-6/8 signatures, PATCH validity, updates CR Note: If the PATCH cannot be validated the CR will not be approved or processed.
   4.	Requestor	Submits ECAB attaching the “Contractor Production Access - ESC Revision 072017.doc”. The CR will reflect the approval of Security for PATCH, OIT-6/8 review. CR must include: Implementation Date: xx/xx/20xx (for xx days) Expiration Date: xx/xx/20xx Date Last OIT-6 Signed: xx/xx/20xx Date Last OIT-8: Signed xx/xx/20xx Date PATCH Renewal: xx/xx/20xx Control #: Rxxxxxxxx Full Name Used
   5.	User Account Management	Processes CR after ECAB approval. Note: User-Account management will not proceed without approval information.

   
   
   
3. Procedure to Renew PROD data or system access
   
   

   Step	Responsibility	Action
   1.	Requestor	Submits CR attaching “Contractor Production Access - ESC Revision 072017.doc”, and PATCH information (full name used in PATCH, date of PATCH, control number)
   2.	ESC Audit	Reviews CR, and attachments. Verifies OIT-6/8 signatures, PATCH validity, updates CR Note: If the PATCH cannot be validated the CR will not be approved or processed. Note: If the OIT-6 & OIT-8 signatures cannot be found the CR will not be approved or processed.
   3.	Requestor	Submits ECAB attaching the “Contractor Production Access - ESC Revision 072017.doc”. The CR will reflect the approval of Security for PATCH, OIT-6/8 review. CR must include: Implementation Date: xx/xx/20xx (for xx days) Expiration Date: xx/xx/20xx Date Last OIT-6 Signed: xx/xx/20xx Date Last OIT-8: Signed xx/xx/20xx Date PATCH Renewal: xx/xx/20xx Control #: Rxxxxxxxx Full Name Used   Note: If the PATCH expiration is less than the 6-month window, the requestor has a few options: Let access expire waiting until a new PATCH is obtained Limit the access through the PATCH expiration Submit a new PATCH
   4.	User Account Management	Processes CR after ECAB approval Note: User-Account management will not proceed without approval information.

   
   
   
4. Procedure to Revoke PROD data or system access
   
   

   Step	Responsibility	Action
   1.	Requestor	Submits CR referencing the access CR/ECAB OR
   2.	ESC Audit	Follows procedure review contractor access to PROD systems or data
   3.	ESC Audit	After 10 days with no reply, submits CR referencing the access CR/ECAB assigns to User Account Management
   4.	User Account Management	Processes CR

   
   
   

3. References

4. Version Control