Access Control Policy V3.0


Access Control Policy

Document Number : JSPL/ACP/2021-09


Version 3.0, Date: 20-05-2021

-Confidential-
All information contained in this document is proprietary and intended solely for use by
Jindal Steel & Power Limited Group Companies Employees.
Any unauthorized duplication or distribution is strictly prohibited.

Document Control
Document Publication History

Document Prepared by     Jagat Singh CHANDRAWAT - Manager
Document Reviewed by     Rajesh Kumar – Head IT
Document Approved by     Saurabh Ganeriwala - CDO
Document Authorized by   Sudhanshu Saraf – Director Transformation
Document Owned by        IT Department
Effective Date           20-May-2021
Review Frequency         Two Years
Document Classification  Confidential

Document Distribution List

#   Name                     Organization  Purpose
1.  Director Transformation  JSPL          Authorize
2.  CDO                      JSPL          Approve
3.  Head IT                  JSPL          Review & Update
4.  Location IT Head         JSPL          Enforcement
5.  Group Users/Employees    JSPL          Information

Document Approval History

Version  Date        Name                Role           Comments
1.0      01.06.2014  Vipul Anand         GCIO
2.0      01.08.2019  Rajesh Kumar        Group IT Head  As per Audit Recommendation – June 2018
3.0      06.05.2021  Saurabh Ganeriwala  GCDO           As Per ITGC Framework

Authorized Signatory

Name             Role                     Date         Signature
Sudhanshu Saraf  Director Transformation  20-May-2021  FW FW Policies for approval and sanction.eml

Table of Contents

1. Overview                                      4
2. Purpose                                       4
3. Scope                                         4
4. Policy                                        4
   4.1  Account Management                       4
   4.2  Access Enforcement                       5
   4.3  Least Privilege                          5
   4.4  Unsuccessful Logon Attempts              5
   4.5  System Use Information                   6
   4.6  Session Lock                             6
   4.7  Session Termination                      6
   4.8  Remote Access                            6
   4.9  Wireless Access                          7
   4.10 Access Control for Mobile Devices        7
   4.11 Use of External Information Systems      7
   4.12 Information Sharing                      7
   4.13 Publicly Accessible Content              7
5. Policy Compliance                             8

1. Overview
The JSPL Information Security policy is intended to be consistent with best practices
for organizational Information Security management. The intention of this policy is to
establish an access control capability throughout JSPL that helps the organization
implement security best practices with regard to logical security, account
management, and remote access.
2. Purpose
The purpose of this policy is to ensure that access controls are implemented in
compliance with Information Technology policies and procedures.
3. Scope
• This policy applies to all employees (permanent and contract employees) and
non-employees (consultants, contractors, vendors, suppliers and customers) of JSPL and
its group companies.
• In this document, “JSPL” refers to JSPL and its group companies.
• The policy covers all information and information processing systems owned and
managed by the IT department of JSPL.
4. Policy
This policy is applicable to all departments and employees/users of JSPL resources and
assets.
4.1 Account Management
JSPL IT Department shall:
• Identify and select the following types of information system accounts to support
organizational missions and business functions: individual, shared, group, system,
guest/anonymous and service.
• Assign account managers for information system accounts.
• Establish conditions for group and role membership.
• Specify authorized users of the information system, group and role membership, and
access authorizations (i.e., privileges) and other attributes (as required) for each
account.
• Require approvals by system owners (typically location IT HOD) for requests to create
information system accounts.
• Create, enable, modify, disable, and remove information system accounts in
accordance with approved procedures.
• Notify account managers when accounts are no longer required, when users are
terminated or transferred, and when individual information system usage or
need-to-know changes.
• Authorize access to the information system based on a valid access authorization or
intended system usage.
• Review accounts for compliance with account management requirements annually.

• Establish a process for reissuing shared/group account credentials when individuals
are removed from the group.
• Ensure that the information system disables temporary and emergency accounts after
usage.
• Ensure that the information system disables inactive accounts after 30 days of
inactivity.
• Ensure that the information system audits account management activities monthly.

4.2 Access Enforcement


JSPL IT Department shall:
• Ensure that the information system enforces approved authorizations for logical
access to information and system resources in accordance with the applicable access
control policy.

4.3 Least Privilege


JSPL IT Department shall:
• Employ the principle of least privilege, allowing only authorized accesses for users (or
processes acting on behalf of users) which are necessary to accomplish assigned tasks
in accordance with organizational missions and business functions.
• Explicitly authorize access to hardware and software controlling access to systems,
filtering rules for routers/firewalls, configuration parameters for security services,
and access control lists.
• Recommend that users of information system accounts, or roles, with access to JSPL
defined security functions or security-relevant information use non-privileged
accounts or roles when accessing non-security functions.
• Restrict privileged accounts on the information system to JSPL defined personnel or
roles.
• Ensure that the information system audits the execution of privileged functions.
• Ensure that the information system prevents non-privileged users from executing
privileged functions, including disabling, circumventing, or altering implemented
security safeguards/countermeasures.

4.4 Unsuccessful Logon Attempts


IT Department shall ensure that the information system:
• Enforces a limit of 3 consecutive invalid logon attempts by a user.
• Locks the account/node automatically until released by an administrator when the
maximum number of unsuccessful attempts is exceeded.

4.5 System Use Information
IT Department shall ensure that the information system:
• Displays to users an approved system use notification message or banner before
granting access to the system. The banner provides privacy and security notices
consistent with applicable state and federal laws, directives, policies, regulations,
standards, and guidance, and informs users that:
o Users are accessing a JSPL information system.
o Information system usage may be monitored, recorded, and subject to audit.
o Unauthorized use of the information system is prohibited and subject to criminal
and civil penalties.
o Use of the information system indicates consent to monitoring and recording.
o There are no rights to privacy.
• Retains the notification message or banner on the screen until users acknowledge the
usage conditions and take explicit actions to log on to or further access the
information system.

4.6 Session Lock


JSPL IT Department shall ensure that the information system:
• Prevents further access to the system by initiating a session lock after [entity
defined frequency] of inactivity or upon receiving a request from a user.
• Retains the session lock until the user re-establishes access using established
identification and authentication procedures.
• Conceals, via the session lock, information previously visible on the display with a
publicly viewable image.

4.7 Session Termination


JSPL IT Department shall:
• Ensure that the information system automatically terminates a user session after 24
hours.

4.8 Remote Access


JSPL IT Department shall:
• Authorize remote access to the information system prior to allowing such
connections.
• Ensure that the information system reviews and controls remote access methods.
• Ensure that the information system implements cryptographic mechanisms to protect
the confidentiality and integrity of remote access sessions.
• Ensure that the information system routes all remote accesses through managed
network access control points to reduce the risk for external attacks.
• Authorize the execution of privileged commands and access to security-relevant
information via remote access.

4.9 Wireless Access
JSPL IT Department shall:
• Establish usage restrictions, configuration/connection requirements, and
implementation guidance for wireless access.
• Ensure that the information system protects wireless access to the system using
authentication of users or devices.

4.10 Access Control for Mobile Devices


JSPL IT Department shall:
• Authorize the connection of mobile devices to organizational information systems.
• Recommend that all users enable encryption on their mobile devices to protect the
confidentiality and integrity of information.

4.11 Use of External Information Systems


JSPL IT Department shall:
• Establish terms and conditions, consistent with maintaining external information
systems, allowing authorized individuals to:
o Access the information system from external information systems.
o Process, store, or transmit organization-controlled information using external
information systems.
• Permit authorized individuals to use an external information system to access the
information system or to process, store, or transmit organization-controlled
information only when the organization:
o Verifies the implementation of required security controls on the external system as
specified in the organization’s information security policy and security plan.
o Retains approved information system connection or processing agreements with
the organizational entity hosting the external information system.

4.12 Information Sharing


JSPL IT Department shall:
• Facilitate information sharing by enabling authorized users to determine whether
access authorizations have been assigned as expected, e.g. by leveraging tools like
Google Drive.
• Assist users in making information sharing/collaboration decisions.

4.13 Publicly Accessible Content


JSPL IT Department shall:
• Designate individuals authorized to post information onto a publicly accessible
information system.
• Train authorized individuals to ensure that publicly accessible information does not
contain non-public information.

5. Policy Compliance
• Compliance Measurement
The Information Security team will verify compliance with this policy through various
methods, including but not limited to periodic walk-throughs, business tool reports,
internal and external audits, and feedback to the policy owner.
• Exceptions
Any exception to the policy must be approved by the Information Security Committee
in advance.
• Non-compliance
An employee found to have violated this policy may be subject to disciplinary action,
up to and including termination of employment.
