Network Security and Acceptable Use Policy

Effective Date: 01 Sep 2025

The Access Control Policy defines the controls that must be implemented and maintained in order to protect information assets against unauthorized access that might pose substantial risk to the organization. The policy intends to establish adequate controls for user-access management, network access, operating system, and database and application access within Manodayam. (Here it is referred to as “Manodayam”). This policy shall also be applicable to third-party Service Providers which have such accesses or can provide such access rights to other users.

Purpose

This policy establishes the Access Control Policy, for managing risks from user account management, access enforcement and monitoring, separation of duties, and remote access through the establishment of an Access Control program. The access control program helps Manodayam implement security best practices with regard to logical security, account management, and remote access.

Responsibility

It is the responsibility of the Functional SPOCs/HODs (Department wise) to implement and enforce the controls defined within the Access Control Policy. It is the responsibility of the Chief Information Security Officer (CTO) to monitor critical Access Rights of important business applications.

Definitions

Information System – A combination of hardware, software, infrastructure, and trained personnel organized to facilitate planning, control, coordination, and decision-making in an organization.

Information systems in this policy shall refer to Business applications, Support applications, Operating Systems, Databases and Network Infrastructure.

Objective

Access to the information systems shall be controlled, based on business and security requirements and should be commensurate with the asset classification. Access controls shall be deployed based on the principle of “need-to-have” in order to protect the information from unauthorized access.

User Access Management

The allocation of access rights to information systems and services shall be done in accordance with the requirement given by the supervisor and approved by the HOD. The policy encompasses all stages in the lifecycle of user access.

• Initial registration of users.
• Transfer of users to other departments/projects/ profiles; and
• De-registration of users.

User Registration

“User” registration for employees shall be done according to authorization by HR (for email access & user ID creation) and by respective HOD (for applications). The following shall be ensured:

  1. A unique user ID for all users having access to the applications and databases.
  2. Approval is obtained from HODs, prior to granting Users access to Information systems.
  3. Any access to applications and databases using group user IDs shall be restricted. Any access shall be provided only on a case-by-case basis after approval from respective HODs.
  4. Review of user access rights shall be done once in every twelve months for identifying and removing redundant or user IDs.
  5. Ensure that the redundant user IDs are not issued.

De-registration

“User” de-registration for employees shall be done according to authorization by HR (for email access & user Id) or by respective HOD (for business applications). Following shall be ensured:

  1. Access of user accounts is either revoked or re-allocated appropriately upon inter- departmental transfers/ change of profiles.
  2. Immediately disable or remove user IDs of users who have left the organization. This includes, but is not limited to the following:
    1. Database
    2. Workstation Access
    3. E-mail access
    4. Remote access to network
    5. VPN client access
    6. Any other access to network or programs
    7. Review of user access rights once in every twelve months for identifying and removing or disabling redundant user IDs

Privilege Access Rights Management

Assignment of privileged access to user accounts / IDs on the Information systems shall be controlled through a formal authorization process. The privilege rights for IT infrastructure management shall be based on a need-to-know basis and approved from CTO. The access shall be revoked post-completion of activities. CTO shall review list of privileged user access every six months. The following shall be considered:

  1. The privileged access rights associated with each system or process, e.g., operating system, database management system and each application and the users to whom they need to be allocated should be identified.
  2. Privileged access rights should be allocated to users on a need-to-use basis and on an event-by-event basis in line with the access control policy i.e. based on the minimum requirement for their functional roles.
  3. An authorization process and a record of all privileges allocated should be maintained. Privileged access rights should not be granted until the authorization process is complete.
  4. Requirements for the expiry of privileged access rights should be defined.
  5. Privileged access rights should be assigned to a user ID different from those used for regular business activities. Regular business activities should not be performed from privileged ID
  6. For generic administration user IDs, the confidentiality of secret authentication information should be maintained when shared.

Password Management

  1. Passwords are strings of characters that are input into a system to authenticate an identity and/or authority and/or access rights.
  2. Password will be masked.
  3. Passwords shall be stored and communicated in a protected form.
  4. All system-level passwords (Administrator, etc.) shall be changed on six monthly basis.
  5. All user-level passwords (e.g., email, web, desktop computer, etc.) shall be changed every six months.
  6. Passwords shall have the following characteristics.
    1. Length of Password shall be between eight and fifteen alphanumeric characters
    2. Password shall contain at least one uppercase, one lowercase character and one number.
    3. Password shall also contain at least one of the special characters such as @#$%^&*()_+|~-=\`{}[]:”;’<> / etc.
    4. Passwords shall not be a word in any language, slang, dialect, jargon, etc.
    5. Passwords shall not be based on any personal information such as names of family, computer terms, names, commands, sites, companies etc.
  7. Passwords shall not be shared with anyone, including administrative assistants or secretaries. All passwords shall be treated as sensitive, confidential information.
  8. Passwords shall never be written down or stored online without encryption.
  9. Passwords shall not be revealed in email, chat, or other electronic communication.
  10. Passwords shall not be spoken in front of others.
  11. The System should force the user to change the temporary password assigned to them at the first log-on.
  12. Change of the Password shall be allowed only after logging in to the system with the existing password.
  13. The new password should not be one from the last 2 passwords.
  14. The Account should be locked out for 30 minutes after 3 unsuccessful attempts.
  15. The locked-out Account is reset after 30 minutes.
  16. Default passwords for applications and devices shall be changed after installation.

Management of Secret Authentication information of users

Secret authentication information such as passwords, cryptographic keys, smart cards etc. is a common means of verifying user identity. The process should include the following:

  1. Users should keep the person’s secret authentication information confidential.
  2. Default/ initially allocated secret authentication information should be changed prior to first use.
  3. Users identity should be verified, and approval received from appropriate authority.
  4. Temporary secret authentication information should be given to users in a secure manner; the use of external parties or unprotected (clear text) electronic mail messages should be avoided.
  5. Temporary secret authentication information should be unique to an individual and should not be guessable.
  6. Users should acknowledge receipt of secret authentication information.

Review of User Access Rights

The review of user access rights shall take into consideration the following:-

  1. User Accounts and corresponding access rights are reviewed once in every six months for users having access to systems/ applications.
  2. Authorizations for special privileged access rights are reviewed once in every quarter and revoked as applicable.
  3. There is a process for identifying and removing/disabling duplicate or redundant user id.
  4. User access rights should be reviewed and re-allocated when moving from one role to another within the same organization.
  5. Changes to privileged accounts should be logged for quarterly review.
  6. Access rights to shared folder shall be reviewed once in every 6 months by CTO.

Removal or adjustment of access rights

All access rights to employees and Third-Party Service Provider staff shall be removed upon termination of their employment, contract, or adjusted upon change or in any other event of their separation from Manodayam.

User Responsibilities for Access Management

All employees and Third-Party Service Provider staff with access to information systems are required to understand their responsibilities for maintaining effective access controls, particularly regarding the use of passwords and the security of user equipment. They shall follow Manodayam’s policies in the use of secret authentication information.

Clear Desk and Clear Screen

Automatic account lockout for 15 minutes will be implemented to lock the screen of the information systems when left unattended. It is the responsibility of all employees and Third Party to lock their screens when they leave it unattended.

Password Use

Manodayam Employees are required to:-

  1. Keep their passwords confidential and refrain from sharing them with others, and
  2. Change their passwords whenever there is any indication of a possible compromise of the system or password.
  3. If temporary, then change on first log-on.
  4. Avoid keeping a record.
  5. Not to use same secret authentication information for business and non-business purposes.

Unattended User Equipment

All employees with access to information assets shall be made aware of the information security requirements and procedures for protecting unattended equipment. The users are required to do the following:-

  1. Log out from the information systems upon completion of the user activity.
  2. Secure the equipment in order to prevent theft.

Network Access Control

Appropriate controls for user access to networks and network services shall be applied. The controls shall ensure that:-

  1. The networks and network services which are allowed to be accessed request to access to Network shall be approved by the Supervisor.
  2. Management controls to protect access to network connections and network services.
  3. The means used to access networks and network services (e.g. use of VPN or wireless network.
  4. User authentication requirements for accessing various network services.
  5. Monitoring of the use of network services.
  6. Business applications are accessible on the network only through the approved network services.
  7. The network services which are required for business purposes are identified, documented, and approved by HOD of the user. All unnecessary network services are identified and disabled.
  8. In the case of Visitors, no network access shall be provided post-approval and segregation of the network from the Corporate Network.
  9. Third-party staff should be given access post approval from CISO.

Remote Access

Adequate security controls shall be implemented to authenticate the user for remote access. IT department shall manage remote access connections and ensure that:-

  1. Persons Affected: – employees, consultants, vendors, contractors, and others who use mobile computing and storage devices on the network.
  2. General Standards: -It is the responsibility of employees, contractors, vendors and agents with remote access privileges to corporate networks to ensure that their remote access connection is given the same consideration as the user’s on-site connection to.

Requirements

  • Remote access connections to the Manodayam’s network are provided to authorized users only, and appropriate controls are implemented and enforced to maintain the confidentiality, integrity and availability of information.
  • An updated list of all such users is maintained.
  • Remote access to Manodayam’s network is allowed through secure channels only.
  • Remote access is allowed through pre-approved accounts only, and
  • Only approved remote control software is used in the network for remote connections.
  • Secure remote access must be strictly controlled. Control will be enforced via one-time password authentication or public/private keys with strong pass phrases.
  • At no time should any employee provide their login or e-mail password to anyone, not even family members.
  • Employees and contractors with remote access privileges must ensure that their -owned or personal computer or workstation, which is remotely connected to a corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user.
  • Employees and contractors with remote access privileges to corporate networks must not use non-e-mail accounts (i.e., Hotmail, Yahoo, AOL), or other external resources to conduct business, thereby ensuring that official business is never confused with personal business.
  • Routers configured for access to the network must meet minimum authentication requirements.
  • Reconfiguration of a home user’s equipment for the purpose of split-tunnelling or dual-homing is not permitted at any time.
  • Non-standard hardware configurations must be approved by the IT department and must approve security configurations for access to hardware.
  • All PCs, laptops and workstations that are connected to internal networks via remote access technologies must use the most up-to-date anti-virus software (place URL to corporate software site here), this includes personal computers.
  • Individuals who wish to implement non-standard Remote Access solutions to the production network must obtain prior approval from the IT department.

Equipment Identification in Network

  • Authentication and Encryption is required for wireless connections utilizing industry best practices.
  • Allowed Authentication Schemes are: WPA2-PEAP or WPA2-EAP-TLS or any latest scheme.
  • Authentication must be machine authentication (not user authentication)
  • Workgroup, point-to-point, and ad hoc networks are not permitted.
  • Employ inconspicuous SSID and AP names.
  • Wi-Fi Access-Points (WAPs) shall only be installed in space owned, rented, or leased by Manodayam.
  • Wi-Fi Maps shall be accurately maintained which depict access point locations and limits of Manodayam occupied space.

Network Routing

Internet site and file filtering must be enabled to block access to Internet sites and files deemed inappropriate or potentially dangerous for business use.

Internal access to the Internet is to be routed through Internet access servers (proxy servers) or network firewalls with filtering technology enabled.

Access between domains can be allowed but should be controlled at the perimeter using a gateway e.g. a firewall or filtering router

Any changes to the Firewall rules, or other network device configuration should be logged. It should follow a change management process.

Operating System Access Control

Adequate security controls shall be implemented on the information systems to restrict operating systems access to authorized users only. The controls shall authenticate the authorized users and record the successful and failed system authentication attempts.

Secure log-on procedure

The operating systems of servers, workstations and/ or network devices shall be controlled through a secure log-on procedure to minimize the risk of unauthorized access. The log-on procedure shall not disclose any system information. Log-on procedure shall: Ensure that previous logged-on user information shall not be displayed in the login console/window.

Validate the log-on information on completion of all input data. If an error condition arises, the system should not display an error message which leaks the internal configurations of the information systems.

Limit the number of unsuccessful log-on attempts to 3 and Ensure automatic terminal lockout after a specified duration of 15 min. An exception to this would be terminals which are under continuous monitoring.

Not display system or application identifiers until the log-on process has been successfully completed.

Display a general notice warning that the computer should only be accessed by authorised users.

Not provide help messages during the log-on procedure that would aid an unauthorized user.

Validate the log-on information only on completion of all input data. If an error condition arises, the system should not indicate which part of the data is correct or incorrect.

Protect against brute force log-on attempts.

Log unsuccessful and successful attempts.

Raise a security event if a potential attempted or successful breach of log-on controls is detected. 

Display the following information on completion of a successful log-on:

Not display a password being entered; not transmit passwords in clear text over a network.

Terminate inactive sessions after a defined period of inactivity, especially in high-risk locations such as public or external areas outside the organization’s security management or on mobile devices.

Restrict connection times to provide additional security for high-risk applications and reduce the window of opportunity for unauthorized access.

User Identification and Authentication

Refer to section “User Access Management” of this policy for User Identity management.

Appropriate authentication mechanisms shall be implemented for all systems based on identified security needs.

Use of privileged system Utilities

Use of utility programs that could override the system and application controls shall be restricted and tightly controlled and only authorized utilities shall be used for remote management (of the servers, workstations, and network devices). Activities carried out by using such utilities are logged. The following shall be considered:

  • Use of identification, authentication, and authorization procedures for utility programs.
  • Segregation of utility programs from applications software.
  • Limitation of the use of utility programs to the minimum practical number of trusted, authorized user.
  • Authorization for ad hoc use of utility programs.
  • Limitation of the availability of utility programs.
  • Logging of all use of utility programs.
  • Defining and documenting of authorization levels for utility programs.
  • Removal or disabling of all unnecessary utility programs.
  • Not making utility programs available to users who have access to applications on systems where segregation of duties is required.

Session Time-out

Information systems and applications that are accessed from external networks and the Internet shall be equipped with session time-out controls to clear the session screen and terminate the application sessions after a specified duration of inactivity.

System and Application Access Control

Access to information and application systems shall be restricted to authorized users only as per the policy. The appropriate security controls shall be used to restrict access to information systems.

Access to systems and applications shall be controlled by secure log-on procedures.

Password management procedure shall be implemented to ensure quality passwords.

Use of utility programs capable of overriding system and applications controls shall be restricted and tightly controlled.

Access to program code shall be restricted through following means.

Access to source code should be restricted to authorized users only.

Updating of source code should be performed after receipt of proper approvals.

An audit log of all activities for source codes should be maintained.

Copying of program codes should be subject to change control procedure.

Developer shall not have access to production environment and segregation of duties shall be implemented as appropriate.