Effective: April 1, 2000
Responsibility: Vice-President and Chief Financial Officer
The purpose of this policy is to establish:
- Guidelines for granting, modifying, and disabling user access to the SAP system;
- Guidelines for performing annual user access reviews; and
- The roles and responsibilities of those involved in the access management process.
This policy applies to the SAP production environment system access security and its use at CBC/Radio-Canada. It does not include other supporting systems, such as OnAir, Business Warehouse or Cognos.
STATEMENT OF POLICY
Access to data and information systems is granted to users based on their job function and operational business requirements.
New user access or changes to user access is requested by authorized personnel and reviewed, approved and granted by the Delegated Security Officer (DSO).
Before granting or changing user access, the DSO will ensure that adequate segregation of incompatible duties is achieved and that the user access is consistent with their delegation of financial and signing authorities (DFA/DSA) and/or responsibilities.
An adequate level of security (password and access management) is exercised and maintained that is consistent with general IT security policies and existing HR Identity Management (IDM) processes.
Reviews of system access are to be performed annually by the DSO to verify that users have appropriate system access.
User access must be promptly removed or appropriately modified upon termination or a job role change.
User access requests or changes are processed in a timely manner.
User access requests will be consistent with the limits and terms of the applicable software licensing agreement(s) and be monitored by the DSO using SAP reports.
- This policy was updated December 15, 2012.
- This policy was updated November 2003.
- This was formerly Corporate Guidelines and Procedures, 102.10–A - Access to the Management System.
- Policy 2.5.1: Corporate Information Technology (IT) Security and Employee Use of IT Assets
- Policy 2.3.8: Delegation of Financial Authorities
- Policy 2.9.03: Delegation of Signing Authority
PERSON RESPONSIBLE FOR INTERPRETATION AND APPLICATION
All questions pertaining to the interpretation or application of this policy should be referred to the Director, Policy and Internal Control.
The responsibility for interpretation of this policy ultimately resides with the Senior Director and Corporate Controller.
DEPARTMENT RESPONSIBLE FOR UPDATING THIS WEBPAGE
PROCEDURES AND GUIDELINES
SYSTEM ACCESS REQUEST PROCEDURE:
All requests for access to the SAP system must adhere to the following:
- Requests for access to the SAP system must be submitted by each individual’s supervisor to the Information Technology Service Centre (ITSC) who in turn will log a request in the Remedy system to the Delegated Security Officer (DSO) who is part of the Financial Systems group.
- The DSO will address any potential issues and access requirements with individuals, as deemed appropriate, which may include the requestor’s supervisor.
- If the request is approved, the DSO will:
- Assign the user the appropriate role(s)
- Confirm the access with the individual and the supervisor
- The request to ITSC and the confirmation of the access must be done by email for tracking and auditing purposes.
ROLES AND RESPONSIBILITIES
- Applicants who are granted access to the SAP systems must abide by all Corporate Policies, Procedures and Guidelines.
- Users are responsible and accountable for ensuring that no other individual has access to the system through their unique user account. The ultimate responsibility and accountability is with the individual whose name is associated with the user account.
- User passwords should be changed on a periodic basis, when there is a suspicion that security may have been breached or when prompted to change after 90 days.
- Each supervisor must critically assess and justify the need for specific and additional access to current and future applicants.
- Immediate supervisors must notify ITSC, who will notify the DSO via Remedy, immediately of any transfer or termination of employment of individuals having a user account. Should the immediate supervisor fail to do so, he/she will be ultimately responsible and accountable for any breach of security issues which may arise.
- Human Resources at Shared Services will advise Local Finance and Administration of any termination of employment of employees, who in turn will ensure that the DSO is notified in order to cancel the user accounts.
- A designated person in HR Technology group will be responsible to approve any access request related to SAP HR modules.
DELEGATED SECURITY OFFICER
The DSO has the responsibility to ensure the integrity, consistency and uniformity of the conceptual design of roles and to maintain proper documentation regarding user access provisioning.
- The DSO has the right to refuse an application
- The DSO is responsible for the following:
- To ensure that any changes to an individual’s role adhere to policies, procedures and guidelines and to consult with and obtain approval from Senior Financial Officers as required.
- To perform a periodic documented review of the user list and their security access to ensure consistency with the objectives of this policy. This review should be performed at least once per year.
- To determine the appropriate role for each approved user.
- To adjust user roles as required due to changes in user status or job description, either via a supervisor’s notification or the email received via the Identity Management system;
- For the timely removal/cancellation of access privileges because of individual transfers and departures from the Corporation
- To change passwords in accordance with established standards
- To manage and control the number of active licenses and ensure compliance with the terms of the software licensing agreement(s); and
- To monitor the logs of critical events defined by management.
- Requests for a policy exception must have a valid business justification. The exception must be documented and approved by the DSO.
- The DSO maintains the right to deny any exception to this policy.