User Access Management. OneStream will:
(i) Employ formal procedures for granting and revoking access to OneStream’s systems used to provide the Services;
(ii) Employ a formal password management process in accordance with industry standards; and
(iii) Perform recurring reviews of users’ access rights.
User Access Management. To protect against unauthorized access or misuse of Confidential Information residing on Supplier Information Processing Systems, Supplier will:
(a) Employ a formal user registration and de-registration procedure for granting and revoking access and access rights to all Supplier Information Processing Systems;
(b) Employ a formal password management process; and
(c) Perform recurring reviews of users’ access and access rights to ensure that they are appropriate for the users’ role.
User Access Management. Matterport will maintain logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur). • Password Management. Matterport will maintain password controls designed to manage and control password strength, expiration, and usage including prohibiting users from sharing passwords. Matterport shall ensure password hardening standards are in place that align with accepted industry security frameworks to ensure sufficient controls. • Workstation Protection. Matterport will implement protections on end-user devices and monitor those devices to be in compliance with the security standard requiring screen lock timeout, malware software, firewall software, remote administration, unauthenticated file sharing, hard disk encryption and appropriate patch levels. Controls are implemented to detect and remediate workstation compliance deviations. Matterport will securely sanitize physical media intended for reuse prior to such reuse and will destroy physical media not intended for reuse. • Media Handling. Matterport will implement protections to secure portable storage media from damage, destruction, theft or unauthorized copying and the personal data stored on portable media through encryption and secure removal of data when it is no longer needed. Additional similar measures will be implemented for mobile computing devices to protect personal data.
User Access Management. The Supplier has a duty to limit access to personal data on a "need to know" basis. The Supplier is required to assess the nature of access allowed to an individual user. The Supplier agrees that individual staff members shall only have access to data which they require in order to perform their duties, prevent use of shared credentials (multiple individuals using a single username and password) and detect use of default passwords. Accesscontrol must be supported by regular reviews to ensure that all authorized access to personal data is strictlynecessary and justifiable for the performance of a function. The Supplier has policies in place regarding vetting and oversight of the staff members allocated these accounts. A staff member with similar responsibilities should have separate user and administrator accounts. Multiple independent levels of authentication may be appropriate where administrators have advanced or extra access to personal data or where they have access or control of other’s account or security data. The Supplier agrees to have strict controls on the ability to download personal data from an organization’s systems. The Supplier agrees to block such downloading by technical means (disabling drives, isolating network areas or segments, etc.). User registration and deregistration A formal process should exist to management the assignment, adjustment, and revoking of access rights, considering scenarios such as starters/leavers as well as changing of jobs internally within the organization ISO 27001 A.9.2.1 ISO 27001 A.9.2.2 ISO 27001 A.9.
User Access Management. To protect against unauthorized access or misuse of Recipient Confidential Information residing on Provider Information Processing Systems, Provider will:
9.1.1 Employ a formal user registration and de-registration procedure for granting and revoking access and access rights to all Provider Information Processing Systems.
9.1.2 Employ a formal password management process.
9.1.3 Where appropriate perform recurring reviews of users’ access and access rights to ensure that they are appropriate for the users’ role.
User Access Management. Access to Company is controlled through a formal user registration process beginning with a formal notification from HR or from a line manager. • Each user is identified by a unique user ID so that users can be linked to and made responsible for their actions. The use of group IDs is only permitted where they are suitable for the work carried out. • There is a standard level of access; other services can be accessed when specifically authorized by HR/line management. • The job function of the user decides the level of access the employee has to cardholder data • A request for service must be made in writing (email or hard copy) by the newcomer’s line manager or by HR. The request is free format, but must state: Name of person making request; Job title of the newcomers and workgroup; Start date; Services required (default services are: MS Outlook, MS Office and Internet access). • Each user will be given a copy of their new user form to provide a written statement of their access rights, signed by an IT representative after their induction procedure. The user signs the form indicating that they understand the conditions of access. • Access to all the Company systems is provided by IT and can only be started after proper procedures are completed. • As soon as an individual leaves the Company employment, all his/her system logons must be immediately revoked. • As part of the employee termination process HR (or line managers in the case of contractors) will inform IT operations of all leavers and their date of leaving.
User Access Management. Alteryx implements access control policies to support creation, amendment, and deletion of user accounts for systems or applications storing or allowing access to Licensee Content. Alteryx’s user account and access provisioning process assigns and revokes access rights to systems and applications, restricting access to only those Alteryx personnel and Subprocessors that require access, and solely to the extent so required, to fulfill Alteryx’s obligations under the Agreement or to comply with applicable law.
User Access Management. 5.1.1 Management of Client and Avanade user accounts within Avanade systems shall fol- low Avanade's corporate access control procedures. X X
5.1.2 During the course of a project, Client shall periodically verify that no Client Personal Data will be processed under the SOW other than the categories and types described in the SOW. X
5.1.3 Avanade will, during the course of the project, implement user account creation and deletion processes and controls, with appropriate approvals, for granting and revok- ing access to all Avanade systems and applications that store or enable access to Cli- ent Personal Data. In addition, Avanade shall designate an appropriate authority (as defined by the engagement) to approve creation of new user IDs, or elevated level of access for existing user IDs. X
5.1.4 Client will, during the course of the project, implement user account creation and de- letion processes and controls, with appropriate approvals, for granting and revoking access to all Client systems and applications that store or enable access to Client Per- xxxxx Data. In addition, Client shall designate an appropriate individual (as defined by the engagement) to approve creation of new user IDs, or elevated level of access for existing IDs. X
5.1.5 Avanade shall maintain a roster documenting access rights related to all Avanade Per- sonnel as appropriate; including level, type of access authorized, date access was granted and date access was revoked or terminated. X
5.1.6 Avanade will review the ACL at least quarterly, or as otherwise agreed to by the Parties in writing, to confirm that access levels are still appropriate for individual roles and to X Avanade Client confirm that access revocations for Avanade Personnel who departed from the en- gagement have been processed correctly.
5.1.7 Avanade and Client will grant system access to Avanade Personnel using the concept of Least Privileged Access, meaning individuals are only granted access to those re- sources and systems that are required to perform their role. X X 5.1.8 Avanade and Client will logically separate access between environments (e.g., devel- opment, testing, and production) using the concept of Least Privileged Access. X X 5.1.9 Avanade will revoke access of Avanade Personnel departing the project within 2 busi- ness days of departure, or as otherwise specified in the SOW, unless circumstances require immediate revocation. X
User Access Management. 5.1.1 Management of Client and Avanade user accounts within Avanade systems shall follow Avanade's corporate access control procedures. X X
5.1.2 During the course of a project, Client shall periodically verify that no Client Personal Data will be processed other than the categories and types described in this Agreement X
User Access Management. Data Processor shall ensure authorized user access only and prevent unauthorized access to systems and services. Minimum requirements:
a. A formal user registration and de-registration process shall be implemented to enable assignment of access rights.
b. A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.
c. The allocation and use of privileged access rights shall be restricted and controlled.
d. Asset owners shall review users' access rights at regular intervals.
e. The access rights of all employees and external party users to information and information Processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
