IT Access / Provision / Termination of User Accounts Work Instruction / Doc Type:
WI / Doc Number:
3.4.2.1
Issuing COE/Unit:
Finance:
Information
Technology / Issuing Department:
IT Service Desk / Approved by:
CIO / Original Date of Issue:
06/07/10 / Revised/Reviewed:
8/14/17 / Version #:
3.0 / Page:
1 of 4
1.0PURPOSE
The purpose of this work instruction establishes responsibilities and service timelines for the provision andtermination of access to DynCorp lnternational's IT network, systems, and applications. Itsupports an Identity Lifecycle Management culture for cost-effective management of useraccounts, safeguards the computing environment from potential harm by disgruntled exemployees,and establishes the service priority of establishing or disabling IT user accounts.
2.0APPLICABILITY
This work instruction is applicable to DynCorp International (DI) LLC, and its majority owned subsidiaries.
3.0CORE PROCESS
This categorization identifies the owning Core Process, as previously identified by the Enterprise Performance Excellence Quality Systems (QS) Team for review. Go to the GEM for a list of all of the Core Processes & Definitions.
3.1Information Technology (IT)
4.0SCOPE
All personnel assigning or removing access to any DJ application or system must follow these
work instructions.
5.0ROLES & RESPONSIBILITIES
5.1IT Personnel: All personnel assigning or removing access to any DJ application or system must follow thesework instructions.
6.0DEFINITIONS
6.1Not Applicable
7.0WORK INSTRUCTION
Work InstructionVisual Overview
N/A
Work Instruction Description
7.1Identity Management - Before IT grants access to DI networks and systems, HumanResources assigns a unique PeopleSoft Employee ID number to the person requiringaccess and captures required information. Exceptions may be made in specialcircumstances, for example SFTP.
7.2Anyone responsible for granting or approving access to DI computer systems must verifythat a PeopleSoft identifier is listed in PeopleSoft. It is preferred that a Supervisor be listedin PeopleSoft.
7.3Access Requirements for Applications
7.3.1 Wherever the functionality is available in an application:
7.3.1.1The application uses the PeopleSoft ID as a basis for access control, and
7.3.1.2The PeopleSoft ID is included both in Active Directory and in account informationfor the application.
7.3.2This requirement must be met by new applications, and all new applications mustfollow the IT Project Governance procedure.
7.3.3Applications that cannot meet this requirement will not be placed on the DI networkwithout a written exception from IT Security.
7.4Provisioning of User Accounts
7.4.1Users must accept and agree to the policies, procedures and work instructionsgoverning access to IT networks and systems before they will be allowed to log ontothe DI network.
7.4.2The user's manager should authorize access only if the request meets legitimatebusiness needs. IT personnel granting access may reject user forms that do notappear to be properly authorized.
7.4.3Requester responsibilities - Requester responsibilities include the following:
7.4.3.1To request an account or a change to basic access after the on-boarding process,a properly signed and approved Network Access Form must be submitted to IT via a Service Desk ticket. Each ticket should only include only one completed NAF unless proper exception has been allowed, see step 7.4.
7.4.4Manager or Supervisor Responsibilities - The manager or supervisor of the person forwhom access is being requested has the following responsibilities:
7.4.4.1Confirm that the access being requested is appropriate for the person's role andapprove the request.
7.4.4.2For non-DI employees with access to DI networks and systems, access will expire based on contract end date in PeopleSoft. It is the manager's responsibility to notify Human Resources promptly of any change to the contract end date.
7.4.5HR responsibilities - HR responsibilities include the following:
7.4.5.1Assign unique PeopleSoft ID to the person requiring access and capture requiredinformation.
7.4.5.2Request Network Access, e-mail access, and payroll access.
7.4.5.3Assemble signed copies of all necessary user access forms.
7.4.5.4Assemble signed copies of all requisite IT policies, procedures and workinstructions.
7.4.5.5Ensure that supervisor information is entered in PeopleSoft.
7.4.5.6Keep electronic copies of the forms mentioned above in a secure location andmake them available when requested by DI auditors.
7.4.5.7For non-DI employees requiring access to DI networks and systems, populatePeopleSoft with a valid contract end date not to exceed 365 days from date of hire.
7.4.6IT responsibilities include the following:
7.4.6.1Onboarding
7.4.6.1.1Provide an Active Directory account, e-mail address and mailbox followingreceipt of:
7.4.6.1.1.1.Service Desk request, and
7.4.6.1.1.2.Properly signed and approved Network Access Form package.
7.4.6.1.2If applicable, provide access to a specific application based on proof ofacceptance and agreement to policies, procedures and work instructionscontained within the Network Access Form package.
7.4.6.1.3Verify the user has a PeopleSoft ID and enter the unique PeopleSoft ID toidentify each person in Active Directory and in applications where functionalityis available.
7.4.6.2VPN access
7.4.6.2.1Provide secure remote Virtual Private Network (VPN) access from DIworkstations based on approved Network Access Forms.
7.4.6.3Non-DI employees - In general, accounts provided to contractors or other non-DIemployees have a limited term. Contractor accounts of all types are disabled whenthe expiration date is reached based upon the contract end date in PeopleSoft.
7.4.6.4User Access forms
7.4.6.4.1In order for an account to be created after the on-boarding process is complete,a properly signed and approved Network Access Form package
7.4.7The IT Sr. Director of Operations or designee authorizes, as appropriate, all requests for administrative or root level access. The IT Sr. Director of Operations or designeealso performs user access re-certification for these accounts for access review.
7.4.8User Accounts are provided within ten (10) business days of receipt of requests thatmeet this Work Instruction.
7.5Disabling User Accounts
7.5.1Manager or Supervisor Responsibilities - Responsibilities of the manager orsupervisor of any person with access to DI networks or systems include the following:
7.5.1.1Notify Human Resources promptly when the person is no longer affiliated with DI.
7.5.2HR responsibilities - HR responsibilities include the following:
7.5.2.1Upon notification by manager or supervisor, update PeopleSoft to indicate thestatus and add the user to DynCorp Ad Hoc Term HR Generalist site.
7.5.2.2In general, user accounts are disabled for individuals on extended leave (morethan 30 days). IT reserves the right to stipulate, on a case-by-case basis, takingrisk into consideration, which accounts to disable
7.5.3IT responsibilities include the following:
7.5.3.1User de-provisioning by IT will be targeted for completion within 24 hours for the following applications:
7.5.3.1.1Active Directory
7.5.3.1.2VPN
7.5.3.1.3Administrative and root level accounts
7.5.3.1.4Database Administration accounts
7.5.3.1.5Web-enabled applications accessible from the Internet
7.5.3.2Financially significant applications not mentioned above will be disabled within 5business days.
7.5.3.3IT will audit user accounts for activity and will disable accounts after 180 of inactivity.
8.0DOCUMENTSREFERENCED WITHIN
8.1Procedure(s) (PR)
8.1.1 3.4.1 Project Governance Procedure
8.1.2 3.4.2 Network Access and Password Requirements
8.2Form(s) (FO)
8.2.1 3.4.2-1 Network Access Form (NAF) and User Acceptance (UA)
9.0ATTACHMENTS / EXHIBITS
9.1None
10.0REVISION HISTORY
**All prior versions of the document will be found within the Version History of the GEM. To obtain prior versions, email .
Version # / Date Revised / Reviewed / Summary of Change2.0 / 06/19/17 / Re-activated document from previously archive/inactive status; revised to current format/template; made minor document edits to make document current.
3.0 / 8/14/17 / Annual Review, Header to read as issuing COE/Unit to read Finance: Information Technology
© 2017 DynCorp International (DI). All rights reserved. Uncontrolled if printed. Before using this document, the reader is responsible in ensuring that it is the most current version available by comparing it with the online (master) version. Information contained herein is proprietary to DI.