Purpose: To define user rights and the rules for holding privileges within the organization.
Scope: Covers all users and units that make use of information technology resources.
Responsible parties: All senior management is responsible for ensuring that all employees act in accordance with this policy.
Implementation: Privilege Management
Privileges are limited solely to folder access, software installation, connection durations, network settings, general internet use, guest internet access, and remote work / access. They are reviewed at least once every 12 months, and re-authorizations are also carried out upon hiring, departure, or change of duty.
For senior managers
- The request is sent to the Manager. The Manager sends an approval note to the system administrator for the request to be fulfilled.
If it belongs to organization personnel
- The employee submits the privilege request to their supervisor.
- If the supervisor accepts, the request is sent to the Manager.
- After evaluating the request, if the Manager deems it appropriate, they send an approval note for the privilege to the IT Service Provider.
- Privilege access is granted for the period the Manager deems appropriate. At the end of the period, the granted right is removed by the IT Service Provider.
For service providers
- The relevant supervisor of the service provider submits the privilege request.
- The request is sent to the Manager.
- Privilege access is granted for the period the Manager deems appropriate. At the end of the period, the granted right is removed by the IT Service Provider.
User Rights
Software Installation
- Storing or installing software not related to work (including installation files) is prohibited under all circumstances.
- Users may not install software on their computers without the Manager’s approval — even if technically possible — as it may lead to copyright infringement and technical problems.
- If there is a need to install work-related software, the opinion and approval of the IT Service Provider must be obtained.
- Software such as security analysis and system management tools are installed on computers and workstations only by the IT Service Provider. Installation is carried out with the Manager’s approval.
- The installation and use of system utility programs is permitted only for the information technology department.
- System utility programs are installed and used only to resolve user issues. They are not used in system administration.
- In very specific cases requiring remote work with restricted access, system utility programs may be used. In such cases, a request must be opened and the Manager’s approval obtained.
- Once the operation is complete, the system utility program is terminated immediately.
- Connection durations for software use are agreed upon with the relevant software owners. They are applied to groups defined within the domain.
Configuration and Security Settings
- Users may not lower the level of security settings on their computers, even if technically possible.
- Examples of security settings include: Internet Explorer security zone settings affecting MS Internet Explorer and MS Outlook, antivirus program settings, operating system update settings, personal firewall settings, BIOS settings, and other hardware and software security settings.
- Users may not run new network services (such as a web server or database server) from their personal computers, even if technically possible.
- They may not define new users and user groups on their computers, nor change the rights of existing users and user groups.
- If configuration and security settings must be changed as required by their needs, the comment and approval of the IT Service Provider is mandatory.
- Configuration and security setting changes may be made only by the IT Service Provider and for the period required.
Right to Access Networks and Network Services
- The access permissions of users in our company are limited to the area of their own units.
- Access restrictions are managed via Active Directory.
- Authorization charts for access restrictions have been created, are kept current, and are reviewed after employment-related changes.
- Access to printers and similar resources over the network is configured by the IT Service Provider.
- When access to applications on other subnetworks over the network is required, this access is configured by the IT Service Provider.
- Local administrator privileges have been removed except for the “power user / local admin” group.
- Membership in the power user group lasts for the period defined by the Manager.
- For power-user group rights, the user first submits a request to their administrative supervisor. If the supervisor deems the request appropriate, they consult the Manager.
- If the Manager deems the request appropriate, they open a ticket with the IT Service Provider via the help desk.
Document Access Rights
Based on the duty-change notification from the Human Resources department, access settings in the current department folder must be removed and access settings to the new department folder must be configured.
For new personnel, a written (e-mail) request must be received from the human resources unit specifying which folder and folder permission rights apply. In the absence of a written request, no access-rights change is carried out.
The IT Service Provider is obliged to check and authorize the document access permissions of all computer users at least once every 12 months and upon changes of duty.
Folder Access Permissions
- The Millennium New Shared folder is configured so that only users included in the domain infrastructure can log in.
- Department users have full authority over the folders created for each department; access permissions to other departments’ folders are granted subject to Manager approval.
Device Usage
- Within the scope of user rights, the USB ports (external disks) of all users are disabled. When needed, time-limited and limited-number authorization is granted by the IT Service Provider with the relevant Manager’s approval.
- If use is mandatory, usage rights are granted according to Privilege Management. Responsibility lies with the user.
- Consultants, customers, and visitors are not admitted to the corporate network.
- Service providers’ use of their devices is subject to permission, and privilege management is applied.
- A “device identification policy” is active over the domain. A log is kept of every connected device.
