NOT PROTECTIVELY MARKED
POLICY – Identity Access Management
Number: W 3000
Date Published: 25 November 2015
1.0 Summary of Changes
This procedure has changed its number from G 0900 to enable it to come under the
same W section as the joint Essex Police and Kent Police Information Management
policies and procedures. This is an Essex Police ONLY document. It has also been
put onto the new corporate template.
2.0 What this Policy is About
This document describes the Essex Police Identity Access Management Policy as
approved by the IMPACT Programme Management Board and specifically relates to
the Identity Access Management (IAM) managed services provided by Siemens
Enterprise Communications and the Police ICT Company Directorate (formerly the
NPIA).
The Head of Information Management will be the designated IAM system owner.
IAM is a general term used for software, services and organisational structures that
create and manage identities, for people or systems, and control and record access to
information systems. The general principles are:
Formal sponsorship of applicant by business sponsor;
Formal identification and approval of applicant by business approver;
Registration of approved applicant by IAM registrar;
Approval of a registered applicant's IAM identity by IAM approver;
Assignment of approved system(s) access and role(s) by IAM registrar;
Approval of provisioned system(s) access and assigned role(s);
The issuance and management of identity credentials (username and password or
smartcard and PIN);
The maintenance of approved user identities, e.g. changes of name;
Maintenance of an identity's status (active, deactivated or terminated);
The transfer of ownership of IAM identities between IAM organisations.
Detailed information regarding the IAM Managed and Central Services is published on
the College of Policing ‘POLKA’ website which shall be treated as the definitive
primary source for IAM related matters and guidance. It is recommended that all IAM
administrators familiarise themselves with the IAM Guide.
Compliance with this policy and any linked procedures is mandatory.
3.0 Statement of Policy
3.1 Identity Access Management Processes
The IAM process has two distinct areas as follows:
The management of IAM identities to eGIF Level 3 standard; this is the responsibility of
the force HR/Business Centre. The main responsibilities are as follows:
o The creation of identities to eGIF Level 3 standard;
o The maintenance of identities to eGIF Level 3 standard;
o The maintenance of an identity's status;
o The transfer of identities between forces and other agencies.
The provisioning of application access; this is the responsibility of the IT
applications provisioning team. The main responsibilities are as follows:
o The provisioning of applications;
o The provisioning of roles within provisioned applications;
o The provisioning and management of user names and passwords;
o The provisioning and management of user smartcards.
3.1.1 Confidential Environment
The IAM MS application is hosted on a confidential (Impact Level 4) network and as
such can only be accessed via workstations located in an approved location. All
requests for an IAM MS workstation must be approved by the Force Information
Security Officer prior to installation. Relocation of the approved workstation within or
outside of the approved location shall also be approved by the Force Information
Security Officer prior to relocation.
3.1.2 IAM User Identity Registration
All applicants are required to complete form A651 - IAM User Registration and agree
to the terms of the IAM Managed Service Issuing Authority End-entity Agreement.
The purpose of this form is to ensure that all applicants meet and understand the
following:
The person has a confirmed business need;
The person is adequately identified to eGIF level 3;
The person is appropriately security cleared;
The person agrees to the terms and conditions of IAM Managed Service Issuing
Authority.
3.1.3 IAM Device Registration
An IAM device is typically any IT hardware that makes a connection to the IAM MS,
e.g. a server for uploading force system data to an IAM secured application.
All applications for an IAM device identity registration shall be made using the national
form available on College of Policing POLKA website.
3.1.4 Applicant Business Sponsors and Approvers
All applicants shall have their application signed by a business sponsor and a
business approver. An applicant’s business sponsor and business approver cannot
be the same person. The business sponsor and/or approver cannot undertake an
IAM administration role for an application where they are a business
sponsor/approver:
Business sponsor: Usually the applicant’s line manager or their delegate.
However in the case of a new or transferring employee a Human Resources
Assistant (HRA) may act as the business sponsor;
Business Approver: Usually the applicant’s unit manager or their delegate.
However in the case of a new or transferring employee a Human Resources
Business Partner (HRBP) may act as the business approver.
3.1.5 Identity Verification
Business approvers are required to verify the identity of IAM applicants by completing
the Business Approver declaration that the evidence presented conforms to the
requirements as stated within form A651 - IAM User Registration Form.
It is not mandatory for any identification evidence to be retained with the completed
IAM User Registration Form. Once the business approver has completed the
declaration the evidence may be retained by the applicant.
3.1.6 Vetting Requirements
All applicants, including non-police personnel, requiring an IAM identity shall be vetted
to at least the minimum standard required by the force for permanent or temporary
employment. IAM registration cannot be initiated until the appropriate vetting level
and the effective dates are confirmed by the corporate vetting unit.
All IAM administration roles are designated posts and require vetting to Management
Vetting (MV) level as per the force vetting policy.
3.1.7 IAM Identity Amendments
All amendments to an IAM identity shall be formally approved by the completion of
form A652 - IAM User Variation Form and approved by an appropriate business
sponsor.
3.1.8 Transference of IAM Identities between IAM Organisations
Each IAM user has one unique national IAM identity. If an IAM user is transferring to,
or leaving to join, another police force or IAM managed service organisation, their
identity registration shall be transferred to their new employer. All transfers shall be
formally requested and approved by the completion of form A652 - IAM User Variation
Form and approved by an appropriate sponsor.
3.2 Provisioning of IAM Secured National Applications
3.2.1 Request for, Access to or Removal of, IAM Secured Applications
All requests for access to IAM secured applications shall be made using the relevant
IAM Secured National IT Application Request form.
3.2.2 Applicant Business Sponsors and Approvers
All applicants shall have their application counter signed by a business sponsor and a
business approver. An applicant’s business sponsor and business approver cannot
be the same person. The business sponsor and/or approver cannot undertake an
IAM administration role for an application where they are a business sponsor/approver:
Business sponsor: Usually the applicant’s line manager or their delegate;
Business Approver: Usually the applicant’s unit manager or their delegate.
3.2.3 Vetting Requirements
All applicants, including non-police personnel, requiring access to IAM secured
national IT applications shall be vetted to a level appropriate to the application(s)
and/or role(s) requested prior to the application(s) and/or role(s) being provisioned.
All IAM and SUN IDM administration roles are designated posts and require vetting to
Management Vetting (MV) level as per the Force Vetting Policy.
3.2.4 Training
All applicants, including non-police personnel, requiring access to IAM secured
national IT applications shall be trained to a level appropriate to the application(s)
and/or role(s) requested prior to the application(s) and/or role(s) being provisioned.
Confirmation of the successful completion of any training for the requested
application(s) and/or role(s) will be required prior to provisioning of the application(s)
and/or role(s).
3.2.5 Smartcard Issuance
The issuance of smartcards for access to Impact Level 4 (CONFIDENTIAL)
applications shall be face-to-face. All recipients of smartcards shall complete a
smartcard liability declaration (form A656) prior to issuance of the smartcard.
3.2.6 Confidential Environment
All users of IAM nationally secured applications shall be sited in an environment
appropriate to the requested application's rating, e.g. Impact Level 3 (RESTRICTED)
or Impact Level 4 (CONFIDENTIAL).
All requests for access to Impact Level 4 (CONFIDENTIAL) applications shall be
approved by the force Information Security Officer or their delegate prior to
provisioning of the application(s).
3.2.7 Documentation Storage and Retention
All completed IAM documentation and any retained evidence shall be stored within the
applicant's HR file as either a hard copy (paper) or a scanned file (electronic). The
original documentation may be destroyed once a scanned file (electronic) exists.
All IAM documentation (paper or electronic) shall be retained for audit purposes for
the duration of the identity holder's employment and thereafter for a minimum of three years.
3.3 Responsibilities
3.3.1 Separation of Duties
It is important when assigning individuals to the roles listed below that separation of
duties requirements are met. In the case of IAM, one person will initiate the action,
but it will not take effect until a second person, the "approver", has examined it and, if
it is valid, given approval. An approver takes responsibility for the action he or she
approves and will be held accountable for errors, omissions or irregularities.
Adherence to separation of duties is an auditable requirement.
The separation of duties matrix can be found in the IAM Guide, section 6.1 on the
College of Policing ‘POLKA’ website.
3.3.2 Business Sponsor
The role sponsoring the user's application, typically the user's immediate line manager
but may be a Human Resources Assistant. Responsibilities include:
Identification of the user who has a business need to access IAM secured
applications;
Sign the document ‘IAM Registration Form’;
Confirm that all prerequisite training has been completed;
Inform the IAM registrar if a user no longer requires access to an IAM secured
national application.
3.3.3 Business Approver
The role approving the user's application; the business sponsor and business
approver cannot be the same person. Typically the business sponsor's immediate line
manager but may be a Human Resources Business Partner. Responsibilities include:
Verify and validate the user identity;
Approve a new user registration;
Approve changes to be made by the identity registrar;
Approve the suspension, termination or reactivation of a user;
Escalate any issues during the approval process to business sponsor.
3.3.4 Identity Registrar (Business Centre)
The role responsible for creating and managing user identities within the IAM
managed service, typically fulfilled by a Business Centre Administrator.
Responsibilities include:
Ensuring that the document "IAM Registration Form" has been fully completed;
Create the identity in the IAM CS identity directory for the user;
Modify the user record in the IAM identity directory;
Escalate any issues to business approver.
3.3.5 Identity Approver (Business Centre)
The role responsible for approving user identities created by the identity registrar and
typically fulfilled by a Business Centre Team Leader. Responsibilities include:
Making sure that the information that has been entered is correct and in alignment
with the documentation;
Formally approve the user identity;
Escalate any issues to the Identity Registrar.
3.3.6 Identity Registrar (IT Applications)
The role responsible for provisioning applications and application roles within the IAM
managed service, typically fulfilled by an IT administrator. Responsibilities include:
Ensuring that the document ‘IAM Secured National IT Application Request’ has
been completed correctly;
To provision the approved applications and roles;
Create and maintain user names/passwords and request smartcards;
Escalate any issues to business approver.
3.3.7 Identity Approver (IT Applications)
The role responsible for approving provisioned applications and application roles
within the IAM managed service, typically fulfilled by an IT administrator.
Responsibilities include:
Making sure that the information that has been entered is correct and in alignment
with the documentation;
To approve/deny the requested applications;
To approve/deny requests for smartcards;
Escalate any issues to the Identity Registrar.
3.3.8 Card Approver (IT Applications)
The role responsible for approving the issuance of a smart card to a user; typically
fulfilled by an IT administrator. Responsibilities include:
Approving/denying request for smartcards;
Escalate any issues to Business Approver.
3.3.9 Card Issuer
The role responsible for physically printing and issuing a smart card to a user; typically
fulfilled by an IT administrator. Responsibilities include:
Verify the identity of the user prior to smartcard issuance;
Assist the user in testing the issued card and confirming that it can be used to
access national applications;
Issuing smartcards;
Verify that the user has signed the IAM Managed Service Issuing Authority End-entity Agreement;
Verify that the user has signed form A656 - Essex Police Smart Card (Device)
Security Personal Liability Form;
To unlock smartcards if the user is unable to use the self-service option;
The termination of smartcards as requested.
4.0 Implications of the Policy
4.1 Finance / Staffing / Training / Other
Siemens PLC apply an annual charge for the issuance of each IL4 Confidential
(smartcard) credential. Therefore the on-going need for each IL4 credential shall be
reviewed annually to ensure the cost impact to the force is minimised.
Essex Police may incur annual charges for the registration and maintenance of
partner agency identities.
All IAM administrators are required to complete CBT packages in relation to Data
Protection, Information Security and Protective Marking that are available via the
Information Management website.
Non-Essex Police personnel requiring access to IAM protected applications shall
complete form A651 - IAM User Registration Form. Their IAM sponsor and approver, who
cannot be the same person, must be permanent Essex Police employees.
Prior to the provisioning of any IAM protected application(s) for non-Essex Police
personnel, Information Management shall confirm that a valid information sharing
agreement exists and has been published on the force library of agreements.
4.2 Risk Assessment(s)
The Corporate Risk Register contains a risk for Information Security.
4.3 Equality Impact Assessment
This procedure has been assessed with regard to an Equality Impact Assessment. As
a result of this assessment it has been graded as having a low potential impact as the
proposals in this procedure would have no potential or actual differential impact on
grounds of race, ethnicity, nationality, gender, transgender, disability, age, religion or
belief or sexual orientation.
5.0 Consultation
Information Technology Department;
Human Resources Department;
Business Centre;
Information Security;
Finance Department;
Police ICT Company, Home Office.
6.0 Monitoring and Review
This policy will be reviewed by or on behalf of the Head of Information Management
within three years from the date of publication to ensure it remains accurate and fit for
purpose.
7.0 Related Force Policies or Related Procedures
W 1000 Policy - Information Management and Assurance
D 2300 Policy - Police National Database (PND)
W 3001 Procedure - Identity Access Management, Use of
W 3002 Procedure - SUN Identity Management, Use of
8.0 Other Source Documents, e.g. Legislation, Authorised Professional Practice (APP), Partnership Agreements (if applicable)
Identity Access Management, IAM Guide (referenced and published on the
College of Policing ‘POLKA’ website)
Form A651 Identity Access Management (IAM) Registration Form
Form A652 Identity Access Management (IAM) Variation Form
Form A656 IAM Smart Card (Device) Security Personal Liability Form
Form A666 Identity Access Management (IAM) Variation Form, Removal of
Application Access
8.1 Glossary
eGIF – e-Government Interoperability Framework
HRA – Human Resources Assistant
HRBP – Human Resources Business Partner
IAM – Identity Access Management
IAM MS – Identity Access Management, Managed Service
PIN – Personal Identification Number
PND – Police National Database
POLKA – Police Online Knowledge Area (Owned by the College of Policing)
SUN IDM – Sun Microsystems, Identity Manager