Scribd
Upload
991 views7 pages

Access Control Policy

Uploaded by

Marsels
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
991 views7 pages

Access Control Policy

Uploaded by

Marsels
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd

ACCESS

CONTROL
POLICY

1
© Distributed by Resilify.io under a Creative Commons Share Alike License.
Access Control Policy
Version Control
Owner Version Edited By Date Change History
IS Rep 0.1 Assent 19/01/2016 First Draft

Distribution
Held Format Location Comments
By
Digital / Physical

Status
X Status Approved By Date
X Working DD/MM/YYYY
Draft
Provisional Approval
Publication

Classification
X Confidential
Restricted
Unclassified

Relevance to Standard

Standard Clause Title

[ISO 27001:2013] [A9.1.1] [Access Control Policy]

License

Licensed by Assent Risk Management via Resilify.io Under a Creative Commons Share Alike License.

2
© Distributed by Resilify.io under a Creative Commons Share Alike License.
Contents

Access Control Policy_______________________________________________________________________________2


Contents_______________________________________________________________________________________________3
Access Control Policy_______________________________________________________________________________4
1.0 Overview______________________________________________________________________________________4
1.1 Principles______________________________________________________________________________________________4

2.0 Policy___________________________________________________________________________________________4
2.1 Security of Systems____________________________________________________________________________________4
2.2 Security of Networks and Services___________________________________________________________________4
2.3 Physical Security______________________________________________________________________________________5
2.4 Classification of Information_________________________________________________________________________5
2.5 Access Requests_______________________________________________________________________________________5
2.6 Access Authorisation__________________________________________________________________________________5
2.7 Access Administration________________________________________________________________________________6
2.8 Access Review_________________________________________________________________________________________6
2.9 Access Removal________________________________________________________________________________________6
2.10 Privileged Access______________________________________________________________________________________6
2.11 Legislation & Contractual Obligations_______________________________________________________________7
2.12 Logging & Monitoring_________________________________________________________________________________7

3.0 Related Policies_______________________________________________________________________________7

3
© Distributed by Resilify.io under a Creative Commons Share Alike License.
Access Control Policy

1.0 Overview
This Access Control policy defines the rules, rights and restrictions applied to users
for both logical and physical access to the organisation’s assets.

1.1 Principles

Need-to-know; you are only granted access to the information you need to
perform your tasks (different tasks/roles mean different need-to-know and
hence different access profile).

Need-to-use: you are only granted access to the information processing


facilities (IT equipment, applications, procedures, rooms) you need to perform
your task/job/role.

2.0 Policy

2.1 Security of Systems

The organization uses several systems to operate effectively, and it’s


important to maintain the confidentiality, integrity, and availability of these
information assets through this access control policy.

Threats associated with the information assets have been considered and
addressed as far as possible through the risk management process

2.2 Security of Networks and Services

Access to the organisation’s networks shall be limited to prevent


unauthorized and unintended consequences.

Devices will not be connected to the network without authorization from


the IT Department.

The WIFI connection details will not be shared without the authorization of
the IT Department.

Guests, visitors and third parties will use ONLY the visitor WIFI network
made available.
4
© Distributed by Resilify.io under a Creative Commons Share Alike License.
2.3 Physical Security

The physical security of the organisation’s assets, including buildings and


offices, should be considered at all times.

Please use the access tokens provided to gain access to the buildings and
do not permit people to tailgate through open doors.  All visitors and third
parties must report to reception and sign in. 

Challenge any strangers on-site who do not appear to be accompanied.

Training in guidance for workplace security can be found here QEC UK -


Guidance for Workplace Security - Digital Lorators

2.4 Classification of Information

Information assets are classified in terms of their sensitivity and value to


the organization, as defined in the classification and handling policy.

When administering access to systems or physical assets, the gatekeeper.


will consider the classification of information that will be made available to
determine the levels of access required by individuals.

2.5 Access Requests

Access requests should be submitted to the gatekeeper by email. 

The job functions as described by the department manager should be


reviewed to ensure that the requested access is relevant and acceptable.

In the case of IT systems including Active Directory, a profile including


privileges may be copied from a colleague with the same job functions.

2.6 Access Authorisation

The managing director has overall governance of access control within the
company and may, for legitimate business reasons, grant or revoke
access at their discretion.

Department managers are responsible for determining the access levels


required by their staff and should, where possible, maintain security
groups.

5
© Distributed by Resilify.io under a Creative Commons Share Alike License.
2.7 Access Administration

When an access request has been approved by the Gatekeeper, a record


of that decision will be maintained to allow an audit trail.

The gatekeeper will provide access to the user and inform them via an
appropriate method, so as to keep any username separate from a
password.

Where systems allow, a temporary password will be used, and the user
will be required to change their password at first log-in. 

2.8 Access Review

The access to systems will be reviewed on a regular basis to ensure that


users are still authorized to access each system and that the privilege
level assigned to that user is still acceptable.

Gatekeepers will be responsible for reviewing their own systems and may
need to refer to department managers for confirmation of user
requirements.

2.9 Access Removal

In cases of disciplinary or where an employee is within their probation


period, access should be removed immediately – including cancellation of
cards/fobs.

Where a notice period has been agreed, or the user is changing job function
within the company, access should be removed when it has been confirmed
by their line manager.

2.10 Privileged Access

All privileged access should be reviewed against the job function before the
details or assets (including access cards/fobs) are issued to the user.

The use of privileged accounts will be limited, and a uniquely identifiable


username will be used to enable all activity under an account to be traced
back to a single individual.

6
© Distributed by Resilify.io under a Creative Commons Share Alike License.
2.11 Legislation & Contractual Obligations

Occasionally there may be legal or contractual obligations related to particular


systems or clients, and where these arrangements exist, a designated
gatekeeper will be responsible for ensuring the all-applicable systems are
administered in-line with those requirements.

2.12 Logging & Monitoring

User activity is logged and may be monitored for the purposes of error
detection and security.

3.0 Related Policies

Classification and Handling Policy

System Gatekeepers
The organisation uses several systems to store data, and these are administered by
different people in the organisation. The table below shows the gatekeepers of those
systems, who you should go to for any of the above issues.

System Gatekeeper Contact Review Frequency


Active Directory Annual
Mail Server Annual
Intranet Annual
CRM Annual
Accounting Annual
Physical Access Control System Annual
Intruder Alarm Annual
CCTV Annual
Website Annual
WIFI Annual
KeyCode Locks Changed Annually

7
© Distributed by Resilify.io under a Creative Commons Share Alike License.

ACCESS CONTROL POLICY 1 © Distributed by Resilify.io   under a Creative Commons Share Alike License .
Access Control Policy Version Control Owner Version Edited By Date Change History IS Rep 0.1 Assent 19/01/2016 First Draft Di
Contents Access Control Policy_______________________________________________________________________________2 Contents______
Access Control Policy 1.0 Overview This Access Control policy defines the rules, rights and restrictions applied to users fo
2.3 Physical Security The physical security of the organisation’s assets, including buildings and offices, should be conside
2.7 Access Administration When an access request has been approved by the Gatekeeper, a record of that decision will be main
2.11 Legislation & Contractual Obligations Occasionally there may be legal or contractual obligations related to particular s

You might also like