Network Trace
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

08) Does your organisation have a documented Access Control Policy?

August 30, 2022
Security Governance
Access Control

Answer yes if your organisation has a documented Access Control Policy that has been reviewed in the last year. Please provide the Access Control Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.

What is it?

An access control policy outlines the rules relating to authorising, monitoring and controlling access to the various accounts, IT facilities, and the data they house, in your environment. In the most basic sense it ensures data and systems can only be accessed by those that should have access. There are also levels and types of access so that individuals are limited to only being able to perform the functions or access the data relevant to their role.

Without such measures everyone would have access to everything. This not only means sensitive information and systems could be accessed by individuals that have no need to do so, but it also become very difficult to audit who did what. Therefore, it’s important to establish which individuals and groups of individuals shall have access to which systems and data and with which levels of privilege.

Administrative accounts need to be managed with additional care as they can typically override the limitations of lower accounts. This not only grants greater access, but typically allows administrators to operate as other individuals. While this can be necessary under certain circumstances such as when retrieving files or emails from an employee that has left the organisation, the organisations must have strict policies in place to reduce the possible scope of abuse.

Why should I have it?

No amount of structure, system maintenance, policy, and security controls can be effective if the who and how (and possibly the when) of access to resources is not defined. An access control policy dictates how access and privileges to specific resources are allocated to specific accounts and therefore individuals.

For a customer of a supplier, the presence of an access control policy provides assurance that the provider has reduced risk and exposure of systems and data to only those that have an approved business need and responsibility for them.

How to implement the control

An access control policy typically needs to take into consideration the different types of systems and data in your organisation as well as the different job roles present and what kind of access each role needs and, perhaps more importantly, what kind of access they do not need.

With this information in hand it becomes possible to create a high level policy that can guide the implementation of processes and controls for the different areas of the business.

There are numerous consultancies or individual consultants that will be able to assist in crafting a policy that meets your business and technical requirements. Please message us if you would like a recommendation.

If you would like to contribute to this article or provide feedback, please email Contributors will be recognised on our contributors page.

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.