T5.1.1 - ACCESS CONTROL POLICY Implementation Guidance
The entity shall establish an access control policy based on business and security requirements.
Asset owners should determine appropriate access rules, privileges and restrictions for specific user roles with respect to their assets, with the level of detail and the strictness of the controls reflecting the associated information security risks.
Users and service providers should be given a clear statement of the business requirements to be met by access controls.
The policy should take account of the following:
- A. Security requirements of individual business applications
- B. Policies for information dissemination and authorization, e.g. the need-to-know principle, security levels and the classification of information
- C. Consistency between the access rights and information classification policies of different systems and networks
- D. Relevant legislation and any contractual obligations regarding protection of access to data or services
- E. Management of access rights for users and mobile devices in a distributed and networked environment which recognizes all types of connections available
- F. Segregation of access control roles, e.g. access request, access authorization, access administration
- G. Requirements for formal authorization of access requests
- H. Requirements for periodic review of access controls
- I. Removal of access rights related to users and mobile devices
- J. Archiving of records of all significant events concerning the use and management of user identities and security credentials
- K. Privileged access roles
When using mobile devices, e.g. notebooks, palmtops, laptops, smart cards, and mobile phones, special care should be taken to ensure that business information is not compromised. The access control policy should take into account the risks of working with mobile computing equipment in unprotected environments.
The mobile-related requirements should include physical protection, access controls, cryptographic techniques, backups, and virus protection. This policy should also include rules and advice on connecting mobile devices to networks and guidance on the use of these facilities in public places.