Access control policy
Who has access to do what is a fundamental mechanism to prevent unauthorised and accidental loss of confidentiality, integrity and availability. Restricting access to least privilege reduces the probability and impact of compromise.
To limit access to information, information systems and networks to authorised users
This policy applies to all users, networks and information systems
- Access to information and information systems will be role based.
- Access rights will be determined by the business role(s).
- Access rights will be reasonably restricted (need to know).
- Access rights will be reviewed periodically for correctness.
- Access will be limited to authorised and authenticated users.
- Access to information systems and networks will be via secure login.
- Access will be monitored and logged.
- Access rights will be removed or revised promptly subject to termination or change of role.
- Users will be assigned a unique ID which must not be shared or repurposed.
- Privileged access rights will be authorised on a need to know basis.
- Privileged rights will be assigned to a unique ID not for general use.
- Privileged utility programs will be limited to privileged users.
- Users identity must be verified before providing new or replacement temporary passwords.
- Temporary passwords should be unique and forced to be changed on initial use.
- Users must adhere to the company’s password policy.