The organization implements role-based access control with predefined access roles for the various protected assets that entitle access to the associated asset. Strictness of the access roles should reflect the security risks associated with the asset.
The following should be considered to support access management:
The need-to-know principle grants access only to information that an individual needs to perform his or her task. Different tasks and roles have different information needs and thus different access profiles.
Separation of tasks means that conflicting tasks and responsibilities must be separated in order to reduce the risk of unauthorized or unintentional modification or misuse of the organisation's protected assets.
To ensure that authorized users have access to data systems and to prevent unauthorized access, the organization has defined formal processes for:
The implementation of these things must always take place through a defined, formal process.