Access Control

Data system owner determines the access roles to the system in relation to the tasks of users. The compliance of the actual access rights with the planned ones must be monitored and the rights reassessed at regular intervals.

When reviewing access rights, care must also be taken to minimize admin rights and eliminate unnecessary accounts.

Secure areas of the organization cannot be accessed unnoticed. The premises are protected by appropriate access control. Only authorized persons have access to the secure areas.

To ensure authorized access and prevent unauthorized access to data and other related resources, the organization has defined and implemented clear rules for physical and logical access control.

Rules are implemented and enforced through several different tasks, but are also combined into an access control policy for clear communication and review.

All accounts, access rights and privileges should be traceable to the role responsible for them and the person who approved them.

The organization must develop, document, and implement procedures for logical and physical access control. These must take into account:

• Access to all assets, supporting functions and locations are managed on need-to-know, need-to-use and least privileges basis. Including remote and emergency access.
• User accountability, users actions must be identifiable
• Authentication methods must commensurate with the classification and overall risk profile of the assets. They must be strong methods that are based on leading practices. They must apply to all forms of access (remote, privileged, access to assets, etc.)

The organization implements role-based access control with predefined access roles for the various protected assets that entitle access to the associated asset. Strictness of the access roles should reflect the security risks associated with the asset.

The following should be considered to support access management:

• how much information each user needs access to
• how widely the user should be able to edit data (read, write, delete, print, execute)
• whether other applications have access to the data
• whether the data can be segregated within the property so that sensitive data is less exposed

The organization shall ensure that the monitoring and management of remote connections is automated, that remote connections are encrypted to ensure their integrity and reliability, and that remote connections pass only through approved and managed Network Access Control (NAC).

The organization must also make possible for the remote connections to be closed within a specified time.

The organization verifies the identity of users and associates them with user information. These should also be confirmed before any interaction.

Identity verification must be performed according to pre-written and approved rules.

To ensure that authorized users have access to data systems and to prevent unauthorized access, the organization has defined formal processes for:

• User registration and deletion
• Allocation of access rights
• Reassessment of access rights
• Deleting or changing access rights

The implementation of these things must always take place through a defined, formal process.