Access rights are managed by the principle of the least privilege

Access to the organisation's systems is granted and managed according to the principle of least privilege: a user receives only the access required for their current tasks, and further access is granted only when a new need arises.

Permissions are reviewed periodically, and rights are reduced when a user holds rights that were once needed to perform tasks but are no longer required.


Related frameworks and requirements:
PR.AC-4: Access permissions and authorizations
NIST CSF

Segregation of information security related duties

The organisation should have processes for ensuring that conflicting responsibilities are segregated, to reduce opportunities for misuse of the organisation's assets.

Care should be taken, for example, that no single person can process data without detection. Separating the initiation of an event from its authorisation is also good practice.

When direct segregation of duties is hard to achieve, the following principles can be applied:

  • High-level segregation of information security responsibilities
  • Supporting segregation with good monitoring, audit trails and management supervision

Related frameworks and requirements:
6.1.2: Segregation of duties
ISO 27001
ID.RA-3: Threat identification
NIST CSF
PR.AC-4: Access permissions and authorizations
NIST CSF
PR.DS-5: Data leak protection
NIST CSF
5.3: Segregation of duties
ISO 27001

Defining and documenting access roles

The organisation implements role-based access control: each protected asset has predefined access roles, and holding a role entitles the user to the access the role defines on that asset. The strictness of the access roles should reflect the security risks associated with the asset.

The following should be considered to support access management:

  • how much information each user needs access to
  • how widely the user should be able to act on the data (read, write, delete, print, execute)
  • whether other applications have access to the data
  • whether the data can be segregated within the system so that sensitive data is less exposed
Related frameworks and requirements:
I06: Management of access rights
25. Data protection by design and by default
GDPR
5. Principles relating to processing of personal data
GDPR
9.1.1: Access control policy
ISO 27001
9.2.2: User access provisioning
ISO 27001
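The two controls above, segregation of duties (initiation separated from authorisation, backed by an audit trail) and role-based access with deny-by-default permissions per asset, are illustrated below in a small Python model. This is an added example written for this page, not code from the source or from any ISMS product; the role names, the "payments" asset, the conflicting-role pair and the payment workflow are assumptions chosen for illustration. The permission verbs are the five listed above (read, write, delete, print, execute).

```python
"""Role-based access control with deny-by-default and a segregation-of-duties check.

Added illustration for this page; not the page's own code. Role names, asset
names and the conflicting-role rule below are assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set, Tuple

# The permission verbs listed on the page; any other verb is rejected at role definition.
PERMISSIONS = frozenset({"read", "write", "delete", "print", "execute"})


@dataclass(frozen=True)
class Role:
    name: str
    grants: Dict[str, FrozenSet[str]]  # asset -> verbs allowed; unlisted assets are denied


@dataclass
class AccessPolicy:
    roles: Dict[str, Role] = field(default_factory=dict)
    assignments: Dict[str, Set[str]] = field(default_factory=dict)  # user -> role names
    conflicting_roles: Set[FrozenSet[str]] = field(default_factory=set)  # role pairs one person may not hold
    audit: list = field(default_factory=list)  # (user, verb, asset, allowed) per decision

    def define_role(self, name: str, grants: Dict[str, Set[str]]) -> None:
        for asset, verbs in grants.items():
            unknown = set(verbs) - PERMISSIONS
            if unknown:
                raise ValueError(f"unknown permission(s) {sorted(unknown)} for {asset}")
        self.roles[name] = Role(name, {a: frozenset(v) for a, v in grants.items()})

    def assign(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(role)
        held = self.assignments.setdefault(user, set())
        for other in held:  # static segregation of duties: refuse conflicting role combinations
            if frozenset({other, role}) in self.conflicting_roles:
                raise ValueError(f"{user}: role {role} conflicts with {other}")
        held.add(role)

    def revoke(self, user: str, role: str) -> None:
        self.assignments.get(user, set()).discard(role)

    def is_allowed(self, user: str, verb: str, asset: str) -> bool:
        # Deny by default: allowed only if some held role grants this verb on this asset.
        allowed = any(
            verb in self.roles[r].grants.get(asset, frozenset())
            for r in self.assignments.get(user, ())
        )
        self.audit.append((user, verb, asset, allowed))  # audit trail supports later review
        return allowed

    def effective_permissions(self, user: str) -> Dict[str, Set[str]]:
        out: Dict[str, Set[str]] = {}
        for r in self.assignments.get(user, ()):
            for asset, verbs in self.roles[r].grants.items():
                out.setdefault(asset, set()).update(verbs)
        return out


@dataclass
class PaymentRequest:
    request_id: str
    initiated_by: str
    approved_by: Optional[str] = None


def initiate_payment(policy: AccessPolicy, user: str, request_id: str) -> PaymentRequest:
    if not policy.is_allowed(user, "write", "payments"):
        raise PermissionError(f"{user} may not initiate payments")
    return PaymentRequest(request_id, user)


def approve_payment(policy: AccessPolicy, user: str, req: PaymentRequest) -> PaymentRequest:
    if not policy.is_allowed(user, "execute", "payments"):
        raise PermissionError(f"{user} may not approve payments")
    if user == req.initiated_by:  # dynamic segregation: initiator may never authorise own event
        raise PermissionError("initiator may not approve their own request")
    req.approved_by = user
    return req


def build_demo_policy() -> AccessPolicy:
    """Constructed sample policy (assumed roles/users, not from the page)."""
    policy = AccessPolicy()
    policy.define_role("payments_clerk", {"payments": {"read", "write"}})
    policy.define_role("payments_approver", {"payments": {"read", "execute"}})
    policy.define_role("auditor", {"payments": {"read"}, "audit_log": {"read", "print"}})
    policy.conflicting_roles.add(frozenset({"payments_clerk", "payments_approver"}))
    policy.assign("alice", "payments_clerk")
    policy.assign("bob", "payments_approver")
    policy.assign("dave", "auditor")
    return policy


if __name__ == "__main__":
    p = build_demo_policy()
    req = approve_payment(p, "bob", initiate_payment(p, "alice", "PAY-1"))
    print(req, p.effective_permissions("dave"), p.audit)
```

Two segregation mechanisms are shown: a static one (the policy refuses to give one person both the clerk and approver roles) and a dynamic one (even a legitimate approver cannot approve a request they initiated). The `audit` list is the minimal audit trail the page recommends when full segregation is hard to achieve; in practice it would be written to a tamper-evident log rather than kept in memory.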

Need-to-know principle in access management

The need-to-know principle grants access only to the information an individual needs to perform their tasks. Different tasks and roles have different information needs and therefore different access profiles.

Segregation of duties means that conflicting tasks and responsibilities must be separated, in order to reduce the risk of unauthorised or unintentional modification or misuse of the organisation's protected assets.

Related frameworks and requirements:
I06: Management of access rights
9.1.1: Access control policy
ISO 27001
PR.AC-4: Access permissions and authorizations
NIST CSF
5.15: Access control
ISO 27001