Create guidelines for access control.
a) The guidelines should cover as many of the organisation's resources as possible: users, clients, shared folders, server applications, servers, network devices, security devices and databases.
b) The guidelines should follow the principle of least privilege: do not give end users, service accounts, developers or system managers any more privileges than necessary. Not everyone needs access to everything, and where someone does need access, read privileges are often sufficient. Not everyone needs to be able to write, delete and execute everything.
c) It should be possible to trace every account to the responsible user (including non-personalised accounts without personal names).
d) All accounts, access rights and privileges should be traceable to a responsible role and to the individual who approved them.
e) Accounts, access rights and privileges should be reviewed regularly. This is especially critical for accounts, access rights and privileges used for system management and by special users.
f) Reuse identities whenever possible across systems, sub-systems and applications (ideally with single sign-on).
g) Remind users that it is their responsibility to keep passwords personal and secret and never to share them with anyone, including close colleagues or superiors. Users should also screen-lock their clients when leaving them.
To ensure authorized access and prevent unauthorized access to data and other related resources, the organization has defined and implemented clear rules for physical and logical access control.
Rules are implemented and enforced through several different tasks, but are also combined into an access control policy for clear communication and review.
All accounts, access rights and privileges should be traceable to the role responsible for them and the person who approved them.
Personnel must have security guidelines that deal with e.g. the following topics:
The data system owner determines the access roles to the system in relation to the tasks of its users. The compliance of the actual access rights with the planned ones must be monitored, and the rights reassessed at regular intervals.
When reviewing access rights, care must also be taken to minimize admin rights and eliminate unnecessary accounts.
Access to the organisation's systems is granted and managed according to the principle of least privilege. Additional access is granted to a user only when it is necessary.
Permissions are reviewed, and rights that a user once needed to perform their tasks but no longer needs are reduced or revoked.
The organization must use unique usernames in order to link actions to individual users and assign responsibility to them.
Shared usernames are not allowed and users are not allowed to access information systems until a unique username is provided.
The organization implements role-based access control with predefined access roles for the various protected assets; each role entitles its holders to access the associated asset. The strictness of the access roles should reflect the security risks associated with the asset.
The following should be considered to support access management:
One way to manage the risks associated with shared usernames is to manage the shared password and its users directly through a password management system.
In that case it can be arranged so that, for example, only one named individual actually knows the password, while the persons who use it are recorded.
Reuse identities whenever one can across systems, sub-systems and applications. Ideally this would be done with single sign-on.
The organization should remind employees that it is their responsibility to keep passwords and secrets safe. They should never share them with anyone, including colleagues and superiors.
They should also always lock their devices when leaving them.
In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.