CHAPTER 02: Controlling Access to Information and Systems
Section 01 Controlling Access to Information and Systems
Policy 020101 Managing Access Control Standards
POLICY STATEMENT
“Access control standards for information systems must be established by management and should incorporate the need to balance restrictions to prevent unauthorized access against the need to provide unhindered access to meet business needs.”
Policy 020102 Managing User Access
POLICY STATEMENT
“Access to all systems must be authorized by the owner of the system, and such access, including the appropriate access rights (or privileges), must be recorded in an Access Control List. Such records are to be regarded as Highly Confidential documents and safeguarded accordingly.”
Policy 020103 Securing Unattended Workstations
POLICY STATEMENT
“Equipment is always to be safeguarded appropriately – especially when left unattended.”
Policy 020104 Managing Network Access Controls
POLICY STATEMENT
“Access to the resources on the network must be strictly controlled to prevent unauthorized access. Access to all computing and information systems and peripherals shall be restricted unless explicitly authorized.”
Policy 020105 Controlling Access to Operating System Software
POLICY STATEMENT
“Access to operating system commands is to be restricted to those persons who are authorized to perform systems administration / management functions. Even then, such access must be operated under dual control requiring the specific approval of senior management.”
Policy 020106 Managing Passwords
POLICY STATEMENT
“The selection of passwords, their use and management as a primary means to control access to systems is to strictly adhere to best practice guidelines. In particular, passwords shall not be shared with any other person for any reason.”
Policy 020107 Securing Against Unauthorized Physical Access
POLICY STATEMENT
“Physical access to high security areas is to be controlled with strong identification and authentication techniques. Staff with authorization to enter such areas are to be provided with information on the potential security risks involved.”
Policy 020108 Restricting Access
POLICY STATEMENT
“Restricted areas for critical IT systems shall be set up. Access controls are to be set at an appropriate level which minimizes information security risks yet also allows the organization’s business activities to be carried out without undue hindrance.”
Policy 020109 Monitoring System Access and Use
POLICY STATEMENT
“Access to critical IT systems is to be logged and monitored to identify potential misuse of systems or information.”
Policy 020110 Giving Access to Files and Documents
POLICY STATEMENT
“Access to information and documents is to be carefully controlled, ensuring that only authorized personnel may have access to sensitive information.”
Policy 020111 Managing Higher Risk System Access
POLICY STATEMENT
“Access controls for highly sensitive information or high risk systems are to be set in accordance with the value and classification of the information assets being protected.”