ISO 27002 Access Control Policy Rules

Different business applications have different security requirements. These are determined by identifying all the information that the business systems are carrying and through the individual risk assessments carried out for each critical business system; these risk assessments point at who should, and should not, be allowed access to the system.

Some information required for particular business applications may be processed by people who do not need access to the application itself (the ‘need-to-know’ principle in action). An example might be in an office workflow system, where the person who inputs a supplier delivery note to a purchase and payments application does not need access to the actual accounting or payment functions of the system. Such a person would need different access rights from those required by a person who triggers actual vendor payments.

The information classification system: user access rights should reflect the level of classified information that each user is allowed to see.

There should be consistency between the access control and information classification policies of different networks within the same organization. Inconsistency leads to incoherence, which leads to people taking short cuts (because there are too many user names and passwords, and too much variation in responsibility), and this quickly leads to breakdowns in information security.

Relevant legislation, particularly data protection legislation, and any contractual obligations that the organization has to protect particular data should be analysed and taken into account.

There should be standard user access profiles for common job categories, as this makes it straightforward to manage and provide training. In situations where people with similar jobs have different access rights, security will break down as individuals unofficially share the most useful access profiles. Authorization to create a new user name should set out the areas of the network to which the user is to have access.

A distributed, networked environment that recognizes a number of different types of connections should consider all of them, so that, for instance, a user who can access something on the desktop can also do so remotely. The Microsoft Windows roaming profile makes this possible.

Segregation of duties should apply here as well: if the organization is large enough, different roles should be responsible for processing access requests, authorizing them and setting them up.

Access controls should be periodically reviewed; as a weakness in this control could provide access to sensitive and confidential information or systems, it is as important to monitor this as it is to monitor the activity of those who have access to the organization’s bank account.

Access rights should be removed when an employee is terminated.
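As an added illustration of the standard-profile, segregation-of-duties, periodic-review and leaver rules above (example code, not from the book or the ISO standard; the job categories, users, entitlements and request records are constructed sample data):

```python
"""Periodic access review: flags the failure modes named in the policy.
All data below is constructed sample input, not real accounts."""

# Standard access profile per job category (assumed, constructed).
STANDARD_PROFILES = {
    "ap_clerk": {"delivery_note_entry"},
    "ap_manager": {"delivery_note_entry", "vendor_payment"},
}

# HR roster: user -> (job category, still employed?)
HR_ROSTER = {
    "alice": ("ap_clerk", True),
    "bob": ("ap_manager", True),
    "carol": ("ap_clerk", False),   # has left the organization
}

# Current entitlements held in the purchase-and-payments application.
ACCESS = {
    "alice": {"delivery_note_entry", "vendor_payment"},  # exceeds profile
    "bob": {"delivery_note_entry", "vendor_payment"},
    "carol": {"delivery_note_entry"},                     # orphaned account
    "dave": {"vendor_payment"},                           # no HR record
}

# Who performed each step of the access-request workflow.
REQUESTS = [
    {"id": 1, "requested_by": "alice", "approved_by": "bob", "provisioned_by": "erin"},
    {"id": 2, "requested_by": "bob", "approved_by": "bob", "provisioned_by": "bob"},
]


def review_access(roster, access, profiles):
    """Return (user, finding) pairs for access that the policy would reject."""
    findings = []
    for user, rights in access.items():
        if user not in roster:
            findings.append((user, "no HR record"))
            continue
        job, active = roster[user]
        if not active:
            findings.append((user, "terminated but still has access"))
            continue
        extra = rights - profiles.get(job, set())
        if extra:
            findings.append((user, f"rights beyond {job} profile: {sorted(extra)}"))
    return findings


def check_segregation(requests):
    """Segregation of duties: requester, approver and provisioner must all differ."""
    return [r["id"] for r in requests
            if len({r["requested_by"], r["approved_by"], r["provisioned_by"]}) < 3]
```

Running both checks over the sample data reports dave (no HR record), carol (leaver still enabled), alice (rights beyond her profile) and request 2 (one person handled every step).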

source: IT Governance, Alan Calder & Steve Watkins
