An access control policy should be established, documented and periodically reviewed, based on business needs and external requirements. Access control policy and associated controls should take account of:
- Security issues for particular data systems and information processing facilities, given business needs, anticipated threats and vulnerabilities;
- Security issues for particular types of data, given business needs, anticipated threats and vulnerabilities;
- Relevant legislative, regulatory and certificatory requirements;
- Relevant contractual obligations or service level agreements;
- Other organizational policies for information access, use and disclosure; and
- Consistency among such policies across systems and networks.
Access control policies generally should include:
- Clearly stated rules and rights based on user profiles;
- Consistent management of access rights across a distributed/networked environment;
- An appropriate mix of administrative, technical and physical access controls;
- Administrative segregation of access control roles -- e.g., access request, access authorization, access administration;
- Requirements for formal authorization of access requests;
- Requirements for authorization and timely removal of access rights ("de-provisioning").
The following procedure guide would allow the Ken 7 Windows Limited IT department to manage its access control changes in a consistent way:
Ken 7 Windows Limited has chosen to adopt the Access Control principles established in the NIST SP 800-53 "Access Control" control family guidelines as the official policy for this domain. The following subsections outline the Access Control standards that constitute Ken 7 Windows Limited policy. Each Ken 7 Windows Limited Business System is bound to this policy, and must develop or adhere to a program plan that demonstrates compliance with the policy and the standards documented here.
Access Control Procedures: All Ken 7 Windows Limited Business Systems must develop, adopt or adhere to a formal, documented access control procedure that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
Account Management: All Ken 7 Windows Limited Business Systems must:
- Identify account types (i.e., individual, group, system, application, guest/anonymous, and temporary).
- Establish conditions for group membership.
- Identify authorized users of the information asset and specify their access privileges.
- Require appropriate approvals for requests to establish accounts.
- Establish, activate, modify, disable, and remove accounts.
- Specifically authorize and monitor the use of guest/anonymous and temporary accounts.
- Notify account managers when temporary accounts are no longer required, when information asset users are terminated or transferred, or when information asset usage or need-to-know/need-to-share changes.
- Deactivate temporary accounts that are no longer required and accounts of terminated or transferred users.
- Grant access to the system based on (1) valid access authorization, (2) intended system usage, and (3) other attributes as required by the organization or associated missions/business functions.
- Review accounts on a periodic basis, at least annually.
Access Enforcement: All Ken 7 Windows Limited Business Systems must enforce approved authorizations for logical access to the system in accordance with applicable policy.
Information Flow Enforcement: All Ken 7 Windows Limited Business Systems must enforce approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.
Separation of Duties: All Ken 7 Windows Limited Business Systems must:
- Separate the duties of individuals as necessary to prevent malevolent activity without collusion.
- Document separation of duties.
- Implement separation of duties...