Managing Access Control Standards

Access control standards are the rules which an organisation applies in order to control access to its information assets. Such standards should always be appropriate to the organisation's business and security needs. The dangers of using inadequate access control standards range from inconvenience to critical loss or corruption of data.

See also Classifying Information and Data to assess information for its sensitivity levels.


  • The lack of uniform standards controlling the access to information and systems can lead to disparities and weaknesses, which could be exploited for malicious or other reasons.

  • Analyse your information classification needs and formulate an access control policy. Develop appropriate and uniform access control standards.
  • Ensure your access control standards set out the following:
    1. the sensitivity level of the data processed by each business system and the corresponding level of access control;
    2. the dissemination / circulation of information stored by specific systems (which should be in accordance with your Policy on information dissemination);
    3. the consistency of user profiles across applications and their underlying operating systems;
    4. the requirements for compliance with legal and regulatory controls. See Complying with Legal and Policy Requirements.
  • Where access control is not tightened in response to the increased sensitivity of the information being processed, the risk of a breach of its confidentiality will increase, perhaps substantially.

  • Analyse the sensitivity of information at each stage of processing, and apply the appropriate level of access control to each.

  • Access control standards which are too tight or inflexible can impede the organisation's day-to-day activities and frustrate staff.

  • Confirm that specified access controls are implemented by initiating a regular audit.
  • Where the flow of work is impeded, re-analyse the sensitivity classification applied.
  • Consider implementing a rapid response to access requests, with authorisations given by (say) e-mail, to allow for unexpected changes in business processing. (NB: such requests must still follow the agreed approval process rather than circumvent it.)

Use of the guidance contained within RUSecure™ is subject to the End User Licence Agreement