Well-managed user access to information systems lets you enforce tight security controls and detect breaches of the Access Control standard.

- Without a managed access control procedure, users can gain unauthorised access to information systems, compromising the confidentiality and potentially the integrity of the data.

- Develop a formal procedure for controlling and documenting the allocation of access rights to information and systems.
- Document each user's access profile from the initial rights granted on registration, through every change, to de-registration when the user leaves the organisation or changes job.

- Logon screens should not identify the system (name, application, version or owner) until an authorised user has successfully logged on, and a failed logon should return the same generic message whether the user ID is unknown, the password is wrong or the account is disabled, so the screen does not reveal valid IDs.
- Display a warning message about unauthorised use before the logon prompt, not after.
- Where possible, a successful logon should display the following for the user to verify:
  - Date and time of the previous successful logon.
  - Details of any failed logon attempts since that logon.
- Restrict consecutive failed logon attempts to three, after which the account is disabled and re-enabled only through the formal access procedure. Because anyone who can submit three bad passwords can lock a legitimate user out, pair the lockout with monitoring of failed-logon bursts and a controlled reset path.

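The logon behaviour above, as an added example that is not part of the original page: an in-memory logon service that shows only a warning banner before authentication, returns one generic failure message for every cause, disables an account on the third consecutive failure, and reports the previous successful logon and the failed attempts since it once the user is in. The user names, passwords, banner wording, system name and timestamps are constructed for the demo; PBKDF2 stands in for whatever password hash the real system uses.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MAX_FAILURES = 3                                  # lockout threshold from the policy
WARNING_BANNER = "WARNING: authorised users only. Use is monitored."   # assumed wording
DEMO_START = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)           # fixed demo clock


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever password hash the system uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    disabled: bool = False
    consecutive_failures: int = 0
    last_success: Optional[datetime] = None
    failures_since_success: List[datetime] = field(default_factory=list)


@dataclass
class LogonResult:
    ok: bool
    message: str
    previous_logon: Optional[datetime] = None       # shown after a successful logon
    failed_attempts: List[datetime] = field(default_factory=list)


class LogonService:
    def __init__(self, accounts: Dict[str, Account], system_name: str):
        self.accounts = accounts
        self.system_name = system_name              # revealed only after logon

    def prompt(self) -> str:
        # Pre-authentication screen: the warning banner, nothing identifying the system.
        return WARNING_BANNER

    def logon(self, user_id: str, password: str, now: datetime) -> LogonResult:
        generic = LogonResult(False, "Logon failed.")   # same text whatever the cause
        acct = self.accounts.get(user_id)
        if acct is None:
            hash_password(password, b"\0" * 16)         # keep timing similar for unknown IDs
            return generic
        if acct.disabled:
            return generic
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.consecutive_failures += 1
            acct.failures_since_success.append(now)
            if acct.consecutive_failures >= MAX_FAILURES:
                acct.disabled = True                    # re-enable via the formal procedure
            return generic
        result = LogonResult(True, f"Welcome to {self.system_name}",
                             acct.last_success, list(acct.failures_since_success))
        acct.consecutive_failures, acct.last_success = 0, now
        acct.failures_since_success.clear()
        return result


def make_demo_accounts() -> Dict[str, Account]:
    # Constructed users: alice / "correct-horse", bob / "bob-secret".
    accounts = {}
    for user_id, password in (("alice", "correct-horse"), ("bob", "bob-secret")):
        salt = os.urandom(16)
        accounts[user_id] = Account(user_id, salt, hash_password(password, salt))
    return accounts


def run_demo() -> dict:
    # Walks the policy scenarios and returns what each screen would show.
    accounts = make_demo_accounts()
    svc = LogonService(accounts, "Payroll")
    t = DEMO_START
    out = {"banner_names_system": "Payroll" in svc.prompt()}
    out["alice_fail_1"] = svc.logon("alice", "wrong", t).ok
    out["alice_fail_2"] = svc.logon("alice", "wrong", t + timedelta(minutes=1)).ok
    out["first_time"] = t + timedelta(minutes=2)
    first = svc.logon("alice", "correct-horse", out["first_time"])
    out["first_ok"], out["first_previous"] = first.ok, first.previous_logon
    out["first_failed_count"] = len(first.failed_attempts)     # the two failures above
    second = svc.logon("alice", "correct-horse", t + timedelta(hours=1))
    out["second_previous"] = second.previous_logon             # equals first_time
    out["second_failed_count"] = len(second.failed_attempts)
    for _ in range(MAX_FAILURES):
        svc.logon("bob", "nope", t)                            # third failure disables bob
    out["bob_disabled"] = accounts["bob"].disabled
    out["bob_correct_after_lock"] = svc.logon("bob", "bob-secret", t).ok
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The clock is passed in rather than read from the system so the previous-logon and failed-attempt reporting can be checked deterministically. Note that the lockout counter only resets on a successful logon, which is exactly why the reset path needs to be a controlled, authorised procedure rather than something the user can trigger from the logon screen.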
- Where Access Control has been regulated and documented informally, re-allocating duties is frustrated because no record exists of each user's current access rights and privileges.

- At the very minimum, hold the following records for each user access profile:
  - A unique user ID, so that actions can be linked to a named individual (no shared or generic IDs).
  - The specific business applications to which access is granted.
  - A written statement signed by the user agreeing to the access rights and the conditions of use.
  - Formal authorisation from management.
- Formal access management procedures should include the following:
  - Formal records, maintained and distributed to management, for periodic review of access rights.
  - A change control mechanism for staff who change jobs within the organisation and for those who leave it.
  - A mechanism for identifying redundant accounts (leavers, dormant accounts, accounts with no named owner) and removing them as appropriate.
  - A formal authorisation process for issuing an account to an individual user.
  - A change control mechanism for rapid, authorised changes to access rights.
  - Privilege management to ensure that each user is allocated the correct range of system privileges for the job in question.

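The periodic review and redundant-account mechanism described above, as an added example rather than anything from the original page: the access register is reconciled against the HR roster and last-logon data, and each entry is flagged for removal (leaver, dormant, or no named individual behind the ID), for re-authorisation (job changed since the access was granted) or for completion (authorisation or signed statement missing). The roster, register entries, dates and the 90-day dormancy threshold are all constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

DORMANT_DAYS = 90   # assumed: no logon for longer than this counts as redundant


@dataclass(frozen=True)
class Person:
    # HR view of a named individual.
    user_id: str
    job: str
    left_on: Optional[date] = None      # set once the person has left


@dataclass(frozen=True)
class AccessRecord:
    # One entry in the access register described above.
    user_id: str
    application: str
    job_at_grant: str                   # job the access was authorised for
    authorised_by: Optional[str]        # manager who gave formal authorisation
    signed_by_user: bool                # user signed the access conditions
    last_logon: Optional[date]


@dataclass(frozen=True)
class Finding:
    user_id: str
    application: str
    action: str                         # "remove", "review" or "complete-record"
    reason: str


def review_access(records: List[AccessRecord], roster: List[Person],
                  today: date, dormant_days: int = DORMANT_DAYS) -> List[Finding]:
    people = {p.user_id: p for p in roster}
    findings: List[Finding] = []
    for r in sorted(records, key=lambda x: (x.user_id, x.application)):
        person = people.get(r.user_id)
        if person is None:
            # No named individual behind the ID, so its actions cannot be attributed.
            findings.append(Finding(r.user_id, r.application, "remove",
                                    "no named individual on the HR roster"))
            continue
        if person.left_on is not None and person.left_on <= today:
            findings.append(Finding(r.user_id, r.application, "remove",
                                    f"user left on {person.left_on.isoformat()}"))
            continue
        if person.job != r.job_at_grant:
            findings.append(Finding(r.user_id, r.application, "review",
                                    f"job changed from {r.job_at_grant} to {person.job}"))
        if r.last_logon is None or (today - r.last_logon).days > dormant_days:
            findings.append(Finding(r.user_id, r.application, "remove",
                                    f"dormant: no logon in the last {dormant_days} days"))
        if r.authorised_by is None or not r.signed_by_user:
            findings.append(Finding(r.user_id, r.application, "complete-record",
                                    "missing management authorisation or signed user statement"))
    return findings


def demo_data() -> Tuple[List[AccessRecord], List[Person], date]:
    # Constructed register, roster and review date.
    today = date(2024, 6, 30)
    roster = [
        Person("alice", "analyst"),
        Person("bob", "team lead"),                       # promoted since access was granted
        Person("carol", "clerk", left_on=date(2024, 5, 31)),
        Person("dave", "clerk"),
    ]
    records = [
        AccessRecord("alice", "payroll", "analyst", "mgr1", True, date(2024, 6, 28)),
        AccessRecord("bob", "payroll", "analyst", "mgr1", True, date(2024, 6, 29)),
        AccessRecord("carol", "payroll", "clerk", "mgr2", True, date(2024, 5, 30)),
        AccessRecord("dave", "ledger", "clerk", "mgr2", True, date(2024, 2, 1)),
        AccessRecord("dave", "payroll", "clerk", None, False, date(2024, 6, 29)),
        AccessRecord("svc-batch", "ledger", "clerk", "mgr2", True, date(2024, 6, 29)),  # no owner
    ]
    return records, roster, today


if __name__ == "__main__":
    records, roster, today = demo_data()
    for f in review_access(records, roster, today):
        print(f"{f.user_id:10} {f.application:8} {f.action:16} {f.reason}")
```

Leaver and orphan findings short-circuit the remaining checks because the account is going regardless; everything else accumulates, so one entry can be both up for re-authorisation and incomplete. The output is the review list that goes to management under the periodic-review record above.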
- Allocating inappropriate privileges, particularly to inexperienced staff, leads to accidental errors and processing problems, and widens the damage that can be done through a compromised account.

- Identify the categories of staff who may be given access to privileged accounts and / or functions.
- Allocate the highest system privileges only on specific, documented need, never as a matter of course.
- Certain functions, e.g. database re-structure / re-sequence, must not be allocated to anyone on a standing basis, because the impact of an error is grave. Allocate such functions for the task in hand and withdraw them immediately after use.
- Allocate privileges to network and / or application software accounts on an as-needed basis. The account name should not indicate the privilege it carries.
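The "allocate, then withdraw immediately after use" control above, as an added example that is not from the original page: a small privilege broker in which ordinary privileges are held on a standing basis, but functions marked high-impact can only be exercised through a grant approved by someone other than the user, limited in time, and withdrawn the moment it is used. The user IDs, privilege names, approver, fixed clock and 30-minute default lifetime are constructed assumptions.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

NOW = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)   # fixed clock for the demo


@dataclass
class Grant:
    grant_id: str
    user_id: str
    privilege: str
    approved_by: str
    expires_at: datetime
    single_use: bool
    withdrawn_at: Optional[datetime] = None


class PrivilegeBroker:
    def __init__(self, standing: Dict[str, Set[str]], high_impact: Set[str]):
        self.standing = standing          # privileges each user holds permanently
        self.high_impact = high_impact    # never standing: granted per task, withdrawn after use
        self.grants: Dict[str, Grant] = {}
        self.audit: List[Tuple[datetime, str, str, str]] = []

    def grant(self, user_id: str, privilege: str, approved_by: str,
              now: datetime, ttl: timedelta = timedelta(minutes=30)) -> str:
        if approved_by == user_id:
            raise PermissionError("a user may not approve their own privilege")
        g = Grant(secrets.token_hex(8), user_id, privilege, approved_by,
                  now + ttl, single_use=privilege in self.high_impact)
        self.grants[g.grant_id] = g
        self.audit.append((now, user_id, "grant", privilege))
        return g.grant_id

    def exercise(self, user_id: str, privilege: str, now: datetime,
                 grant_id: Optional[str] = None) -> bool:
        # True if the user may perform the function right now.
        if privilege not in self.high_impact and privilege in self.standing.get(user_id, set()):
            self.audit.append((now, user_id, "use-standing", privilege))
            return True
        g = self.grants.get(grant_id) if grant_id else None
        if (g is None or g.user_id != user_id or g.privilege != privilege
                or g.withdrawn_at is not None or now >= g.expires_at):
            self.audit.append((now, user_id, "denied", privilege))
            return False
        self.audit.append((now, user_id, "use-grant", privilege))
        if g.single_use:
            g.withdrawn_at = now          # withdrawn immediately after use
        return True


def run_demo() -> dict:
    broker = PrivilegeBroker(standing={"dba1": {"read-schema"}},
                             high_impact={"db-restructure"})
    out = {}
    out["standing_ok"] = broker.exercise("dba1", "read-schema", NOW)
    out["high_impact_without_grant"] = broker.exercise("dba1", "db-restructure", NOW)
    try:
        broker.grant("dba1", "db-restructure", "dba1", NOW)
        out["self_approval_rejected"] = False
    except PermissionError:
        out["self_approval_rejected"] = True
    gid = broker.grant("dba1", "db-restructure", "mgr1", NOW)
    out["first_use"] = broker.exercise("dba1", "db-restructure", NOW + timedelta(minutes=5), gid)
    out["second_use"] = broker.exercise("dba1", "db-restructure", NOW + timedelta(minutes=6), gid)
    gid2 = broker.grant("dba1", "db-restructure", "mgr1", NOW)
    out["expired_use"] = broker.exercise("dba1", "db-restructure", NOW + timedelta(hours=1), gid2)
    gid3 = broker.grant("dba1", "db-restructure", "mgr1", NOW)
    out["other_user"] = broker.exercise("ops2", "db-restructure", NOW, gid3)
    out["denied_events"] = sum(1 for _, _, action, _ in broker.audit if action == "denied")
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The grant ID is an opaque token rather than a name that reveals the privilege, in line with the last control above, and every grant, use and denial is appended to an audit list so the periodic review has a record of who held a high-impact function and when.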