We develop a company access control policy covering both physical access to the premises and logical access to computers, databases and the company information system. Let us design a list of rules.
To make it easier to draw up the policies and the specific access control security procedure required by the information security management system, we suggest proceeding quickly on the basis of the practical examples illustrated below.
The development of security policies for access control based on Annex A
Build access control policies based on the following five points
1. Introduce the concept of access control: everyone needs to understand what it is
Access control means that only certain people can access the places where information is kept and processed, whether these are physical places (reserved areas, safes, archives, etc.) or logical ones (hard disks, databases, etc.).
2. Explain how access control will be implemented
Access to the organization's work areas and to the network and network services is controlled so that only those expressly authorized by top management (with the authorization enforced by the system administrator) can access the critical information handled in the processes or otherwise held, for any legitimate reason, by the organization itself.
3. Define the access control application criteria
Personnel working in the primary (operational) processes must access only the physical areas in which information relating to the primary processes is processed and, over the computer network, only those network areas (folders / directories) that contain information relating to the primary processes.
Personnel employed in the support processes must access only the physical areas in which support activities are carried out and in which information belonging to this category of processes is processed.
Personnel employed in the information security processes, on the other hand, are granted wider access since, due to their duties, they must be able to intervene both physically and electronically in the areas where information is processed, regardless of the process to which it belongs. This wider access is a privileged access right and should be granted, logged and reviewed as such.
The organization has established that only those who have been expressly authorized can access critical information processed in the processes or otherwise held, in any legitimate capacity, by the organization itself.
4. Establish the individual access controls for information security
In order to protect information, the organization has identified access controls for:
- Access to the company headquarters
- Access to individual offices (restricted areas)
- Access to the devices used to manage information (computers)
- Access to the company information system
- Access to paper archives
- Access to the server room (where the servers are kept)
- Access to databases that hold security information (e.g. databases of passwords or cryptographic keys)
5. Establish rules of conduct for people
These controls, in accordance with point 9 (A.9, Access control) of Annex A of ISO/IEC 27001:2017, require that the authorized person:
- identifies themselves at the time of access (identification)
- proves that they really are the person who was granted the right of access (authentication)
- has permission to access only certain information (authorization)
- has permission to perform only certain operations on that information (authorization)
- knows how to manage their access securely (awareness)
The development of the access control procedure based on Annex A
The access control procedure of the information security management system that is applied within the company must regulate and document the implementation of the following security controls through a well-structured index. The example below can serve as a starting point:
Access controls in the physical sense, defining and identifying the security assets they protect, which must be recorded in the asset inventory. For example:
- Safe
- Building A
- Server room
- Marketing office
- Design office
- Administration office
- Production office
- Security office
- Senior management office
- Reception
- Administration paper archive
- Marketing paper archive
- Top management paper archive
- Paper production archive
- Meeting room
- Employees’ homes accredited for teleworking
- Rooms that contain plant control panels
Similarly, the company documents all assets that can be accessed only after passing the authentication control. For example:
- Process file
- Support file
- Security file
- Test data
- Statistical analysis software
- Information system
- Provider x
- Cloud x
- LAN (local area network)
- Email server
- Central server
- Design disk
- Production disk
- Support disk
- Security disk
- Router
- Switch
- Access point
- Cabling system
- Internal telephone
- Computer
- Smartphone
- Tablet
- Database
- Repository that holds the source code of the software
- Proxy
- Cloud
- Firewall
- VPN
- Antivirus
- Log management software
- Backup software
- Encryption software
- Access control software
Provisioning of user access
The assignment of access rights to the corporate information system must be governed by a process owned by top management and carried out by the system administrator.
On hiring, the person taking on a specific role is assigned access rights by senior management, and those rights are formally registered in the software that manages them. The same process should cover changes of role and termination, so that rights are revoked when they are no longer needed.
For each role and for each type of information, the operations allowed to the user must be specified, following the example below, which must be documented in each of the procedures governing the operational processes (requirements, design, outsourcing, etc.).
The example below shows how, in the Requirements process, access to the documents used in the activities to be performed was regulated. Not everyone in the organization can access the documents indicated, only those whose role is relevant to the nature of the information.
The application of access control is thus governed by processes. For each phase, the confidential documents are listed together with the roles that, in relation to their activities, have permission to read, write, modify, delete and transfer them.
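As an added illustration of the role / document / operation matrix described above (example code written for this page, not part of the original text or of any ISO document), the following Python models a deny-by-default permission matrix for a hypothetical Requirements process, together with the provisioning rule that top management authorizes and the system administrator registers access rights, and an audit trail of every provisioning and access decision. All role, phase and document names, and the bootstrap users, are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Op(Enum):
    """The five operations the procedure regulates for each document."""
    READ = "read"
    WRITE = "write"
    MODIFY = "modify"
    DELETE = "delete"
    TRANSFER = "transfer"


@dataclass(frozen=True)
class Grant:
    """One row of the permission matrix: what a role may do to one document in one phase."""
    process: str
    phase: str
    document: str
    role: str
    ops: frozenset


# Constructed matrix for a hypothetical "requirements" process; phase, document
# and role names are assumptions made for this example, not taken from any real procedure.
REQUIREMENTS_MATRIX = (
    Grant("requirements", "collection", "customer_requirements", "analyst",
          frozenset({Op.READ, Op.WRITE, Op.MODIFY})),
    Grant("requirements", "collection", "customer_requirements", "project_manager",
          frozenset({Op.READ, Op.TRANSFER})),
    Grant("requirements", "review", "review_minutes", "project_manager",
          frozenset({Op.READ, Op.WRITE, Op.MODIFY, Op.DELETE})),
    Grant("requirements", "review", "review_minutes", "analyst",
          frozenset({Op.READ})),
)


@dataclass
class AccessRegistry:
    """User-to-role registrations plus an append-only audit trail of every decision."""
    matrix: tuple
    roles: dict = field(default_factory=dict)   # user -> set of role names
    audit: list = field(default_factory=list)

    def provision(self, user, role, approved_by, registered_by):
        """Assign a role: top management must authorize and the system administrator must register."""
        if "top_management" not in self.roles.get(approved_by, set()):
            self.audit.append(("provision_refused", user, role, approved_by, "not authorized by top management"))
            return False
        if "system_administrator" not in self.roles.get(registered_by, set()):
            self.audit.append(("provision_refused", user, role, registered_by, "not registered by the system administrator"))
            return False
        self.roles.setdefault(user, set()).add(role)
        self.audit.append(("provisioned", user, role, approved_by, registered_by))
        return True

    def revoke(self, user, role, registered_by):
        """Remove a role on role change or termination, so rights do not linger."""
        if "system_administrator" not in self.roles.get(registered_by, set()):
            self.audit.append(("revoke_refused", user, role, registered_by))
            return False
        self.roles.get(user, set()).discard(role)
        self.audit.append(("revoked", user, role, registered_by))
        return True

    def is_allowed(self, user, process, phase, document, op):
        """Deny by default: allow only if a role the user holds has an explicit grant for this op."""
        held = self.roles.get(user, set())
        for g in self.matrix:
            if ((g.process, g.phase, g.document) == (process, phase, document)
                    and g.role in held and op in g.ops):
                self.audit.append(("allow", user, process, phase, document, op.value, g.role))
                return True
        self.audit.append(("deny", user, process, phase, document, op.value))
        return False

    def rights_for(self, role):
        """Render the matrix rows for one role, as they would appear in the process procedure."""
        return sorted((g.phase, g.document, tuple(sorted(o.value for o in g.ops)))
                      for g in self.matrix if g.role == role)


def build_example_registry():
    """Constructed bootstrap: a top manager and a system administrator already exist."""
    reg = AccessRegistry(matrix=REQUIREMENTS_MATRIX,
                         roles={"cfo": {"top_management"}, "sysadmin": {"system_administrator"}})
    reg.provision("alice", "analyst", approved_by="cfo", registered_by="sysadmin")
    reg.provision("bob", "project_manager", approved_by="cfo", registered_by="sysadmin")
    # An analyst cannot authorize rights for a colleague: the request is refused and logged.
    reg.provision("carol", "analyst", approved_by="alice", registered_by="sysadmin")
    return reg


if __name__ == "__main__":
    reg = build_example_registry()
    print(reg.is_allowed("alice", "requirements", "collection", "customer_requirements", Op.MODIFY))    # True
    print(reg.is_allowed("alice", "requirements", "collection", "customer_requirements", Op.TRANSFER))  # False
    print(reg.is_allowed("carol", "requirements", "review", "review_minutes", Op.READ))                 # False
    for row in reg.rights_for("project_manager"):
        print(row)
    for entry in reg.audit:
        print(entry)
```

The matrix is the only source of truth: anything not listed is denied, so adding a document to a phase without adding a grant locks everyone out rather than silently opening it. The audit list is what a reviewer would export when checking that registered rights still match the roles people actually hold.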