ozsasa.blogg.se

Iso 27001 2013 controls
A.9.1.1 Access Control Policy

An access control policy must be established, documented and reviewed regularly, taking into account the requirements of the business for the assets in scope. Access control rules, rights and restrictions, along with the depth of the controls used, should reflect the information security risks around the information and the organisation's appetite for managing them. Put simply, access control is about who needs to know, who needs to use, and how much access they get. Access controls can be digital and physical in nature, e.g. permission restrictions on user accounts as well as limitations on who can access certain physical locations (aligned with Annex A.11 Physical and Environmental Security).

The policy should address the following:

- Security requirements of business applications, aligned with the information classification scheme in use as per A.8 Asset Management.
- Clarity on who needs to access, who needs to know and who needs to use the information, supported by documented procedures and responsibilities.
- Management of access rights and privileged access rights (more power; see below), including adding rights, in-life changes (e.g. super user/administrator controls) and periodic reviews (e.g. by regular internal audits in line with requirement 9.2).
- Access control rules should be supported by formal procedures and defined responsibilities.
- Access control needs to be reviewed on a change in roles and in particular during exit, to align with Annex A.7 Human Resource Security.

A.9.2.3 Management of Privileged Access Rights

A.9.2.3 is about managing the usually more powerful, higher 'privileged' levels of access, e.g. systems administration permissions versus normal user rights, for example the ability to delete work or fundamentally affect the integrity of the information. The allocation and use of privileged access rights has to be tightly controlled, given the extra rights usually conveyed over information assets and the systems controlling them. It should align with the formal authorisation processes alongside the access control policy. That could include:

- system-by-system clarity on privileged access rights (which can be managed inside the application);
- allocation on a need-to-use basis, not a blanket approach;
- a process and record of all privileges allocated, maintained alongside the information asset inventory or as part of the A.9 evidence, with the competence of users granted the rights reviewed regularly to align with their duties.
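The periodic review described above (a record of all privileged grants, allocation on a need-to-use basis, formal authorisation, and re-checking rights against current duties and leavers) can be exercised as a reconciliation job. The following is an added example, not code from the original page or from any ISO 27001 tooling: it checks a constructed register of privileged grants against a constructed HR roster and an assumed role-to-privilege entitlement table, and reports grants that should be revoked or re-approved. The system names, privilege names, roles, ticket references and the 90-day review cadence are all assumptions made for the illustration.

```python
"""Privileged access review (A.9.2.3 / A.9.1.1) as a reconciliation job.

Added example; all systems, roles, users and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    """One entry in the privileged-access register."""
    user: str
    system: str
    privilege: str
    authorisation_ref: Optional[str]  # approval/ticket id; None if no record
    granted_on: date
    last_reviewed: date


@dataclass(frozen=True)
class Person:
    """One entry from the HR roster (A.7 joiner/mover/leaver data)."""
    user: str
    role: str
    status: str  # "active" or "left"


# Assumed entitlement table: which roles may hold which privilege on which system.
ENTITLEMENTS = {
    ("erp", "admin"): {"erp-administrator"},
    ("fileserver", "delete-any"): {"records-manager"},
    ("linux", "sudo-all"): {"sysadmin"},
}

REVIEW_INTERVAL = timedelta(days=90)  # assumed review cadence

# Constructed sample data.
ROSTER = [
    Person("alice", "sysadmin", "active"),
    Person("bob", "erp-administrator", "active"),
    Person("carol", "developer", "active"),  # moved out of the sysadmin role
    Person("dave", "sysadmin", "left"),      # leaver still holding a grant
]
TODAY = date(2024, 6, 1)
GRANTS = [
    Grant("alice", "linux", "sudo-all", "CHG-1001", date(2024, 1, 10), date(2024, 5, 1)),
    Grant("bob", "erp", "admin", None, date(2023, 11, 2), date(2024, 1, 15)),
    Grant("carol", "linux", "sudo-all", "CHG-0877", date(2023, 6, 1), date(2024, 5, 20)),
    Grant("dave", "fileserver", "delete-any", "CHG-0500", date(2023, 1, 1), date(2024, 5, 1)),
]


def review_privileged_access(grants: List[Grant], roster: List[Person],
                             today: date) -> List[Tuple[Grant, str]]:
    """Return (grant, finding) pairs that need action.

    Order of checks mirrors the control: leavers first, then role fit,
    then evidence of formal authorisation, then review cadence.
    """
    people = {p.user: p for p in roster}
    findings: List[Tuple[Grant, str]] = []
    for g in grants:
        person = people.get(g.user)
        if person is None or person.status != "active":
            findings.append((g, "revoke: account holder no longer active"))
            continue
        allowed = ENTITLEMENTS.get((g.system, g.privilege), set())
        if person.role not in allowed:
            findings.append((g, f"revoke: role '{person.role}' not entitled"))
            continue
        if not g.authorisation_ref:
            findings.append((g, "missing formal authorisation record"))
        if today - g.last_reviewed > REVIEW_INTERVAL:
            findings.append((g, "review overdue"))
    return findings


def summarise(findings: List[Tuple[Grant, str]]) -> List[str]:
    """Flat, human-readable lines suitable for the A.9 review evidence."""
    return [f"{g.user}@{g.system}:{g.privilege} -> {msg}" for g, msg in findings]


if __name__ == "__main__":
    for line in summarise(review_privileged_access(GRANTS, ROSTER, TODAY)):
        print(line)
```

Run against the constructed data, the job leaves alice's grant alone, asks for an authorisation record and a fresh review for bob, and flags carol (role change) and dave (leaver) for revocation. In practice the register would be exported from each system's own privilege store and the roster from HR, so the same check covers the "system by system" and "during exit" points of the control.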