Information Security Policies
Access Control Policy
Policy #: IS-XX
Version: 1.X
Effective Date: 20XX-XX-XX
Contact: [Name]
Email: [Contact E-mail Address]
Phone: (xxx) xxx-xxxx
Table of Contents
1.0 PURPOSE
1.1 SCOPE
1.2 POLICY
1.2.1 Access Control
1.2.2 Third-Party Access
1.2.3 Access Review
1.3 PROCEDURES
1.3.1 Provisioning New Access to Computer/Network Systems
1.3.2 Provisioning New Access to Third-Party Vendors and/or Business Partners
1.3.3 Changing Access to Computer/Network Systems for a Workforce Member
1.3.4 Changing Access to Computer/Network Systems for Third-Party Vendors or Business Partners
1.3.5 Terminating Access to Computer/Network Systems
1.3.6 Provisioning Access for External Systems Connecting Directly to the Internal Network
1.4 VIOLATIONS
1.5 REFERENCES
1.6 RELATED DOCUMENTS
1.7 APPROVAL AND OWNERSHIP
1.8 REVISION HISTORY
1.9 SOC 2 MAPPING
AUTHORIZATION REQUEST FORM
1.0 PURPOSE
This policy defines the requirements for managing (adding, changing, and removing) access to
[Company] data, systems, facilities, and networks.
1.1 SCOPE
This policy applies to all [Company] computer systems and facilities, with a target audience of [Company]
Information Technology employees and partners.
Policy # IS-XX CONFIDENTIAL Page 1
1.2 POLICY
1.2.1 Access Control
Principle of Least Privilege – [Company] adheres to the principle of least privilege, specifying that users
of [Company] systems will be given access to only the information and resources necessary to perform
their job functions as determined by Senior Management, the Security Officer, Supervisor/Department
Manager, or designee and in accordance with the [Company] Mission, State and Federal regulations, and
accreditation requirements.
Documentation Responsibilities – The Security Officer or designee shall document the physical and
logical access control rules, rights, and roles for each user or group of users for each system in operation.
Access Approval – Users needing access to resources must be approved by Senior Management and
must have submitted a User Access Request form outlining the physical and logical access required to
perform their job duties. The level of access required to each system, facility, or network will be
determined on a per-user basis.
User Accounts – Users of [Company] systems will be provided a unique user ID so that activities can be
traced to the individual responsible for that account. Generic (shared) user accounts shall be used only
where there is a clear business benefit, where user functions do not need to be traced to an individual or
additional accountability controls are implemented, and only after approval by the Security Officer or
designee.
Administrator Accounts – Users performing privileged functions, such as system administrators, shall
utilize a separate account that is different from their standard user account.
Access Acknowledgement – Each user is required to acknowledge, in writing, that they understand the
level of access they are receiving, the security measures in place to protect the information and system(s)
to which they have access, and that they understand the business requirements to be met by
[Company]’s access controls prior to gaining access to resources.
Changes to Access – Changes to access level(s), such as in the case of promotion, demotion,
termination, or change in job duties, shall be formally documented and approved by the appropriate
Management representative. The IT Department shall be notified when users are terminated or transferred,
when their privileges change, or when accounts are no longer required; user access rights shall be
reviewed and reallocated as necessary before the change takes effect.
1.2.2 Third-Party Access
Third-Party Vendor Access – Third-party vendors requiring access to [Company] systems must adhere to
all [Company] policies, and user accounts provisioned to third-party users shall be disabled or
deactivated when not in use.
Guest Account Authorization – Guest/anonymous, shared/group, emergency, and temporary accounts
must be specifically authorized by the Security Officer or designee, and their use shall be monitored by
the Security Officer or designee.
Third-Party Connectivity – Any third party needing interconnectivity with [Company]’s systems must be
formally approved by Management and must participate in the full vendor management process (see Vendor
Management Policy). All connections to external parties shall be documented, with formal agreements in
place that document the interface characteristics, security requirements, and the nature of the information
being communicated. Upon establishing a new connection, the network diagram shall be updated.
1.2.3 Access Review
Review of Accounts Used in Applications and Middleware – [Company] must annually review the
privileges of special accounts used for production applications or middleware.
Reauthorization of User Access Privileges – The system privileges granted to every user must be
reevaluated by the Security Officer quarterly to determine whether currently-enabled system privileges
are needed to perform the user’s current job duties.
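As an added illustration (not part of the policy template or any [Company] tooling), the checks that 1.2.1 through 1.2.3 ask a reviewer to perform, written as a script that runs over an exported account list: privileges beyond the documented role (least privilege), enabled accounts of terminated owners, privileged accounts with no separate standard account, and third-party accounts left enabled while idle. The role matrix, the account records, the review date and the 30-day idle threshold are constructed assumptions; the policy itself sets no numeric idle threshold.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

# Hypothetical role matrix: the privileges each documented role is authorized to hold.
# In practice this is the per-system rule/role documentation kept under section 1.2.1.
ROLE_PRIVILEGES = {
    "basic_user": {"email", "file_share_read"},
    "developer": {"email", "file_share_read", "source_control", "ci_deploy_staging"},
    "system_administrator": {"email", "server_root", "ci_deploy_prod"},
}


@dataclass(frozen=True)
class Account:
    user_id: str
    owner: str                  # individual accountable for the account (unique-ID rule, 1.2.1)
    role: str
    privileges: FrozenSet[str]  # privileges currently enabled on the account
    privileged: bool            # account used for administrative functions
    third_party: bool
    enabled: bool
    last_login: Optional[date]
    owner_status: str           # "active" or "terminated"


def review_accounts(accounts, role_privileges, today, idle_days=30):
    """Return (user_id, check, detail) findings for every enabled account."""
    findings = []
    accounts_by_owner = {}
    for acct in accounts:
        accounts_by_owner.setdefault(acct.owner, []).append(acct)

    for acct in accounts:
        if not acct.enabled:
            continue  # already in the state the policy wants; nothing to reauthorize

        # Least privilege (1.2.1): anything beyond the documented role is a finding.
        authorized = role_privileges.get(acct.role)
        if authorized is None:
            findings.append((acct.user_id, "undefined_role", acct.role))
        else:
            excess = sorted(acct.privileges - authorized)
            if excess:
                findings.append((acct.user_id, "excess_privilege", ",".join(excess)))

        # Changes to access (1.2.1): a terminated owner must not keep an enabled account.
        if acct.owner_status == "terminated":
            findings.append((acct.user_id, "terminated_owner_enabled", acct.owner))

        # Administrator accounts (1.2.1): a privileged account must exist alongside a
        # standard (non-privileged) account belonging to the same person.
        has_standard = any(not o.privileged for o in accounts_by_owner[acct.owner])
        if acct.privileged and not has_standard:
            findings.append((acct.user_id, "admin_without_standard_account", acct.owner))

        # Third-party access (1.2.2): accounts not in use must be disabled.
        if acct.third_party:
            idle = acct.last_login is None or (today - acct.last_login).days > idle_days
            if idle:
                findings.append((acct.user_id, "third_party_idle", str(acct.last_login)))

    return findings


REVIEW_DATE = date(2024, 4, 1)  # constructed review date

# Constructed sample export; each record exercises one of the checks above.
SAMPLE_ACCOUNTS = [
    Account("alice", "alice", "developer",
            frozenset({"email", "file_share_read", "source_control",
                       "ci_deploy_staging", "ci_deploy_prod"}),
            False, False, True, date(2024, 3, 29), "active"),
    Account("bob", "bob", "basic_user", frozenset({"email", "file_share_read"}),
            False, False, True, date(2024, 3, 30), "active"),
    Account("bob-adm", "bob", "system_administrator",
            frozenset({"email", "server_root", "ci_deploy_prod"}),
            True, False, True, date(2024, 3, 28), "active"),
    Account("carol-adm", "carol", "system_administrator", frozenset({"server_root"}),
            True, False, True, date(2024, 3, 31), "active"),
    Account("vendor-acme", "acme support", "basic_user", frozenset({"email"}),
            False, True, True, date(2024, 1, 15), "active"),
    Account("dave", "dave", "basic_user", frozenset({"email"}),
            False, False, True, date(2024, 2, 2), "terminated"),
    Account("erin", "erin", "basic_user", frozenset({"email"}),
            False, False, False, None, "terminated"),
]


def run_review():
    return review_accounts(SAMPLE_ACCOUNTS, ROLE_PRIVILEGES, REVIEW_DATE)


if __name__ == "__main__":
    for user_id, check, detail in run_review():
        print(f"{user_id:12} {check:32} {detail}")
```

Run against the sample data it reports four findings (alice's production deploy privilege, carol's admin account with no standard counterpart, the idle vendor account, and dave's still-enabled account) and nothing for bob, bob-adm or the already-disabled erin. Each finding is something a reviewer must either remediate or re-approve in writing, which is the reauthorization record 1.2.3 requires.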
1.3 PROCEDURES
1.3.1 Provisioning New Access to Computer/Network Systems
The user’s Supervisor or Department Manager shall complete and submit the User Access Request Form
to the IT Department.
Workforce members shall sign an acknowledgement of their understanding of their access levels.
The Security Officer or designee will establish access and provide the user with a one-time initial
password that must be changed at the user’s first login.
1.3.2 Provisioning New Access to Third-Party Vendors and/or Business Partners
The third-party vendor’s or business partner’s management or designee shall complete and forward
documentation of the need for access to the Security Officer or designee.
If appropriate, the Security Officer will execute a Business Associate Agreement.
The third party or third-party contact will complete and sign the Third-Party Confidentiality
Agreement and/or Business Associate Agreement (if appropriate) and forward the completed form
to the Security Officer or designee.
A User Access Request Form shall be completed.
The Security Officer or designee will establish access and provide the user with a one-time initial
password that must be changed at the user’s first login.
1.3.3 Changing Access to Computer/Network Systems for a Workforce Member
An appropriate management representative shall complete and submit a User Access Request
Form to the Security Officer or designee specifying the access changes that need to be made.
The Security Officer or designee will update the user’s access acknowledgement and have the user
re-sign it if needed.
The Security Officer or designee will make the appropriate access changes to the user’s account.
1.3.4 Changing Access to Computer/Network Systems for Third-Party Vendors or Business
Partners
An appropriate management representative shall complete and submit a User Access Request
Form to the Security Officer or designee specifying the access changes that need to be made.
The Security Officer or designee will make the appropriate access changes to the user’s account.
1.3.5 Terminating Access to Computer/Network Systems
An appropriate management representative shall complete and submit a User Access Request
Form to the Security Officer or designee specifying the removal of all access.
The Security Officer or designee will terminate access (including facility access).
1.3.6 Provisioning Access for External Systems Connecting Directly to the Internal Network
The third party operating the external system shall:
Complete the full vendor management onboarding process as defined in the Vendor Management Policy.
Complete any user access forms required by this policy.
Complete user security awareness training, as applicable.
Be monitored on an ongoing basis for adherence to security requirements and any other specific
requirements defined in formal agreements.
1.4 VIOLATIONS
Any violation of this policy may result in disciplinary action, up to and including termination of
employment. [Company] reserves the right to notify the appropriate law enforcement authorities of any
unlawful activity and to cooperate in any investigation of such activity. [Company] does not consider
conduct in violation of this policy to be within an employee’s or partner’s course and scope of
employment, or the direct consequence of the discharge of the employee’s or partner’s duties.
Accordingly, to the extent permitted by law, [Company] reserves the right not to defend or pay any
damages awarded against employees or partners that result from violation of this policy.
Any employee or partner who is requested to undertake an activity which he or she believes is in violation
of this policy must provide a written or verbal complaint to his or her manager, any other manager or the
Human Resources Department as soon as possible.
1.5 REFERENCES
AICPA Trust Services Criteria (SOC 2), criteria CC6.1, CC6.2, and CC6.3 (mapped in section 1.9).
1.6 RELATED DOCUMENTS
Vendor Management Policy (referenced in sections 1.2.2 and 1.3.6).
Third-Party Confidentiality Agreement and Business Associate Agreement (referenced in section 1.3.2).
1.7 APPROVAL AND OWNERSHIP
Created By: ______________  Title: ______________  Date: __________  Signature: ______________
Approved By: ______________  Title: ______________  Date: __________  Signature: ______________
1.8 REVISION HISTORY
Version | Description | Revision Date | Reviewer/Approver Name | Review Date
1.0 | Initial Version | | |
1.9 SOC 2 MAPPING
Each entry gives the SOC 2 criteria number, the criteria text, and a summary of the points of focus this policy addresses.

CC6.1
Criteria: The entity implements logical access security software, infrastructure, and architectures over
protected information assets to protect them from security events to meet the entity's objectives.
Points of Focus Summary: Logical access controls covering the following: identifies and manages an
inventory of information assets; restricts logical access to information assets, software, mobile devices,
and offline systems; identifies and authenticates users; considers network segmentation; manages points
of access; manages credentials for infrastructure and software; uses encryption to protect data (at rest
and otherwise); protects encryption keys (generation, storage, use, destruction).

CC6.2
Criteria: Prior to issuing system credentials and granting system access, the entity registers and
authorizes new internal and external users whose access is administered by the entity. For those users
whose access is administered by the entity, user system credentials are removed when user access is no
longer authorized.
Points of Focus Summary: Provisioning and de-provisioning of user access to protected assets. An
internal review of the appropriateness of access credentials.

CC6.3
Criteria: The entity authorizes, modifies, or removes access to data, software, functions, and other
protected information assets based on roles, responsibilities, or the system design and changes, giving
consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.
Points of Focus Summary: The entity authorizes, modifies, or revokes logical access to protected
information assets using role-based access controls and the principle of least privilege.
Authorization Request Form
PART I (To be filled out by the Requestor or Requestor’s Supervisor)
1. Type of Request: 2. Office:
□ Initial □ Modification □ Deletion
3. Name (Last, First, MI): 4. Title:
5. Organization: 6. Phone Number: 7. Start Date: 8. Termination Date:
9. Requestor’s Signature: 10. Date:
PART II (To be filled out by the Requestor's Supervisor)
11. Role (Must use a role defined in Appendix Q):
□ Basic User □ System Administrator □ Support □ Key Custodian
□ Manager □ Security Administrator □ Developer □ Other
12. ID Badge: 13. Equipment Assigned and Miscellaneous Access:
□ Visitor □ Building □ Workstation □ E-mail Use □ Modem Use
□ Internal Doors □ Datacenter □ Laptop □ Internet Use □ Wireless Use
□ Key Fob □ VPN Access □ Removable Media
14. Justification for Access:
15. Supervising Official Certification:
Name Phone Signature Date
_______________________________
PART III (To be completed by the Human Resources Department)
16. Background Check Completed: 17. Performed By: 18. Date Granted:
□ Yes □ No
19. Human Resources Official Certification:
Name Phone Signature Date
_______________________________
PART IV (To be completed by Information Technology Department)
20. User ID: 21. Date User Notified: 22. Date Deleted:
23. Information Technology Department Official Certification:
Name Phone Signature Date
_______________________________