Access Control Policy - V12

This document outlines an access control policy for Company X that defines requirements for managing access to computer systems and information. The policy addresses access control systems, authorization for access, assigning access and privileges, and access reviews. It aims to restrict access based on need-to-know and revoke access for abusive or unauthorized activity. The target audience is IT employees and partners at Company X.

Uploaded by Brian Thelwell

www.informationshield.com

Information Security Policies


Access Control Policy
Policy #:
Version: 1.0
Effective Date: MM/DD/YYYY
Contact: Policy Contact
Email: [email protected]
Phone: 888.123.4567

Table of Contents
Table of Contents......................................................................................................................... 1
Purpose....................................................................................................................................... 1
Scope.......................................................................................................................................... 1
Policy........................................................................................................................................... 1
Access Control System.........................................................................................................1
Authorization......................................................................................................................... 2
Access and Privilege Assignment.........................................................................................3
System Privileges................................................................................................................. 4
Records................................................................................................................................ 4
Access Review..................................................................................................................... 4
Violations..................................................................................................................................... 5
Definitions.................................................................................................................................... 5
References.................................................................................................................................. 5
Related Documents..................................................................................................................... 6
Approval and Ownership.............................................................................................................6
Revision History........................................................................................................................... 6

PURPOSE
This policy defines the control requirements surrounding the management of access to
information on Company X computer and communications systems.

SCOPE
This policy applies to all Company X computer systems and facilities, with a target audience of
Company X Information Technology employees and partners.

POLICY
Access Control System
Access Control System – User ID Creation Date - Access control systems must be
configured to capture and maintain the creation date for every user ID.
Access Control System – Last Logon Date - Access control systems must be configured
to capture and maintain the date and time of the last logon for every user ID.
Access Control System – Last Logoff Date - Access control systems must be configured
to capture and maintain the date and time of the last logoff for every user ID.
Access Control System – Password Change Date - Access control systems must be
configured to capture and maintain the date and time of the last password change for every
user ID.

Policy # CONFIDENTIAL Page 1

Access Control System – User ID Expiration Date - Access control systems must be
configured to capture and maintain an expiration date for every user ID that represents the
last date that the user ID is active for use.
Malfunctioning Access Control - If a computer or network access control system is not
functioning properly, it must default to denial of privileges to end-users.
Special Privileged Users - All multi-user computer and network systems must support a
special type of user ID, which has broadly-defined system privileges that will enable
authorized individuals to change the security state of systems.
Operating System User Authentication - Developers must not construct or install other
mechanisms to identify or authenticate the identity of users without the advance permission
of Company X management.
Access Control System Modification - The functionality of all access control systems
must not be altered, overridden or bypassed via the introduction of additional code or
instructions.
Password Generation Algorithms - All software and files containing formulas, algorithms,
and other specifics used in the process of generating passwords or Personal Identification
Numbers must be controlled with the most stringent security measures supported by the
involved computer system.
Password Retrieval - Computer and communication systems must be designed, tested,
and controlled so as to prevent both the retrieval of, and unauthorized use of stored
passwords, whether the passwords appear in encrypted or unencrypted form.
Access Control Information In Cookies - Company X information systems must never
store any access control information in cookies deposited on, or stored on, end-user
computers.
System Capabilities And Commands - End users must be presented with only the system
capabilities and commands that they have privileges to perform.
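The requirements in this section translate directly into the data an access control system keeps per user ID and into one decision rule: deny when the system cannot answer. The following Python is an added illustration, not part of the policy or of any Company X system; the record fields mirror the policy's User ID Creation / Last Logon / Last Logoff / Password Change / Expiration Date items, the "Malfunctioning Access Control" rule is modelled by a lookup that raises, and the capability catalogue, user IDs and dates are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, FrozenSet, Iterable, List, Optional

NOW = datetime(2025, 6, 1, 9, 0)                            # constructed "current time"
CATALOGUE = ["mail", "wordproc", "os_shell", "user_admin"]  # constructed capability menu


@dataclass
class UserIdRecord:
    """Attributes the policy requires the access control system to capture per user ID."""
    user_id: str
    created: datetime
    expires: date                          # last date on which the ID is active for use
    privileges: FrozenSet[str] = frozenset()
    last_logon: Optional[datetime] = None
    last_logoff: Optional[datetime] = None
    last_password_change: Optional[datetime] = None


class AccessControlUnavailable(Exception):
    """The access control system is not functioning properly."""


class AccessControlSystem:
    def __init__(self, records: Iterable[UserIdRecord], healthy: bool = True) -> None:
        self._records: Dict[str, UserIdRecord] = {r.user_id: r for r in records}
        self.healthy = healthy             # set to False to simulate a malfunction

    def lookup(self, user_id: str) -> Optional[UserIdRecord]:
        if not self.healthy:
            raise AccessControlUnavailable("access control system malfunction")
        return self._records.get(user_id)

    def _require(self, user_id: str) -> UserIdRecord:
        rec = self.lookup(user_id)
        if rec is None:
            raise KeyError(f"unknown user ID {user_id!r}")
        return rec

    # Event capture: the system, not the application, maintains these timestamps.
    def record_logon(self, user_id: str, when: datetime) -> None:
        self._require(user_id).last_logon = when

    def record_logoff(self, user_id: str, when: datetime) -> None:
        self._require(user_id).last_logoff = when

    def record_password_change(self, user_id: str, when: datetime) -> None:
        self._require(user_id).last_password_change = when


def is_permitted(acs: AccessControlSystem, user_id: str, capability: str, now: datetime) -> bool:
    """Fail closed: a malfunctioning system, an unknown ID or an expired ID all deny."""
    try:
        rec = acs.lookup(user_id)
    except AccessControlUnavailable:
        return False                       # Malfunctioning Access Control: default to denial
    if rec is None:
        return False
    if now.date() > rec.expires:
        return False                       # User ID Expiration Date has passed
    return capability in rec.privileges


def visible_capabilities(acs: AccessControlSystem, user_id: str,
                         catalogue: List[str], now: datetime) -> List[str]:
    """System Capabilities And Commands: present only what the user may actually use."""
    return [c for c in catalogue if is_permitted(acs, user_id, c, now)]


def build_sample_system() -> AccessControlSystem:
    """Two constructed user IDs: one active, one whose expiration date has passed."""
    return AccessControlSystem([
        UserIdRecord("alice", created=datetime(2024, 3, 4, 10, 0), expires=date(2025, 12, 31),
                     privileges=frozenset({"mail", "wordproc"}),
                     last_password_change=datetime(2025, 4, 1, 8, 30)),
        UserIdRecord("bob", created=datetime(2022, 1, 10, 9, 0), expires=date(2024, 12, 31),
                     privileges=frozenset({"mail", "os_shell"})),
    ])


if __name__ == "__main__":
    acs = build_sample_system()
    print(visible_capabilities(acs, "alice", CATALOGUE, NOW))   # ['mail', 'wordproc']
    acs.healthy = False
    print(visible_capabilities(acs, "alice", CATALOGUE, NOW))   # []
```

The important design choice is in `is_permitted`: the only path to `True` is a successful lookup of a non-expired record that lists the capability, so any failure mode of the control system (exception, missing record, stale expiration) collapses to denial rather than to whatever the caller would have done by default.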

Authorization
Sensitive Or Valuable Information Access - Access to Company X sensitive information
must be provided only after express management authorization has been obtained.
Granting Access To Organization Information - Access to Company X information must
always be authorized by a designated owner of such information, and must be limited on a
need-to-know basis to a reasonably restricted number of people.
Information System Privilege Usage - Every information system privilege that has not
been specifically permitted by the Company X management must not be employed for any
Company X business purpose until approved in writing.
Granting System Privileges - Computer and communication system privileges must be
granted only by a clear chain of authority delegation.
User ID And Privilege Approval - Whenever user IDs, business application system
privileges, or system privileges involve capabilities that go beyond those routinely granted to
general users, they must be approved in advance by the user’s immediate supervisor and
Company X management.
Owner Approval for Privileges - Prior to being granted to users, business application
system privileges must be approved by the applicable information owner.
System Access Request Authorization - All requests for additional privileges on Company
X multi-user systems or networks must be submitted on a completed system access request
form that is authorized by the user’s immediate manager.
Default User Privileges - Without specific written approval from management,
administrators must not grant any privileges, beyond electronic mail and word processing, to
any user.
Computer Access Training - All Company X users must complete an approved information
security training class before they are granted access to any Company X computer systems.

Access and Privilege Assignment


Production Programs And Information Access - Access controls to production programs
and information must be configured such that production programs and information systems
software support personnel are not granted access privileges except for problem resolution.
Operations Personnel Information Access - Access controls to production programs and
information must be such that computer operations personnel are restricted from modifying
systems software, application software, and production information.
Privilege Restriction – Need To Know - The computer and communications system
privileges of all users, systems, and programs must be restricted based on the need to
know.
User IDs Employed In Abusive Activity - All access privileges for a user ID shown to be
engaged in abusive or criminal activity must be immediately revoked.
Developer Access To Production Business Information - Where access to production
business information is required so that new or modified business application systems may
be developed or tested, only “read” and “copy” access must be granted on production
machines. This access is permitted only for the duration of the testing and related
development efforts, and must be promptly revoked upon the successful completion of these
efforts.
Secret Information Access - Access to sensitive information must be granted only to
specific individuals, not groups of individuals.
Production Application Information Access - Business application software development
staff must not be permitted to access production information. An exception will be made in
the case of production information relevant to the particular application software on which
this staff is currently working.
Personal Information Access - All identifying information about customers such as credit
card numbers, credit references, and social security numbers, must be accessible only to
those Company X personnel who need such access in order to perform their jobs.
Separation Of Activities And Data - Management must define user privileges such that
ordinary users cannot gain access to, or otherwise interfere with, either the individual
activities of, or the private data of other users.
Third Party Software Developers Access To Source Code - Third-party programmers
must not be granted direct access to Company X source code. Only the modules needed for
a specific programming task may be revealed to these programmers. These programmers
must additionally never be given privileges to directly update Company X production source
or object code.
Read Access to Sensitive Information - Users who have been authorized to view
information classified at a certain sensitivity level must be permitted to access only the
information at this level and at less sensitive levels.
Role-Based Access Control Privileges - The information systems access privileges of all
users must be defined based on their officially assigned roles within Company X.

System Privileges
Number Of Privileged User IDs - The number of privileged user IDs must be strictly limited
to those individuals who absolutely must have such privileges for authorized business
purposes.
Limiting Special System Privileges - Special system privileges must be restricted to those
directly responsible for system management or security.
Operating System Command Access - End users must not be authorized to invoke
operating system level commands.
Production Programs And Information Access - Access controls to production programs
and information must be configured such that application development personnel are not
granted privileges to update systems software, or be granted access to the master copy of
production information except for problem resolution.
Business Production Information Updates - System privileges must be defined so that
non-production staff (internal auditors, information security administrators, programmers,
computer operators, etc.) are not permitted to update production business information.
Number Of Privileged Groups - The number of privileged groups must be strictly limited to
those who absolutely must have such privileges for authorized business purposes.
Production Business Information Privileges - System privileges permitting the
modification of production Company X business information must be restricted to production
applications.
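The Access and Privilege Assignment and System Privileges sections together describe one authorization model: privileges follow officially assigned roles, a user cleared to a sensitivity level reads that level and below, sensitive information is granted to named individuals rather than groups, and only production applications may modify production business information. The Python below is an added worked example of that model and is not code from the policy or from Company X; the classification names, the role definitions and their privilege sets, and all subjects and resources are constructed for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, Set


class Sensitivity(IntEnum):
    """Ordered classification levels; the names are this example's own."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass(frozen=True)
class Resource:
    name: str
    level: Sensitivity
    production: bool = False          # production business information?


@dataclass(frozen=True)
class Role:
    name: str
    privileges: FrozenSet[str]


# Role-Based Access Control Privileges: privileges hang off the assigned role, never
# off the individual. These roles and privilege sets are constructed for the example.
ROLES: Dict[str, Role] = {
    "general_user": Role("general_user", frozenset({"read"})),
    "developer": Role("developer", frozenset({"read", "copy"})),       # read/copy only
    "operator": Role("operator", frozenset({"read", "update"})),
    "production_app": Role("production_app", frozenset({"read", "update"})),
}


@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: FrozenSet[str]
    clearance: Sensitivity
    named_grants: FrozenSet[str] = frozenset()   # individual grants to SECRET resources


def can_read(subject: Subject, resource: Resource) -> bool:
    """Read Access to Sensitive Information: a subject may read its own level and below.
    Secret Information Access: SECRET resources additionally need a grant to the specific
    individual; clearance or role membership alone is not sufficient."""
    if resource.level > subject.clearance:
        return False
    if resource.level >= Sensitivity.SECRET and resource.name not in subject.named_grants:
        return False
    return True


def effective_privileges(subject: Subject, resource: Resource) -> FrozenSet[str]:
    """Privileges the subject holds on the resource under the role definitions above."""
    if not can_read(subject, resource):
        return frozenset()
    privs: Set[str] = set()
    for role_name in subject.roles:
        privs |= ROLES[role_name].privileges
    # Production Business Information Privileges / Operations Personnel Information
    # Access: only production applications may modify production business information.
    if resource.production and "production_app" not in subject.roles:
        privs.discard("update")
    return frozenset(privs)


# Constructed subjects and resources.
ALICE = Subject("alice", frozenset({"developer"}), Sensitivity.CONFIDENTIAL)
EVE = Subject("eve", frozenset({"operator"}), Sensitivity.CONFIDENTIAL)
BILLING_APP = Subject("svc_billing", frozenset({"production_app"}), Sensitivity.CONFIDENTIAL)
CARL = Subject("carl", frozenset({"general_user"}), Sensitivity.SECRET)
DANA = Subject("dana", frozenset({"general_user"}), Sensitivity.SECRET, frozenset({"merger_plan"}))

CUSTOMER_DB = Resource("customer_db", Sensitivity.CONFIDENTIAL, production=True)
TEST_DB = Resource("test_db", Sensitivity.INTERNAL)
MERGER_PLAN = Resource("merger_plan", Sensitivity.SECRET)
NEWSLETTER = Resource("newsletter", Sensitivity.PUBLIC)
```

Reading the checks in order shows how the policy's separate rules compose: the level comparison handles "this level and less sensitive levels", the named-grant test turns group clearance into an individual decision for secret data, and the final `discard` keeps a person with an operator role from updating production information even though the same role may update a non-production copy.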

Records
Access Control Privilege Log Retention - Computerized records reflecting the access
privileges of each user of Company X multi-user systems and networks must be securely
maintained for a reasonable period of time.
Production Application System Log Contents - All computer systems running Company
X production application systems must include logs that record additions and changes to the
privileges of users.
User ID Records - Records reflecting all the computer systems on which users have user
IDs must be kept current.

Access Review
Review of Accounts Used in Applications and Middleware - Company X must annually
review the privileges of special accounts used for production applications or middleware.
Reauthorization Of User Access Privileges - The system privileges granted to every user
must be reevaluated by the user’s immediate manager every three months to determine
whether currently-enabled system privileges are needed to perform the user’s current job
duties.
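The Records and Access Review sections are easiest to satisfy together: an append-only log of privilege additions and removals is both the record the policy asks for and the source from which the current privilege inventory, the per-user list of systems, and the overdue reauthorization report can be derived. The Python below is an added example and is not code from the policy or from Company X; the 90-day and 365-day intervals are this example's reading of "every three months" and "annually", and all log entries, user IDs, systems and dates are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, FrozenSet, Iterable, List, Set

# Intervals assumed from the policy wording; the exact day counts are a choice of this example.
REAUTHORIZATION_INTERVAL = timedelta(days=90)    # "every three months"
SPECIAL_ACCOUNT_INTERVAL = timedelta(days=365)   # "annually"

TODAY = date(2025, 6, 1)                          # constructed review date


@dataclass(frozen=True)
class PrivilegeChange:
    """One log entry: an addition or removal of a user's privileges on a system."""
    when: date
    actor: str                 # administrator who made the change
    user_id: str
    system: str
    added: FrozenSet[str] = frozenset()
    removed: FrozenSet[str] = frozenset()


@dataclass
class AccessRecords:
    changes: List[PrivilegeChange] = field(default_factory=list)        # append-only
    last_reauthorized: Dict[str, date] = field(default_factory=dict)    # user -> manager review
    special_account_reviewed: Dict[str, date] = field(default_factory=dict)

    def grant(self, when: date, actor: str, user_id: str, system: str, privs: Iterable[str]) -> None:
        self.changes.append(PrivilegeChange(when, actor, user_id, system, added=frozenset(privs)))

    def revoke(self, when: date, actor: str, user_id: str, system: str, privs: Iterable[str]) -> None:
        self.changes.append(PrivilegeChange(when, actor, user_id, system, removed=frozenset(privs)))

    def current_privileges(self, user_id: str, system: str) -> FrozenSet[str]:
        """Replay the log in order to reconstruct a user's privileges on one system."""
        privs: Set[str] = set()
        for c in self.changes:
            if c.user_id == user_id and c.system == system:
                privs |= c.added
                privs -= c.removed
        return frozenset(privs)

    def systems_for_user(self, user_id: str) -> Set[str]:
        """User ID Records: systems on which the user currently holds any privilege."""
        systems = {c.system for c in self.changes if c.user_id == user_id}
        return {s for s in systems if self.current_privileges(user_id, s)}

    def revoke_everywhere(self, when: date, actor: str, user_id: str) -> Set[str]:
        """Immediate revocation on every system (User IDs Employed In Abusive Activity)."""
        affected = self.systems_for_user(user_id)
        for s in sorted(affected):
            self.revoke(when, actor, user_id, s, self.current_privileges(user_id, s))
        return affected

    def overdue_reauthorizations(self, today: date) -> List[str]:
        """Users with live privileges whose manager review is missing or older than the interval."""
        overdue = []
        for u in sorted({c.user_id for c in self.changes}):
            if not self.systems_for_user(u):
                continue                      # nothing enabled, nothing to reauthorize
            last = self.last_reauthorized.get(u)
            if last is None or today - last > REAUTHORIZATION_INTERVAL:
                overdue.append(u)
        return overdue

    def overdue_special_reviews(self, today: date) -> List[str]:
        """Special application/middleware accounts whose annual review has lapsed."""
        return sorted(a for a, d in self.special_account_reviewed.items()
                      if today - d > SPECIAL_ACCOUNT_INTERVAL)


def build_sample_records() -> AccessRecords:
    """Constructed log: alice holds privileges on two systems, bob's were revoked."""
    r = AccessRecords()
    r.grant(date(2025, 1, 10), "admin1", "alice", "erp", {"read", "copy"})
    r.grant(date(2025, 1, 15), "admin1", "bob", "erp", {"read"})
    r.grant(date(2025, 2, 1), "admin2", "alice", "crm", {"read"})
    r.revoke(date(2025, 3, 1), "admin2", "bob", "erp", {"read"})
    r.last_reauthorized["alice"] = date(2025, 1, 20)          # 132 days before TODAY
    r.special_account_reviewed["svc_billing"] = date(2024, 3, 1)
    r.special_account_reviewed["svc_middleware"] = date(2025, 1, 5)
    return r
```

Deriving the inventory by replaying the log, rather than keeping a separately edited table, means the "kept current" record can never silently disagree with the history of who granted what; the cost is that every privilege change must go through `grant` or `revoke`, which is the control the Production Application System Log Contents item is asking for anyway.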

VIOLATIONS
Any violation of this policy may result in disciplinary action, up to and including termination of
employment. Company X reserves the right to notify the appropriate law enforcement
authorities of any unlawful activity and to cooperate in any investigation of such activity.
Company X does not consider conduct in violation of this policy to be within an employee’s or
partner’s course and scope of employment, or the direct consequence of the discharge of the
employee’s or partner’s duties. Accordingly, to the extent permitted by law, Company X reserves
the right not to defend or pay any damages awarded against employees or partners that result
from violation of this policy.

Any employee or partner who is requested to undertake an activity which he or she believes is
in violation of this policy, must provide a written or verbal complaint to his or her manager, any
other manager or the Human Resources Department as soon as possible.

DEFINITIONS
Account (User ID or Username) – A unique string of characters assigned to a user by which a
person is identified to a computer system or network. A user commonly must enter both a user
ID and a password as an authentication mechanism during the logon process.
Confidential Information (Sensitive Information) – Any Company X information that is not
publicly known and includes tangible and intangible information in all forms, such as information
that is observed or orally delivered, or is in electronic form, or is written or in other tangible form.
Confidential Information may include, but is not limited to, source code, product designs and
plans, beta and benchmarking results, patent applications, production methods, product
roadmaps, customer lists and information, prospect lists and information, promotional plans,
competitive information, names, salaries, skills, positions, pre-public financial results, product
costs, and pricing, and employee information and lists including organizational charts.
Confidential Information also includes any confidential information received by Company X from
a third party under a non-disclosure agreement.
Partner – Any non-employee of Company X who is contractually bound to provide some form of
service to Company X.
Password – An arbitrary string of characters chosen by a user that is used to authenticate the
user when he attempts to log on, in order to prevent unauthorized access to his account.
System Privileges – Advanced powers or authorities within a computer system, which are
significantly greater than those available to the majority of users. Such persons will include, for
example, the system administrator and network administrator who are responsible for keeping
the system available and may need powers to create new user profiles as well as add to or
amend the access rights of existing users.
User - Any Company X employee or partner who has been authorized to access any Company
X electronic information resource.

REFERENCES
ISO/IEC 27002 – 11 Access Control

RELATED DOCUMENTS

APPROVAL AND OWNERSHIP

Owner              Title   Date         Signature
Policy Author      Title   MM/DD/YYYY

Approved By        Title   Date         Signature
Executive Sponsor  Title   MM/DD/YYYY

REVISION HISTORY

Version  Description      Revision Date  Review Date  Reviewer/Approver Name
1.0      Initial Version  MM/DD/YYYY     MM/DD/YYYY
