Access Control Policy

Uploaded by

dinu180687
Access Control Policy

Access Control systems are in place to protect the interests of all users of Company Name computer
systems by providing a safe, secure and readily accessible environment in which to work.
Company Name will provide all employees and other users with the information they need to carry out their
responsibilities in as effective and efficient a manner as possible.
Generic or group IDs shall not normally be permitted, but may be granted under exceptional circumstances
if sufficient other controls on access are in place.
The allocation of privilege rights (e.g. local administrator, domain administrator, super-user, root access)
shall be restricted and controlled, and authorization provided jointly by the system owner and IT Services.
Technical teams shall guard against issuing privilege rights to entire teams to prevent loss of confidentiality.
Access rights will be accorded following the principles of least privilege and need to know.
Every user should attempt to maintain the security of data at its classified level even if technical security
mechanisms fail or are absent.
Users electing to place information on digital media or storage devices or maintaining a separate database
must only do so where such an action is in accord with the data’s classification.
Users are obligated to report instances of non-compliance to the Company Name CISO.
Access to Company Name IT resources and services will be given through the provision of a unique Active
Directory account and complex password.
No access to any Company Name IT resources and services will be provided without prior authentication
and authorization of a user’s Company Name Windows Active Directory account.
Password issuing, strength requirements, changing and control will be managed through formal processes.
Password length, complexity and expiration times will be controlled through Windows Active Directory Group
Policy Objects.
Access to Confidential, Restricted and Protected information will be limited to Authorised persons whose job
responsibilities require it, as determined by the data owner or their designated representative. Requests for
access permission to be granted, changed or revoked must be made in writing.
Users are expected to become familiar with and abide by Company Name policies, standards and guidelines
for appropriate and acceptable usage of the networks and systems.
Access for remote users shall be subject to authorization by IT Services and be provided in accordance with
the Remote Access Policy and the Information Security Policy. No uncontrolled external access shall be
permitted to any network device or networked system.
Access to data is variously and appropriately controlled according to the data classification levels described
in the Information Security Management Policy.
Access control methods include logon access rights, Windows share and NTFS permissions, user account
privileges, server and workstation access rights, firewall permissions, IIS intranet/extranet authentication
rights, SQL database rights, isolated networks and other methods as necessary.
A formal process shall be conducted at regular intervals by system owners and data owners in conjunction
with IT Services to review users’ access rights. The review shall be logged and IT Services shall sign off the
review to give authority for users’ continued access rights.

Ver 1.0
