The institution implements a comprehensive system to control access to technological equipment, devices and software systems.
This includes mechanisms for data access control, endpoint access control, authentication and identification, user privilege management, network access control, password management and activity logging.
Guideline code
ICT_03900
Mechanism
- In designing the comprehensive access control system, the ICT unit should:
  - Take into account both the information security structure and the technologies and products used in the institution;
  - Establish a single authentication and identification system based on a robust user account mechanism, covering all the software systems operating in the institution. The user account system should be based on roles and profiles and follow the principle of least privilege for accounts in all systems;
  - Establish a robust password mechanism by defining rules on password format and by ensuring that passwords are transmitted only in encrypted form over any communication network that is not itself trusted;
  - Establish measures to restrict access to information to users holding the appropriate rights, on a need-to-know basis. Access rights should be clearly defined and reviewed periodically;
  - Establish measures to control the connection of external devices to internal endpoints, including control over data access by portable electronic storage devices and over the use of the endpoints' physical ports;
  - Establish procedures and mechanisms for access to operating systems based on secure log-on procedures;
  - Establish procedures and mechanisms for controlling access to web pages, which may be placed under their own authentication and access control system;
  - Establish procedures and mechanisms to manage the connection of external information systems to the internal network, based on an authentication procedure and requiring prior approval from the ICT unit;
  - Define policies and establish procedures and mechanisms for the management of activity logs concerning access to information systems, based on business needs and data classification requirements.
Parent
Structure
- The ICT unit should design and implement a comprehensive access control system.
- Management should define the relevant duties and responsibilities for access control, based on the information security management structure.
- The access control system should be based on the institutional information security management framework and on the international standard ISO/IEC 27002:2005 Information technology – Security techniques – Code of practice for information security management (the 2005 edition cited here has since been revised; the current edition should be consulted when the system is reviewed).
Title HTML
Guideline 30. Comprehensive access control system
Type
Guideline_1
Weight
42