ACCESS CONTROL POLICY

As explained in this CyberKach article, cybersecurity policies are high-level governance documents defined and documented by the IT / cyber team leadership to give employees guidelines on acceptable conduct, so as to ensure the confidentiality, integrity and availability of the organisation's information systems, network infrastructure and data. Management therefore needs to communicate acceptable standards to employees through cybersecurity policies.

The Access Control Policy provides guidelines on how access is managed within an organisation and defines the standards by which users are granted access to the organisation's resources. It is management's means of defining how employees may gain physical and logical access to information, and how much of that information they may be granted.

Any organisation that understands the concept of confidentiality, integrity and availability, and that holds information it considers important, must document an Access Control Policy.

It is also worth noting that Access Control Policies apply to all employees in the organisation.

Coming up with Access Control Guidelines

Given the objectives of an Access Control Policy, organisations must base their policy guidelines on the following considerations:

  • The IT assets they own: As expected, organisations will decide access rights based on the assets in their IT environment. For example, an organisation may decide to configure the data centre biometric scanner to allow access only to certain individuals in the IT team. This guideline will be documented in the Access Control Policy, clearly stating the roles of the individuals to be granted access to the data centre.
  • Employee segregation of duties matrix: Segregation of duties is an important control that ensures employees focus only on certain aspects of business functions, lowering the risk of fraud. The segregation of duties matrix is a simple summary document which shows the different roles in the organisation and the specific activities each performs in the course of the business operations chain. This matrix may be leveraged to determine which personnel require access to which information resources.
  • Principle of Least Privilege: The principle of least privilege roughly translates to "Give every user the lowest possible access/privilege they require to perform their official duties". Therefore, a banking professional responsible for raising cheques (on the CoreBanking application) for his manager to approve does not require (and should not get) the access to approve cheques on the banking application.

Sample Access Control Policy Guidelines

The following are sample guidelines which may be found in the Access Control Policy defined by a new-generation bank:

  • "Third-party access to Bank applications shall be subject to management approval, based on the principle of least privilege and have a fixed termination date which shall be configured on the system."
  • "Activities of privileged users on the Bank's IT infrastructure shall be logged and reviewed quarterly."
  • "Employees shall be granted access to network resources with due consideration for the requirements of their job descriptions. Ad-hoc access requests shall only be granted on management approval."
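To show how the considerations above (least privilege, the segregation of duties matrix) and the three sample guidelines translate into an enforceable check, here is an added example; it is not from the article or from any bank's system, and the role names, permissions, accounts and dates are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Set

# Constructed role-to-permission map (least privilege): each role carries only
# the permissions its job description needs. Names are illustrative only.
ROLE_PERMISSIONS = {
    "teller": {"raise_cheque", "view_account"},
    "branch_manager": {"approve_cheque", "view_account"},
    "dc_engineer": {"data_centre_entry"},
}
# Segregation of duties matrix reduced to conflict pairs: no single person may
# hold both permissions of a pair (the cheque raiser must not also approve).
SOD_CONFLICTS = {frozenset({"raise_cheque", "approve_cheque"})}
# Privileged actions whose use is logged for the quarterly review.
PRIVILEGED = {"approve_cheque", "data_centre_entry"}
TODAY = date(2024, 1, 15)  # constructed clock so the example runs offline

@dataclass
class Account:
    user: str
    roles: Set[str]
    third_party: bool = False
    expires: Optional[date] = None  # fixed termination date, mandatory for third parties
    adhoc_grants: Set[str] = field(default_factory=set)  # management-approved ad-hoc access

def effective_permissions(acct: Account) -> Set[str]:
    perms = set(acct.adhoc_grants)
    for role in acct.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def sod_violations(acct: Account):
    """Conflict pairs the account holds in full, e.g. [('approve_cheque', 'raise_cheque')]."""
    perms = effective_permissions(acct)
    return [tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= perms]

def authorize(acct: Account, permission: str, today: date, audit_log: list):
    """Return (allowed, reason); privileged actions are appended to audit_log."""
    if acct.third_party and acct.expires is None:
        return False, "third-party account has no termination date"
    if acct.third_party and today >= acct.expires:
        return False, "third-party access expired"
    if sod_violations(acct):
        return False, "segregation of duties conflict: %s" % sod_violations(acct)
    allowed = permission in effective_permissions(acct)
    if permission in PRIVILEGED:
        audit_log.append("%s user=%s action=%s allowed=%s" % (today.isoformat(), acct.user, permission, allowed))
    return allowed, "granted" if allowed else "not required by job role"
```

A teller can raise but not approve a cheque; an account holding both roles is refused everything until the conflict is resolved, and a third-party account with no or a past termination date is refused outright.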

It is important that organisations diligently define their Access Control Policy, as this helps them ensure better confidentiality, integrity and availability of their information and information systems.