S 2.6 Granting of site access authorisations

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Head of Organisation, Building Services Manager

Before granting site access authorisations to persons, the rooms in the building requiring protection must be defined, e.g. offices, data media archive, server room, operating room, machine hall, document archive, and computer centre. The protection requirements of a room are derived from the protection requirements of the information processed in the particular room, the IT systems located in the room, and the data media stored and used in this room.

Afterwards, it must be specified who needs which site access rights for the respective function performed. In doing so, the separation of functions defined previously (S 2.5 Division of responsibilities and separation of functions) must be taken into consideration. The granting of unnecessary site access rights must be avoided.

In order to keep the number of people allowed to access a room to a minimum, the principle of separation of functions should be taken into consideration. For example, storing IT replacement parts and data media in separate rooms prevents unauthorised access to the data media by maintenance technicians.

Granting and revoking site access authorisations must be documented. When a site access authorisation is revoked, it must be guaranteed that the resources used to access the site have been returned. In addition, any conflicts arising while granting the site access authorisations to the corresponding people must be documented. Such conflicts may arise because someone performs functions that contradict the principle of separation of functions in terms of site access authorisations, or due to spatial requirements.

People (gatekeepers, security service personnel) or technical equipment (ID card readers, biometric methods such as iris scanners or fingerprints, security locks on doors and/or locking systems) may be used to monitor the site access authorisations (see S 2.14 Key management). Unauthorised personnel (e.g. visitors, cleaning crews, and maintenance personnel) must only access rooms requiring protection in the presence of or when accompanied by someone with proper site access authorisation.

Regulations for external personnel and visitors regarding granting and revoking their site access authorisations must be created as well.

Review questions: