S 2.7 Granting of (system/network) access authorisations
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Head of IT, Information Security Management
Access authorisations allow the person to whom the rights are granted, or an authorised representative of that person, to use certain IT systems, system components and networks. Access authorisations should be granted as restrictively as possible. They are to be defined individually for each person according to his/her function, taking the principle of separation of functions into account (see S 2.5 Division of responsibilities and separation of functions). Access to the computers must be defined based on the function performed by the person, for example access to the operating system (system administrators) or access to an IT application (users). In addition, it must be ensured that personnel changes and changes to a person's tasks are taken into account immediately, so that authorisations are adjusted or revoked as soon as the function on which they were based no longer applies.
Access to IT systems or IT applications should only be possible for authorised users after identification (e.g. with a user name, user ID or chip card) and authentication (e.g. with a password or an authentication token), and all accesses must be logged.
The processes of granting and revoking access resources such as user IDs or chip cards must be documented. Regulations governing the handling of access and authentication resources (e.g. rules on handling chip cards or on password usage, see S 2.11 Provisions governing the use of passwords) must also be established. All persons having the right to access the system or network must be instructed in the proper handling of access resources.
If authorised users are absent for a longer period of time, e.g. because of a holiday or an illness, their access authorisations should be locked temporarily to prevent misuse of the unattended accounts. This applies at the very least to all persons with wide-ranging authorisations, such as administrators.
Compliance with these regulations must be verified from time to time by random spot checks, comparing the authorisations actually in place with the documented grants and revocations.
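As an added example that is not part of the safeguard text, the following Python script performs such a spot check: it reconciles a documented authorisation register (person, function, permitted systems) against the account state exported from the systems, and reports accounts without a documented grant, documented grants without an account, grants exceeding the person's function, incompatible functions held by one person (S 2.5), and privileged users on a long absence whose accounts are not locked. The role table, the user and system names, the absence data and the 14-day threshold for a "longer period" are all constructed assumptions; the safeguard itself gives no concrete figures.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Authorisation:
    """One documented grant: a person, the function it is based on, and the
    systems/networks that function may access."""
    user_id: str
    function: str
    systems: frozenset


@dataclass(frozen=True)
class Account:
    """Actual account state as exported from a system (user, system, locked)."""
    user_id: str
    system: str
    locked: bool


# Function -> systems that function may access (constructed for the example).
ROLE_ACCESS = {
    "system administrator": {"os:fileserver", "os:mailserver"},
    "payroll clerk": {"app:payroll"},
    "payroll approver": {"app:payroll"},
}
# Functions with wide-ranging rights: lock at least these during long absences.
PRIVILEGED_FUNCTIONS = {"system administrator"}
# Function pairs one person must not combine (separation of functions, S 2.5).
INCOMPATIBLE_FUNCTIONS = [frozenset({"payroll clerk", "payroll approver"})]
# "Longer period" of absence: the safeguard gives no number, 14 days is assumed.
LONG_ABSENCE = timedelta(days=14)


def spot_check(register, accounts, absences, today):
    """Compare documented authorisations with actual accounts and return the
    findings as sorted (finding_type, user_id, detail) tuples."""
    findings = set()
    documented = {(a.user_id, s) for a in register for s in a.systems}
    actual = {(acc.user_id, acc.system) for acc in accounts}

    # 1. Accounts without a documented authorisation (revocation not carried
    #    out or grant never documented), and documented grants without account.
    for user, system in actual - documented:
        findings.add(("undocumented_access", user, system))
    for user, system in documented - actual:
        findings.add(("stale_documentation", user, system))

    # 2. Grants that go beyond what the person's function requires.
    for a in register:
        for system in a.systems - ROLE_ACCESS.get(a.function, set()):
            findings.add(("exceeds_function", a.user_id, system))

    # 3. Separation of functions: nobody may hold two incompatible functions.
    functions_of = {}
    for a in register:
        functions_of.setdefault(a.user_id, set()).add(a.function)
    for user, funcs in functions_of.items():
        for pair in INCOMPATIBLE_FUNCTIONS:
            if pair <= funcs:
                findings.add(("separation_violation", user, "+".join(sorted(pair))))

    # 4. Privileged users currently on a long absence must have locked accounts.
    privileged = {a.user_id for a in register if a.function in PRIVILEGED_FUNCTIONS}
    for acc in accounts:
        span = absences.get(acc.user_id)
        if span is None or acc.locked or acc.user_id not in privileged:
            continue
        start, end = span
        if start <= today <= end and (end - start) >= LONG_ABSENCE:
            findings.add(("absent_not_locked", acc.user_id, acc.system))

    return sorted(findings)


def run_example():
    """Run the spot check over constructed sample data (all names invented)."""
    register = [
        Authorisation("alice", "system administrator", frozenset({"os:fileserver", "os:mailserver"})),
        Authorisation("bob", "payroll clerk", frozenset({"app:payroll"})),
        Authorisation("bob", "payroll approver", frozenset({"app:payroll"})),  # violates S 2.5
        Authorisation("carol", "payroll approver", frozenset({"app:payroll"})),
        Authorisation("dave", "payroll clerk", frozenset({"app:payroll", "os:fileserver"})),  # beyond function
        Authorisation("frank", "payroll clerk", frozenset({"app:payroll"})),  # account already removed
    ]
    accounts = [
        Account("alice", "os:fileserver", locked=False),
        Account("alice", "os:mailserver", locked=False),
        Account("bob", "app:payroll", locked=False),
        Account("carol", "app:payroll", locked=False),
        Account("dave", "app:payroll", locked=False),
        Account("dave", "os:fileserver", locked=False),
        Account("erin", "os:fileserver", locked=False),  # no documented authorisation
    ]
    absences = {
        "alice": (date(2024, 7, 1), date(2024, 7, 28)),  # four weeks of holiday
        "bob": (date(2024, 7, 9), date(2024, 7, 11)),    # short absence, no lock required
    }
    return spot_check(register, accounts, absences, today=date(2024, 7, 10))


if __name__ == "__main__":
    for kind, user, detail in run_example():
        print(f"{kind:22} {user:8} {detail}")
```

In practice the register would be the documented grant/revocation records required by this safeguard and the account list an export from each system or directory; the script only shows the reconciliation logic, not the export.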
Review questions:
- Is there up-to-date documentation of the access authorisations granted and revoked, and of the access resources issued?
- Are system and network access authorisations granted based on the functions performed by the person with the access authorisation?
- Were the people who have been granted access instructed in the proper handling of access resources?
- Are access authorisations locked temporarily in the event of longer periods of absence of authorised persons?