S 2.31 Documentation of authorised users and rights profiles
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
Documentation of the authorised users, user groups created, and rights profiles on the IT system must be produced. There are various ways to produce this documentation, for example using the following:
- default administration files of the system
- individual files managed by the corresponding administrator
- paper form
A suitable form should be selected and applied uniformly to the entire organisation, if possible.
In particular, the following information relating to the rights granted to users and user groups should be documented:
Authorised users:
- the rights profile assigned to the user (including any deviations from the standard rights profile used)
- reasons for selecting the corresponding rights profile (and possibly for the deviations as well)
- the name of the organisational unit to which the user belongs including the room number and telephone number
- time at which the user was set up and the reasons for setting up this user
- time and date of expiration of the user account
Authorised user groups:
- users in the group
- time at which the user group was set up and the reasons for setting up this group
- time and date of expiration of the user group
The documentation of authorised users and rights profiles should be examined regularly (at least every 6 months) to see if the documentation reflects the rights actually assigned to the users and profiles and if the rights granted still meet the security requirements and are appropriate for the current tasks of the corresponding users. Complete documentation is necessary to be able to monitor the rights granted to the users and user groups.
The documentation must be stored or kept safe so that it is protected against unauthorised access and so that it can still be accessed in case of a large-scale security incident or IT failure. If the documentation is made available in electronic form, then this documentation must be integrated into the data backup procedure.
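A reconciliation check of the kind the regular examination above calls for, as an added example that is not part of the BSI catalogue: it compares constructed documentation records (rights profile, recorded group membership, expiry date) against constructed excerpts of the system's own passwd and group files and lists every discrepancy, including expired accounts that are still present on the system.

```python
from datetime import date

# Constructed documentation records: assigned rights profile, recorded group
# membership and expiry date per user, plus the set of documented groups.
DOCUMENTED_USERS = {
    "alice": {"profile": "developer", "groups": {"dev", "docker"}, "expires": date(2026, 12, 31)},
    "bob":   {"profile": "operator",  "groups": {"ops"},           "expires": date(2024, 6, 30)},
    "carol": {"profile": "auditor",   "groups": {"audit"},         "expires": None},
}
DOCUMENTED_GROUPS = {"dev", "docker", "ops", "audit"}

# Constructed excerpts of the system's default administration files.
PASSWD = """alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
dave:x:1003:1003::/home/dave:/bin/bash
"""
GROUP = """dev:x:2001:alice
docker:x:2002:alice,dave
ops:x:2003:bob
audit:x:2004:
wheel:x:10:bob
"""

def parse_passwd(text):
    """Return the set of account names in passwd-format text."""
    return {line.split(":")[0] for line in text.splitlines() if line.strip()}

def parse_group(text):
    """Return {group: set(members)} from group-format text."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _, _, members = line.split(":", 3)
            groups[name] = {m for m in members.split(",") if m}
    return groups

def reconcile(documented_users, documented_groups, passwd_text, group_text, today):
    """List every difference between the documentation and the rights actually granted."""
    actual_users, actual_groups = parse_passwd(passwd_text), parse_group(group_text)
    doc_names, findings = set(documented_users), []
    findings += [f"undocumented user: {u}" for u in sorted(actual_users - doc_names)]
    findings += [f"documented user missing from system: {u}" for u in sorted(doc_names - actual_users)]
    findings += [f"undocumented group: {g}" for g in sorted(set(actual_groups) - documented_groups)]
    for user, rec in sorted(documented_users.items()):
        actual = {g for g, members in actual_groups.items() if user in members}
        if actual - rec["groups"]:
            findings.append(f"{user}: undocumented membership in {sorted(actual - rec['groups'])}")
        if rec["groups"] - actual:
            findings.append(f"{user}: documented membership not present: {sorted(rec['groups'] - actual)}")
        if rec["expires"] and rec["expires"] < today and user in actual_users:
            findings.append(f"{user}: account expired {rec['expires']} but still present")
    return findings
```

An empty result means the documentation matches the system; every finding is either a documentation gap to close or a right to revoke.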
Review questions:
- Are the authorised users, user groups created, and rights profiles documented?
- Is the documentation of the authorised users, user groups created, and rights profiles checked regularly to ensure it is up to date?
- Is the documentation of the authorised users, user groups, and rights profiles protected against unauthorised access?
- Is the documentation of the authorised users, user groups, and rights profiles - if it is made available in electronic form - included in the data backup procedure?