S 2.220 Guidelines for access control
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Specialists Responsible, Administrator
Before IT systems, system components and networks can be used and the information stored on them retrieved, access control procedures must be defined. In addition to the access controls that have to be set up on the individual IT components, there should be organisation-wide guidelines on the fundamental issues. The access control procedures must reflect the protection requirements of the government agency or company. In particular, pertinent legislation, regulations and contractual provisions, for example data privacy protection and copyright legislation and licence provisions, must be complied with.
It is recommended that standard rights profiles are established for the persons entitled to use IT systems, derived from their functions and tasks (see also S 2.8 Assignment of access rights). User rights for access to files and programs must be defined according to the role involved, the need-to-know principle and the sensitivity of the data. Any granting of rights beyond the standard profile must be justified.
The guidelines covering access control should be issued to all those responsible for IT applications, who can then use them to derive and set up the access rules for particular IT systems.
For every individual IT system and every IT application there should be written access rules, and the users that have been configured and the rights assigned to them should be documented (see S 2.30 Provisions governing the configuration of users and of user groups). The system- and application-specific peculiarities and security requirements must be considered here. Those responsible for the IT assets are responsible for creating and updating the system- and/or application-specific requirements.
If particularly extensive rights are granted to employees (e.g. to administrators), this should be done as restrictively as possible: the group of privileged users should be kept as small as possible, and only those rights that are actually necessary for a person to perform his or her assigned tasks should be issued (see also S 2.38 Division of administrator roles). For all tasks that can be carried out without extended rights, even privileged users should work under accounts with standard rights.
Access to all IT systems and services must be protected through identification and authentication of the user or IT system seeking access. Strong authentication procedures, for example one-time passwords or possession of a smart card, should be used to control access from external networks.
No information about the IT system or about the progress of the logon procedure should be displayed until logon has been completed successfully; before that, only a notice that access is allowed to authorised users alone should be shown. The authentication data must only be checked after it has been entered in full, so that the system does not reveal, by rejecting early, which part of the credentials (for example the user name) was wrong. Further requirements relating to the authentication mechanisms can be found in S 4.133 Appropriate choice of authentication mechanisms.
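The following is an added example and not part of the catalogue text: it shows, in Python, a logon check written the way the two requirements above forbid (progress of the logon is revealed) next to one written the way they demand (credentials are evaluated only once both are supplied in full, and the same failure message is returned whatever went wrong). The user database, the user name alice, the fixed salt and the function names check_logon_leaky and check_logon are constructed for the example and are assumptions, not a real system.

```python
import hashlib
import hmac

# Constructed sample data for the example (assumption, not a real system).
# Passwords are stored as PBKDF2 derived keys; the salt is fixed so that
# the example is reproducible offline.
def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_SALT = bytes.fromhex("00" * 16)
USER_DB = {
    "alice": (_SALT, _derive("correct horse battery staple", _SALT)),
}

# Dummy record used when the user name is unknown, so that the unknown-user
# path performs the same derivation and comparison as the wrong-password path.
_DUMMY = (_SALT, _derive("dummy", _SALT))

# The only text shown before a successful logon: no system details,
# no hint about which field was rejected.
BANNER = "Access to this system is restricted to authorised users."
GENERIC_FAILURE = "Logon failed."


def check_logon_leaky(username: str, password: str) -> str:
    """The pattern the guideline forbids: the reply reveals logon progress.

    An attacker can enumerate valid user names, and a valid name is confirmed
    before the password has even been considered.
    """
    if username not in USER_DB:
        return "Unknown user"            # reveals which user names exist
    salt, key = USER_DB[username]
    if _derive(password, salt) != key:
        return "Wrong password"          # confirms the user name was right
    return "Welcome, " + username


def check_logon(username: str, password: str) -> tuple[bool, str]:
    """Checks the credentials only once both have been entered in full and
    returns the same failure message regardless of what was wrong."""
    if not username or not password:
        # Incomplete authentication data: evaluate nothing, reveal nothing.
        return False, GENERIC_FAILURE
    known = username in USER_DB
    salt, key = USER_DB.get(username, _DUMMY)
    # Derive and compare in every case. hmac.compare_digest avoids the
    # byte-by-byte early exit of "==" that would leak how much of the key
    # matched; "known" is combined afterwards so an unknown user whose
    # password happens to equal the dummy still fails.
    match = hmac.compare_digest(_derive(password, salt), key)
    ok = known and match
    return (True, "Logon successful.") if ok else (False, GENERIC_FAILURE)


if __name__ == "__main__":
    print(BANNER)
    for user, pw in [("alice", "wrong"), ("bob", "wrong"), ("alice", "correct horse battery staple")]:
        print(user, "->", check_logon_leaky(user, pw), "|", check_logon(user, pw)[1])
```

In the hardened version the unknown-user and wrong-password cases are indistinguishable both in the message and in the work performed, which is what "only checked after it has been entered in full" buys in practice. A real system would additionally rate-limit and log failed attempts and keep the credential store outside the program.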
Review questions:
- Do rules for access control that are appropriate for the organisation's protection requirements exist?
- Do standard rights profiles that correspond to the functions and tasks of the users exist?
- Do written access rules exist and are the users that have been configured and the rights they have been assigned documented?
- Is access to all IT systems and services protected through identification and authentication of the user or IT system seeking access?
- Is authentication data only checked after it has been entered in full?