The development of an access control policy is a fundamental element in the creation and implementation of a company’s access control system. Proper access control means people can access all the digital and physical resources they need to do their jobs, but they won’t have access to other facets of the business.
An access control policy is the planned operational and strategic foundation of all the best access control systems, and it is also a fundamental managerial responsibility. Each business must decide in advance what data and resources each employee should be able to access.
Here’s an overview of access control policies, why you need them, how to create one, and what to include.
Editor’s Note: Looking for the right access control system for your business? Fill out the questionnaire below to have our supplier partners contact you regarding your needs.
What is an access control policy?
An access control policy documents and specifies the resources that permanent and temporary employees, management, contractors, business partners and customers can access. It also defines when and where such access can take place.
Managers and other leaders plan, document and implement the access control policy through formal procedures. Everyone involved should be aware of the permissions and restrictions in the policy.
An access control policy addresses the following high level concerns:
- Types of access to necessary resources according to roles, responsibilities and objectives
- Access range
- Regulatory compliance considerations for access
- Coordination between organizational departments and their locations
- Types of controls that allow access management and monitoring
This high-level view does not provide the degree of depth and specificity that a good access control policy addresses. For example, the National Institute of Standards and Testing provides the following list of considerations in managing staff member accounts:
- Identification of account types (i.e. individual, group, system, application, guest / anonymous and temporary).
- Establishment of the conditions of membership of the group.
- Identify authorized users of the information system and specify access privileges.
- Require appropriate approvals for account establishment requests.
- Creation, activation, modification, deactivation and deletion of accounts.
- Specifically allow and monitor the use of guest / anonymous and temporary accounts.
- Notify account managers when temporary accounts are no longer needed, when information system users are terminated or transferred, or when their use of the information system or need-to-know / sharing status changes.
- Deactivate temporary accounts that are no longer needed and the accounts of terminated or transferred users.
- Grant access to the system based on valid access authorization, intended use of the system, and other attributes such as
- Review of accounts.
The document then refers to 19 related sets of procedural controls.
Other considerations include when to automatically terminate access, the need to audit these processes, when active users should log out, normal daytime usage, and identifying atypical usage.
So far we have only addressed access control policy considerations regarding staff member accounts. Companies must also impose access controls on databases, data, computer networks, applications, internal systems, cloud-based systems and access to external software.
How do you determine access?
Determining access is more complex than “the higher you are, the more you have”. For example, CEOs of companies have ultimate control over all business decisions and strategies. They need extensive data and the ability to move around facilities.
Yet CEOs would generally not have access to detailed accounts payable or receivable accounting systems. Lack of access in this area is financial control to prevent internal fraud.
CEOs also may not be able to walk freely into a factory because they lack the training and equipment to move safely between production lines and heavy equipment. Likewise, those with access to accounting or manufacturing systems would not be able to check a CEO’s financial metrics dashboard, and none of those employees would have the passwords for corporate network routers.
Why do you need an access control policy?
Smart business practices require predictability, risk management, regulatory compliance, and process controls. Here are some of the benefits of access control, whether virtual, digital or physical.
While an access control policy does not predict or avoid all potential problems in the workplace, it does help a business anticipate and reduce the risks it faces.
Access violations can cause damage, including loss of computer systems due to ransomware, theft of high-value real estate, injury to workers from unauthorized intruders, or other consequences. disastrous. To make matters worse, an access violation can result in negative publicity that will affect the business indefinitely.
What should be included in an access control policy?
The simplest – and most difficult – answer is: everything. There is virtually no aspect of commercial operations that does not require an access review. Here are some essential elements to include in an access control policy:
- Access to the building, including specific areas such as R&D laboratories, warehousing, shipping docks, each lockable door, service rooms for telephones and electrical panels, parking lots, preparation areas food, storage areas, server rooms, computer facilities, executive offices and even the office – level lockable drawers. Access also includes surveillance, which may include motion detectors and video cameras.
- IT, communications and other digital infrastructure. This includes examining the equipment, systems, applications and services to which people should have access. Also, determine who is allowed to order IT services from the cloud and their limits, which can be budgetary or role-based.
- Data, which is separate from the IT infrastructure. The data can reside in databases; in unstructured files on servers; in files on individual workstations, laptops or mobile devices; or in paper documents in filing cabinets.
- Business processes, including when, where and how entities can submit invoices; contact methods for legal notices; how the authorized order is placed; and even what types of information customer service personnel are authorized to provide.
- Physical security of personnel in the event of a natural or man-made disaster, or attack by an external agent.
- Regulatory and legal compliance standards.
Individuals will need to understand access requirements, sign compliance and use documents, get process training, and follow procedures that can sometimes be awkward.
Models and Mechanisms
An access control policy means nothing if there is no way to enforce or enforce it. This adds the need for models and mechanisms to the political process.
Models are a step between the creation of a policy and its implementation. They include detailed rule descriptions that are independent of any given hardware, software, procedure, or other mechanism. Common types of models include role-based, rule-based, and discretionary models.
A business may find that a combination of models is beneficial because one type may be useful in one area of operations, while a different model may work better in another area.
Then there are mechanisms, which can be software, such as an access control list, or a physical item, such as a key, key fob, or magnetic card. Although the mechanisms are at a much lower level than planning access control, proper documentation means recording which mechanisms will be used where. If new technological choices make a change necessary, this should also be recorded.