Business requirements for access control must be established and account for information dissemination and authorization. Business requirements include:
- access control policy
- access control rules
User access management must be in place to control allocation of access rights. Such a management process must:
- cover all stages of the user life cycle
- include the allocation of privileged access which allows override
- include a formal registration and de-registration process
- employ unique IDs
- check with the user's supervisor and the system owner
- include a written statement of access privileges
- match the level of access to the business need
- include user's agreement to the terms of access
- include formal records of access
- include processes for removing redundant accounts
- address unauthorized access
- address user privilege management
- address user password management
- include review of user access rights
User responsibilities must be defined, since user co-operation is essential, and must ensure:
- password confidentiality
- regular password change
- password quality
- the use of temporary passwords for initial login
- that passwords are not included in any automated process
- that passwords are not shared
- that single sign-on is used where multiple accesses are required
- that users ensure that unattended equipment has appropriate protection
Network access control must include:
- policy on use of networks
- enforcement of path
- authentication of external connections
- node authentication
- remote diagnostic port protection
- segregation
- network connection control
- network routing control
- a clear description of all network services
Operating system access must be controlled and should include:
- automatic terminal identification
- terminal logon procedures
- user identification and authentication
- password management
- control over the use of system utilities
- protection for users who might be the targets of coercion
- terminal time-outs
- limitations on connect time
Application access should be restricted to authorized users by:
- the application of a defined access control policy
- use of control mechanisms such as menus, restricting knowledge, controlling the transaction rights of users (read/write/delete)
- isolation of sensitive systems
System access and use should be monitored to detect deviation from policy and to record evidence, and monitoring should include:
- event logging (user ID, date and time, terminal identity, successful and unsuccessful access to system and/or data)
- monitoring of system for procedures and areas of risk
- assessment of risk factors
- logging and reviewing events
- clock synchronization
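The monitoring requirements above list the fields an access event must carry and ask that events be reviewed and that clocks be synchronized. The following is an added example (not from the original page) of a small review pass over constructed access-log records in an assumed `key=value` format: it flags records missing a required field, repeated unsuccessful access by one user ID within a short window, and timestamps that run backwards beyond a small tolerance, which is one symptom of unsynchronized clocks. Field names, thresholds and the log format are all assumptions.

```python
"""Added example: review constructed access-log records against the logging
requirements (user ID, date/time, terminal identity, outcome) and flag
deviations worth a reviewer's attention. Log format and thresholds assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed key=value format); line 6 lacks a
# terminal, lines 2-4 are repeated failures, line 8 is earlier than line 7.
SAMPLE_LOG = """\
ts=2024-03-04T08:01:10Z user=alice terminal=T01 outcome=success
ts=2024-03-04T08:02:45Z user=bob terminal=T02 outcome=fail
ts=2024-03-04T08:02:50Z user=bob terminal=T02 outcome=fail
ts=2024-03-04T08:02:55Z user=bob terminal=T02 outcome=fail
ts=2024-03-04T08:03:00Z user=bob terminal=T02 outcome=success
ts=2024-03-04T08:04:00Z user=carol outcome=success
ts=2024-03-04T11:30:00Z user=dave terminal=T09 outcome=success
ts=2024-03-04T11:29:00Z user=erin terminal=T03 outcome=success
"""

# The fields the monitoring requirement says every event must record.
REQUIRED_FIELDS = ("ts", "user", "terminal", "outcome")


def parse_event(line):
    """Split 'k=v k=v ...' into a dict (assumed log format)."""
    return dict(kv.split("=", 1) for kv in line.split())


def missing_fields(event):
    """Return the required fields absent from an event record."""
    return [f for f in REQUIRED_FIELDS if f not in event]


def review_events(log_text, max_failures=3, window=timedelta(minutes=5),
                  skew=timedelta(seconds=30)):
    """Return (line number, finding type, detail) tuples for policy deviations.

    - 'incomplete': a required field is missing, so the record is not evidence
    - 'repeated_failure': max_failures unsuccessful attempts by one user within
      the window
    - 'clock_skew': a timestamp earlier than the previous one by more than
      skew, a sign that sources are not clock-synchronized
    """
    findings = []
    failures = defaultdict(list)   # user ID -> recent failure timestamps
    prev_ts = None
    for lineno, line in enumerate(log_text.splitlines(), 1):
        ev = parse_event(line)
        missing = missing_fields(ev)
        if missing:
            findings.append((lineno, "incomplete", "missing " + ",".join(missing)))
            continue
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        if prev_ts is not None and prev_ts - ts > skew:
            findings.append((lineno, "clock_skew", ev["user"]))
        prev_ts = ts
        if ev["outcome"] == "fail":
            hist = failures[ev["user"]]
            hist.append(ts)
            hist[:] = [t for t in hist if ts - t <= window]   # keep the window
            if len(hist) >= max_failures:
                findings.append((lineno, "repeated_failure", ev["user"]))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in review_events(SAMPLE_LOG):
        print(f"line {lineno}: {kind} ({detail})")
```

The incomplete record is reported rather than silently skipped because a record without a terminal identity cannot serve as the evidence the requirement asks for; the skew check is deliberately tolerant of small reorderings, which are normal when several sources feed one log.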
Mobile computing and teleworking activities cause special risks and require special protections including:
- consideration of unprotected environments
- consideration of all types of mobile devices
- consideration of special risks of teleworking