Access Control

Business Requirement for Access Control

Whether an access control policy is developed
Access Control Policy and reviewed based on the business and
security requirements.
Whether both logical and physical access
control are taken into consideration in the
policy
Whether the users and service providers were
given a clear statement of the business
requirement to be met by access controls.

User Access Management

Whether there is any formal user registration
User Registration and de-registration procedure for granting
access to all information systems and services.
Whether the allocation and use of any
Privilege Management privileges in information system environment is
restricted and controlled i.e., Privileges are
allocated on need-to-use basis, privileges are
allocated only after formal authorization
process.
The allocation and reallocation of passwords
User Password should be controlled through a formal
Management management process.
Whether the users are asked to sign a statement
to keep the password confidential.
Whether there exists a process to review user
Review of user access access rights at regular intervals. Example:
rights Special privilege review every 3 months,
normal privileges every 6 moths.

User Responsibilities
Whether there are any security practice in place
Password use to guide users in selecting and maintaining
secure passwords.
Whether the users and contractors are made
Unattended user aware of the security requirements and
equipment procedures for protecting unattended
equipment. .
Example: Logoff when session is finished or set
up auto log off, terminate sessions when
finished etc.,
 Whether the organisation has adopted clear
Clear desk and clear desk policy with regards to papers and
screen policy removable storage media
Whether the organisation has adopted clear
screen policy with regards to information
processing facility

Network Access Control

Whether users are provided with access only to
Policy on use of the services that they have been specifically
network services authorized to use.
Whether there exists a policy that does address
concerns relating to networks and network
services.
Whether appropriate authentication mechanism
User authentication for is used to control access by remote users.
external connections
Whether automatic equipment identification is
Equipment considered as a means to authenticate
identification in connections from specific locations and
equipment.
networks
Whether physical and logical access to
Remote diagnostic and diagnostic ports are securely controlled i.e.,
configuration port protected by a security mechanism.
protection
Whether groups of information services, users
Segregation in networks and information systems are segregated on
networks.
Whether the network (where business partner’s
and/ or third parties need access to information
system) is segregated using perimeter security
mechanisms such as firewalls.
Whether consideration is made to segregation
of wireless networks from internal and private
networks.
Whether there exists an access control policy
Network connection which states network connection control for
control shared networks, especially for those extend
across organization’s boundaries.
Whether the access control policy states routing
Network routing controls are to be implemented for networks.
control
 Whether the routing controls are based on the
positive source and destination identification
mechanism.

Operating system access control

Whether access to operating system is
Secure log-on controlled by secure log-on procedure.
procedures
Whether unique identifier (user ID) is provided
User identification and to every user such as operators, system
authentication administrators and all other staff including
technical.
Whether suitable authentication technique is
chosen to substantiate the claimed identity of
user.
Whether generic user accounts are supplied
only under exceptional circumstances where
there is a clear business benefit. Additional
controls may be necessary to maintain
accountability.
Whether there exists a password management
Password management system that enforces various password controls
system such as: individual password for accountability,
enforce password changes, store passwords in
encrypted form, not display passwords on
screen etc.,
Whether the utility programs that might be
Use of system utilities capable of overriding system and application
controls is restricted and tightly controlled.
Whether inactive session is shutdown after a
Session time-out defined period of inactivity.
(A limited form of timeouts can be provided for
some systems, which clears the screen and
prevents unauthorized access but does not close
down the application or network sessions.
Whether there exists restriction on connection
Limitation of time for high-risk applications. This type of set
connection time up should be considered for sensitive
applications for which the terminals are
installed in high-risk locations.

Application and Information Access Control

Whether access to information and application
Information access system functions by users and support
 personnel is restricted in accordance with the
restriction defined access control policy.
Whether sensitive systems are provided with
Sensitive system dedicated (isolated) computing environment
isolation such as running on a dedicated computer, share
resources only with trusted application systems,
etc.,

Mobile Computing and teleworking

Whether a formal policy is in place, and
Mobile computing and appropriate security measures are adopted to
communications protect against the risk of using mobile
computing and communication facilities.
Some example of Mobile computing and
communications facility include: notebooks,
palmtops, laptops, smart cards, mobile phones.
Whether risks such as working in unprotected
environment is taken into account by Mobile
computing policy.
Whether policy, operational plan and
Teleworking procedures are developed and implemented for
teleworking activities.
Whether teleworking activity is authorized and
controlled by management and does it ensure
that suitable arrangements are in place for this
way of working.