Sample Access Control Policy
1. Purpose
2. Scope
3. Policy
Access control policy
Who grants authorisation for access to systems and business applications, and how is it granted?
User access
How is access to information systems to be granted (eg. passwords, etc.)?
Who is responsible for monitoring and reviewing access rights?
Who is responsible for removing redundant User IDs and accounts and notifying of their removal, and what is the process?
Who is responsible for granting access to system utilities and for privilege management?
How are access to and use of system utilities monitored?
User responsibilities
How are users to be educated and made aware of access responsibilities?
What are users’ responsibilities for access and passwords?
Network access
Who is responsible for authorising network access (both internally and external connections)?
What is the process for enforced network paths, user authentication for external connections, node authentication and use of remote diagnostic ports?
How will network domains and groups be segregated?
What network connection controls will be in place – eg. times, type and size of file transfers to external sources?
Operating system access
How is automatic terminal identification used to authenticate connections to specific locations and portable equipment?
What is the secure logon and logoff process for access?
Are there restrictions on connection times in place?
How will passwords be issued and managed, and what are the rules for passwords?
How will the use of system utilities be controlled?
Application access
Who authorises application access (eg. read, write)?
What is the process for authorising access to information when systems share resources, eg. two separate systems are integrated to form a third application or system?
Monitoring system access
What system events will be logged, eg. date, IP address, User-IDs, unsuccessful logins, alerts from intrusion detection systems (firewall)?
When will system logs be reviewed and monitored, by whom, and where are they stored?
Mobile computing and telecommuting
Outline Agency policy for each type of mobile device – eg. physical storage, personal usage, protection of information held on the device, access mechanisms (eg. password), virus protection, backup.
Outline the policy on use of computer equipment for telecommuting – eg. authorisation process, system access, physical security, etc.
Template - Access Control Policy Page 1 of 2 June 06