Organizations have policies and procedures in place for various business units such as accounting and human resources. They also have essential policies for information security and access. The challenge for IT departments is to establish and continually update access control policies in an evolving technology and business environment. Creating and documenting standards for logical and physical security of the organization is essential in the protection of the organization’s infrastructure as shown in FIGURE 14-1.
The size of the organization, the types of information used, and the industry in which the company exists are all factors to consider when building an IT security policy framework. This framework must address both logical and physical security. The human aspect of security is vital as well. Without training and awareness programs, the best defense can fail. At the heart of these systems is a strong access control policy.
Before discussing security policy frameworks, it is helpful to define a few terms that are often used interchangeably:
A policy is a general-purpose document that describes high-level organizational rules and requirements. A standard is a more specific implementation of a policy. Guidelines are strong suggestions for implementing policies and standards. Procedures are step-by-step outlines for completing a specific task as outlined in the guidelines and standards.
Failure to require strong access controls in a company’s security policy framework will contribute to vulnerabilities and breaches in the system. These breaches may result in the disclosure and loss of valuable information and assets and can expose the organization to civil and legal penalties.
The specific policies needed for access controls vary by organization, but in general, organizations should have policies that describe which users have access to sensitive systems and data, for what purpose, and for how long.
The following are common organization policies:
These policies provide a basis for an organization’s access control systems. You should base them on the organization’s business needs and risk assessment.
A standard is a set of detailed processes or methods for implementing technology, hardware, or software solutions. Access control standards are the rules that an organization uses to control access to its IT assets. You need these standards for every point in the access control life cycle, from user creation, through granting and revoking rights, to user removal. Standards are also important guides for evaluating an organization’s regulatory compliance.
Standards documents, established by collective agreement and approved by management, provide common, repeatable rules. This helps to safeguard access controls and policies and gives an organization better control in protecting its infrastructure and assets. Some common standards documents that many organizations use are:
Every organization will have a unique set of standards based on its business needs, but these are the standards that most organizations have in common.
You must establish access control procedures by outlining the steps needed to access organizational IT assets. Procedures should be included that detail authentication, account management, password management, and remote access. Additionally, you will need access determination policies and the systems that enforce them to restrict unauthorized access.
Procedures outlining specific steps for each process should be developed and used. The following is an example of an access request change procedure:
This is a simple example of a procedure. Having explicit procedures is vital for the efficient and consistent application of an access control policy. Without written procedures, the risk of mistakes and errors in an organization’s access controls grows dangerously high.
Guidelines are a collection of suggestions and best practices relating to a standard or procedure. A guideline doesn’t necessarily need to be met, but compliance is strongly encouraged. An organization’s access control policy will typically reference the guidelines the organization already has in place. Although these actions are strongly encouraged, it is important to remember that they are not fixed rules. Guidelines are best viewed as recommendations.
An organization can have various guidelines for departments and end users relating to access control policies. All of the information pertaining to a guideline should be included within a policy or procedure that the department or end user is required to follow. Including guidelines in these official documents lends them weight and gives the organization an easy way to deliver them to end users.
Some examples of departmental guidelines are:
Some examples of individual guidelines are:
Both individual and departmental guidelines should be written as helpful guidance for compliance with more official documents such as policies, standards, and procedures.