Access control policy

The purpose of access controls in an information system is to determine what activities are allowed and what activities are prohibited. Users, in most cases, should not have unfettered access to information systems. Access controls allow organizations to establish rules around how they want users to access information systems.

An access control policy should address:

• Limiting information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)
• Limiting information system access to the types of transactions and functions that authorized users are permitted to execute
• Controlling the flow of information in accordance with approved authorizations
• Separating the duties of inpiduals to reduce the risk of malevolent activity without collusion
• Employing the principle of least privilege, including for specific security functions and privileged accounts
• Using non-privileged accounts or roles when accessing non-security functions
• Preventing non-privileged users from executing privileged functions and auditing the execution of such functions
• Limiting unsuccessful logon attempts
• Providing privacy and security notices consistent with applicable rules
• Using session lock with pattern-hiding displays to prevent accessing/viewing of data after periods of inactivity
• Terminating (automatically) a user session after a defined condition
• Monitoring and controlling remote access sessions
• Employing cryptographic mechanisms to protect the confidentiality of remote access sessions
• Routing remote access via managed access control points
• Authorizing remote execution of privileged commands and remote access to security-relevant information
• Authorizing wireless access prior to allowing such connections
• Protecting wireless access using authentication and encryption
• Controlling the connection of mobile devices
• Encrypting information on mobile devices
• Verifying and controlling/limiting connections to and the use of external information systems
• Limiting the use of organizational portable storage devices on external information systems
• Controlling information posted or processed on publicly accessible information systems