
ACCESS CONTROL POLICY

[Company Name]

Version 1.0
Document Owner:
Effective Date:
Updated: [Updated Date]

CONFIDENTIAL

Disclaimer: This sample policy has been provided by Apptega, Inc. as a generic document to support the
development of your compliance program. It is unlikely to be complete for your organization without
customization. This document is not legal advice and Apptega is not a registered CPA firm.

Revision History

Revision   Rev. Date   Description   Prepared By   Reviewed By   Date   Approved By   Date
1.0

Contents

1. Overview
2. Purpose
3. Scope
4. Policy (sections 4.1 through 4.22)
5. Audit Controls and Management
6. Enforcement
7. Distribution
8. Related Standards, Policies, and Processes
9. Related Sub-controls
10. Definitions and Terms

1. Overview
Access control protects an information system against unauthorized access by means of
identification, authentication, authorization, and access approval. When managing an
information system, it is critical to know who can access it and what privileges they hold.
Proper access control procedures prevent unauthorized users from reading, modifying, or
otherwise improperly using sensitive data.

2. Purpose
This policy establishes the requirements and procedures that support effective access
control within <The Company>.

3. Scope
This policy applies to all company officers, directors, employees, agents, affiliates,
contractors, consultants, advisors or service providers that possess, access, or manage
information owned by the organization. It is the responsibility of all the above to
familiarize themselves with this policy and ensure adequate compliance with it.

4. Policy
4.1
Information system access is to be limited to:

• Authorized Users
• Processes acting on behalf of Authorized Users
• Devices (including other information systems) acting on behalf of Authorized
Users

4.2
System access is to be limited to the types of transactions and functions that
Authorized Users are permitted to execute.

System access of Authorized Users is limited to these functions:

• <Define the types of transactions and functions that Authorized Users are
permitted to execute>

4.3
The flow of sensitive information must be in accordance with approved
authorizations.

• <Define methods for controlling the flow of Controlled Unclassified
Information (CUI)>
• <List designated sources and destinations for sensitive information>

4.4
The duties of certain individuals must be separated so that malevolent activity
cannot be carried out by one person acting alone, without collusion.

• <Outline duties that require separation>

These duties are separated in order to limit the ability of a single individual to act
against the company.
Accounts that manage these areas must not be shared between individuals whose
duties and accesses are separated as part of this policy.

4.5
<The Company> follows the Principle of Least Privilege. System and user privileges
are to be limited to the minimum authorization necessary to perform assigned tasks.

4.6
Only non-privileged accounts are to be used when accessing non-security
functions.

• If a system user both accesses data and maintains the system in some way, they
must use separate accounts with appropriate access levels for each function.

• As a policy, users with multiple accounts must always log on with the
account having the least privilege necessary for the task at hand.

4.7
<The Company> ensures that non-privileged users cannot execute privileged
functions.

The following is recorded in an audit log upon execution of a privileged function:

• The executing user
• What function was executed
• The date and time of execution

4.8
The number of consecutive unsuccessful login attempts must be limited, and the
action taken when the limit is reached must be defined.

• <Outline your system for limiting unsuccessful login attempts>

4.9
Privacy and security notices required by CUI-specific rules must be displayed.

• <Define how these notices are displayed>
• <List required privacy and security notices>

4.10
Following a defined period of inactivity, computers and displays must lock in order to
prevent access to and viewing of data. Information previously visible on the display
must be concealed while the session is locked.

• <Define the period of inactivity after which a session lock initiates>

4.11
Systems must automatically terminate a user session when any of the following
conditions occurs:

• <List conditions requiring a user session to terminate>

4.12
<State whether Remote Access Sessions are permitted>
(If Permitted)
<The Company> permits remote access sessions on the condition that they are
controlled and monitored.

• <Identify the permitted types of remote access>
• <Define how remote access will be controlled and monitored>

4.13
(If Permitted)
The confidentiality of Remote Access Sessions must be protected by
cryptographic mechanisms.

• <Outline the mechanisms that protect the confidentiality of remote access
sessions>

4.14
(If Permitted)
Remote Access Sessions must be routed via managed access control points.

• <List the access control points through which Remote Access Sessions are routed>

4.15
(If Permitted)
Remote access to security-relevant information and remote execution of privileged
commands must be explicitly authorized.

• <List the privileged commands that may be remotely executed>
• <List the security-relevant information that may be remotely accessed>

4.16
Wireless access to the system must be authorized before the connection is
made.

• <List wireless points of access>

4.17
Wireless access to the system must be protected with encryption and
authentication.

4.18
Connections made by mobile devices are to be authorized, monitored, and
logged.

• <List any mobile devices that process, store, or transmit CUI>

4.19
CUI on mobile devices and mobile computing platforms must be encrypted.

• <List any mobile devices and mobile computing platforms that process, store,
or transmit CUI>

4.20
Connections to and use of external systems must be controlled and should be
limited.

• <List any external systems used>
• <List when connections may be used>

Use of external systems must be verifiable.

4.21
The use of organizational portable storage devices on external systems should be
limited. Portable storage devices containing CUI that are used on external systems
must be documented.

• <List portable storage devices used on external systems that contain CUI>
• <Define the limits on the use of organizational portable storage devices
containing CUI>

4.22
Any CUI posted to or processed on publicly accessible systems must be adequately
controlled by:

• <Define the process for controlling CUI posted to or processed on publicly accessible
systems>
• <List users authorized to post or process information on publicly accessible
systems>
• <Explain the review process for posting information to publicly accessible
systems>

Content on publicly accessible systems is to be reviewed to ensure that it does
not include CUI.
CUI improperly posted on publicly accessible systems is removed or managed by
<Define mechanisms in place to remove and address improper posting of CUI>.

5. Audit Controls and Management
On-demand documented procedures and evidence of practice should be in place for this
operational policy. Satisfactory examples of evidence and compliance are outlined in the
Audit and Accountability Policy.

6. Enforcement
Staff members found in policy violation may be subject to disciplinary action, up to and
including termination.

7. Distribution
This policy is to be distributed to all staff.


8. Related Standards, Policies, and Processes

• Configuration Management Policy
• Identification and Authentication Policy
• Media Protection Policy
• Personnel Security Policy
• Physical Protection Policy
• Security Assessment Policy

9. Related Sub-controls

Control Code   Control
3.1.1          Account Management
3.1.2          Access Enforcement
3.1.3          Information Flow Enforcement
3.1.4          Separation of Duties
3.1.5          Least Privilege
3.1.6          Non-privileged Account Use
3.1.7          Audit of Privileged Use
3.1.8          Unsuccessful Logon Attempts
3.1.9          System Use Notification
3.1.10         Session Lock
3.1.11         Session Termination
3.1.12         Remote Access Monitoring
3.1.13         Encrypting Remote Access
3.1.14         Manage Access Control Points
3.1.15         Remote Access Authorization
3.1.16         Wireless Access Authorization
3.1.17         Wireless Access Encryption
3.1.18         Access Control for Mobile Devices
3.1.19         Encrypt Data on Mobile Devices
3.1.20         Use of External Information Systems
3.1.21         Use of Portable Storage Devices on External Systems
3.1.22         Publicly Accessible Content


10. Definitions and Terms

The following definitions are not all-inclusive and should be updated as new information
is made available:

Term                            Definition
Access Approval                 The decision of a system to either accept or reject an access
                                request from an authenticated user or process, based on the
                                requesting party's authorization privileges.
Authentication                  The verification of a user's or process's claimed identity.
Authorization                   The specific access rights and privileges of a user or process.
CUI (Controlled Unclassified    Unclassified information that should not be publicly disclosed.
Information)
Identification                  The claim to identity of a user or process. (The user or process
                                becomes authenticated upon proving its identity.)
Least Privilege Principle       The policy of limiting a user or process to the minimum level of
                                authorization necessary to complete a task.
