Access Control Policy Template
[Company Name]
Document Owner:
Effective Date:
Updated:
Disclaimer: This sample policy has been provided by Apptega, Inc. as a generic document to support the development of your compliance program. It is unlikely to be complete for your organization without customization. This document is not legal advice and Apptega is not a registered CPA firm.
Access Control Policy
Version 1.0
[Updated Date]
Revision History
Revision | Rev. Date | Description | Prepared By | Reviewed By | Date | Approved By | Date
1.0 | | | | | | |
Contents
1. Overview (page 2)
2. Purpose (page 2)
3. Scope (page 2)
4. Policy (page 2)
4.1 (page 2)
4.2 (page 2)
4.3 (page 3)
4.4 (page 3)
4.5 (page 3)
4.6 (page 3)
4.7 (page 3)
4.8 (page 4)
4.9 (page 4)
4.10 (page 4)
4.11 (page 4)
4.12 (page 4)
4.13 (page 4)
4.14 (page 5)
4.15 (page 5)
4.16 (page 5)
4.17 (page 5)
4.18 (page 5)
4.19 (page 5)
4.20 (page 6)
CONFIDENTIAL
4.21 (page 6)
4.22 (page 6)
5. Audit Controls and Management (page 6)
6. Enforcement (page 6)
7. Distribution (page 7)
8. Related Standards, Policies, and Processes (page 7)
9. Definitions and Terms (page 7)
1. Overview
Access control protects against unauthorized access to a computer system through identification, authentication, authorization, and access approval techniques. When managing an information system, it is critical to understand who can access the system and what privileges they hold. Proper access control procedures prevent both authorized and unauthorized users from improperly reading, modifying, or otherwise misusing sensitive data.
2. Purpose
This policy defines the procedures and protocols that support effective access control.
3. Scope
This policy applies to all company officers, directors, employees, agents, affiliates,
contractors, consultants, advisors or service providers that possess, access, or manage
information owned by the organization. It is the responsibility of all the above to
familiarize themselves with this policy and ensure adequate compliance with it.
4. Policy
4.1
Information system access is to be limited to:
Authorized Users
Processes acting on behalf of Authorized Users
Devices (including other information systems) acting on behalf of Authorized Users
4.2
System access is to be limited to the types of transactions and functions that authorized users are permitted to execute.
<Define the types of transactions and functions that authorized users are permitted to execute>
4.3
The flow of sensitive information must be in accordance with approved
authorizations.
4.4
Certain duties must be separated between individuals to reduce the risk of malicious activity that one person could otherwise carry out without collusion.
These duties are separated in order to limit the ability of a single individual to act against the company.
Accounts that manage these areas must not be shared between individuals whose duties and accesses are separated under this policy.
4.5
<The Company> follows the Principle of Least Privilege. System and user privileges are to be limited to the minimum authorization necessary to perform the assigned function.
4.6
Only non-privileged accounts are to be used when accessing non-security functions.
If a system user both accesses data and maintains the system in some way, they must use separate accounts with the appropriate access level for each function.
As a policy, users with multiple accounts must always log on with the account having the least privilege necessary for the task at hand.
4.7
<The Company> ensures that non-privileged users cannot execute privileged
functions.
4.8
Unsuccessful login attempts must be limited.
4.9
Privacy and security notices, as required by rules specific to CUI, must be displayed.
<Define how these notices are displayed>
<List required privacy and security notices>
4.10
Following a period of inactivity, computers and displays must lock in order to
prevent access and viewing of data. Previously visible information must be
concealed during the lock.
4.11
Systems must automatically terminate a user session when any of the following conditions is met:
4.12
<State if Remote Access Sessions are permitted>
(If Permitted)
<The Company> permits remote access sessions on the condition they are
controlled and monitored.
4.13
(If Permitted)
The confidentiality of Remote Access Sessions must be protected by
cryptographic mechanisms.
4.14
(If Permitted)
Remote Access Sessions must be routed via managed access control points.
<List the access control points that route Remote Access Sessions>
4.15
(If Permitted)
Remote access to security information, and remote execution of privileged
commands must be authorized.
4.16
Wireless access to the system must be authorized before the connection is
made.
4.17
Wireless access to the system must be protected with encryption and
authentication.
4.18
Connections made by mobile devices are to be authorized, monitored, and
logged.
4.19
CUI on mobile devices and mobile computing platforms must be encrypted.
<List any mobile devices and mobile computing platforms that process, store,
or transmit CUI>
4.20
Connections to and use of external systems must be controlled and should be
limited.
4.21
The use of portable storage devices on external systems should be limited. Portable storage devices containing CUI that are used on external systems must be documented.
<List portable storage devices used on external systems that contain CUI>
<Define the limits on the use of organizational portable storage devices
containing CUI>
4.22
Any CUI posted or processed on publicly accessible systems must be adequately
controlled by:
6. Enforcement
Staff members found in policy violation may be subject to disciplinary action, up to and
including termination.
7. Distribution
This policy is to be distributed to all staff.