Security policy – Access Control
Access Control Policy
Access to applications and data (files, databases) that have been classified as vital or important is reserved to authorised persons and is forbidden to all other persons, whether internal or external to the organisation.
The right to access each of these resources is granted by the data manager, as defined in Section 2 “Attribution of responsibilities”. It also sets out the type of access to the information: read-only, editing or deletion rights. This is the only person who can grant, modify or withdraw access rights to this data. Access rights are created on a technical level by the IT manager.
Applying Security Measures To:
- file servers
- email servers
- fixed network
- internal Wi-Fi network
- customer Wi-Fi network
- computers connected to the Internet
- laptop computers
Directly Associated Organisational Measures:
- Classification and monitoring of resources
- Physical and environmental security
- Operational and communications aspects
- Access control
- Compliance
Technical Measures:
Access Rights Management
Before creating a personal account for a user, the IT manager ensures that the data manager has given their approval for access to the different user groups, drives, directories and applications. S/he also takes this opportunity to review the group members and their rights.
Applying Security Measures To:
- file servers
- email servers
- fixed network
- internal Wi-Fi network
- customer Wi-Fi network
- computers connected to the Internet
- laptop computers
Directly Associated Organisational Measures:
Technical Measures:
Password Management
Applying Security Measures To:
- file servers
- email servers
- fixed network
- internal Wi-Fi network
- customer Wi-Fi network
- computers connected to the Internet
- laptop computers
Directly Associated Organisational Measures:
Technical Measures:
Use of External Networks
Connection to external networks and, in particular, the Internet must take place under the appropriate conditions. Here are a few possible scenarios:
Applying Security Measures For:
- file servers
- email servers
- fixed network
- internal Wi-Fi network
- customer Wi-Fi network
- computers connected to the Internet
- laptop computers
Directly Associated Organisational Measures:
Directly Associated Organisational Measures:
- Human factors
- Operational and communications aspects
- Access control
- Development and maintenance of systems
- Management of security incidents
Technical Measures:
External Connections
Connections from external networks to the organisation’s systems must be restricted to a need-only basis. On such occasions, this connection is preferably made via a VPN connection.
Applying Security Measures To:
Directly Associated Organisational Measures:
- Organisation of Security
- Human factors
- Operational and communications aspects
- Access control
- Development and maintenance of systems
- Management of security incidents
- Compliance
Technical Measures:
Separation of Networks
In case of more complex networks with different security zones, a firewall is used to separate these different networks.
The firewall is configured so that only the authorised flows and users can pass through. If a device is too sensitive, it is to physically and/or logically separated from the rest of the systems.
Applying Security Measures To:
- file servers
- email servers
- fixed network
- internal Wi-Fi network
- customer Wi-Fi network
- computers connected to the Internet
- laptop computers
Connection Procedures
The home screens of the various systems are configured in such a way to:
- give the least amount of information possible, and preferably nothing about the system, application or organisation until the user has been correctly identified;
- display a message such as “Access forbidden to unauthorised persons”;
- limit the number of attempts to three before locking out the user;
- display, if possible, the date and time of the last login, as well as any login attempts. The user should verify this information to make sure that there have been no suspicious logins without them knowing.
