IT Baseline Protection Manual S 2.6 Granting of site access authorisations

S 2.6 Granting of site access authorisations

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Head of Organisational Section; Head of Site/Bldg Technical Service

Prior to granting access rights to persons, the rooms in a building requiring protection must be defined, e.g. office, data media archive, server room, operating room, machine-room, document archive, computing centre. The protective requirements of a room must be determined on the basis of the IT equipment kept in the given room, and by the need for protection of the IT applications used and their set of information.

Subsequently, it must be defined which person needs what access permissions for the performance of the assigned function. This must be done in compliance with the previously defined separation of functions (S 2.5 Division of responsibilities and separation of functions). Granting of unnecessary access permissions must be avoided.

In order to minimise the number of persons authorised to have access to a room, the principle of separation of functions should also be observed in the use of IT facilities. For example, storing IT spare parts and data media separately prevents a maintenance engineer from gaining unauthorised access to data media.

Access rights granted and withdrawn must be documented. In the event that a site access permission is withdrawn, it must be ensured that the means of site access (e.g. key, badge) is also withdrawn. In addition, any conflicts that arose when granting access rights to persons must be documented. Possible reasons for conflicts are: a person performing functions which, in terms of access authorisations, are incompatible with the separation of functions; or conflicts that result from spatial requirements (e.g. several functions housed in the same room).

For the control of entry permissions, either persons (entrance control staff, lock-up service), or technical devices (badge reader, lock) may be used (cf. S 2.14 Key Management). Non-authorised persons (e.g. visitors) may be granted access to rooms requiring protection only in the presence of, or when accompanied by, authorised staff.

Regulations concerning the granting/withdrawal of site access authorisations for employees of outside contractors must also be established.
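The procedure above (derive room permissions from a person's functions, refuse and document grants that violate the separation of functions, and withdraw the means of access together with the permission) modelled as an added Python example; it is not part of the BSI manual, and the functions, rooms and incompatible function pairs are assumed sample data:

```python
from dataclasses import dataclass, field

# Constructed example data (assumed, not from the manual): which rooms each
# function needs, and which functions S 2.5 says one person must not combine.
ROOMS_BY_FUNCTION = {
    "administrator": {"server room", "office"},
    "maintenance engineer": {"server room", "spare parts store"},
    "data media custodian": {"data media archive", "office"},
    "clerk": {"office"},
}
INCOMPATIBLE_FUNCTIONS = [
    {"maintenance engineer", "data media custodian"},  # engineer must not reach data media
    {"administrator", "data media custodian"},
]


@dataclass
class AccessRegister:
    """Documents granted and withdrawn site access and the conflicts that arose."""
    permissions: dict = field(default_factory=dict)  # person -> set of rooms
    means: dict = field(default_factory=dict)        # person -> set of keys/badges
    log: list = field(default_factory=list)          # audit trail entries

    def grant(self, person, functions, means_of_access):
        """Grant exactly the rooms the functions need; refuse and document conflicts."""
        funcs = set(functions)
        conflicts = [c for c in INCOMPATIBLE_FUNCTIONS if c <= funcs]
        if conflicts:
            # Conflict with the separation of functions: no permission, but documented.
            self.log.append(("conflict", person, [sorted(c) for c in conflicts]))
            return False
        # Rooms are derived from the functions only, so no unnecessary permission is granted.
        rooms = set().union(*(ROOMS_BY_FUNCTION[f] for f in funcs))
        self.permissions[person] = rooms
        self.means[person] = set(means_of_access)
        self.log.append(("grant", person, sorted(rooms)))
        return True

    def withdraw(self, person):
        """Withdraw the permission and return the keys/badges that must be collected."""
        rooms = self.permissions.pop(person, set())
        collected = self.means.pop(person, set())
        self.log.append(("withdraw", person, sorted(rooms)))
        return collected


if __name__ == "__main__":
    reg = AccessRegister()
    reg.grant("Alice", ["administrator"], ["badge-17"])
    reg.grant("Bob", ["maintenance engineer", "data media custodian"], ["key-3"])
    print(reg.withdraw("Alice"), reg.log)
```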

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999