
S 2.7 Granting of (system/network) access privileges

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Head of IT Section

This type of access authorisation allows the person concerned to use IT systems, system components and networks. It must be laid down in detail for every person authorised to use such facilities, on the basis of his/her function and with due regard to the separation of functions (cf. S 2.5 Division of responsibilities and separation of functions). Access to a computer must be defined depending on the function, e.g. access to the operating system (system administrator) or access to an IT application (application user). Moreover, it must be ensured that staffing and task-related changes are promptly taken into account.

Where feasible in IT terms, access should only be possible after the identification (e.g. name, user ID or smart card) and the authentication (e.g. password) of the authorised person, and should be logged.

The issue and retrieval of access-granting means such as user IDs or smart cards must be documented. Also, provisions must be laid down as regards the handling of access-granting and authentication means (e.g. use of smart cards, handling of passwords, cf. S 2.11 Provisions governing the use of passwords).

Access authorisation should be temporarily blocked in case of long-term absence of the authorised person in order to prevent abuse.

It is necessary to make sporadic checks for compliance with the aforementioned requirements.
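The requirements above (function-based grants, documented issue and retrieval of access-granting means, temporary blocking during long-term absence, and sporadic compliance checks) can be kept in a small access register. The following is an added example, not part of the BSI manual; the incompatible function pairs, the 30-day absence threshold and all records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed: function pairs that the separation of functions forbids one person to hold.
INCOMPATIBLE = {frozenset({"system administrator", "auditor"})}
LONG_ABSENCE = timedelta(days=30)  # assumed threshold for "long-term absence"
@dataclass
class Grant:
    """One documented (system/network) access privilege, tied to the holder's function."""
    user_id: str
    system: str
    function: str                     # e.g. "system administrator", "application user"
    issued: date
    issued_by: str                    # who documented the issue of the user ID / smart card
    retrieved: Optional[date] = None  # documented retrieval of the access-granting means
    blocked_until: Optional[date] = None  # temporary block during long-term absence

    def active(self, today: date) -> bool:
        if self.retrieved is not None and self.retrieved <= today:
            return False
        return self.blocked_until is None or self.blocked_until < today

def block_for_absence(grant: Grant, absent_from: date, absent_to: date) -> bool:
    """Block the privilege for a long-term absence; returns True if a block was set."""
    if absent_to - absent_from < LONG_ABSENCE:
        return False
    grant.blocked_until = absent_to
    return True

def compliance_check(grants, accounts, absences, today):
    """Sporadic check. accounts = {(user_id, system)} enabled on the systems;
    absences = {user_id: (from, to)}. Returns (finding, user_id, system) tuples."""
    findings = []
    active = [g for g in grants if g.active(today)]
    documented = {(g.user_id, g.system) for g in active}
    for uid, sys_ in sorted(accounts - documented):  # enabled, but no active grant on record
        findings.append(("no active documented grant", uid, sys_))
    by_user: dict = {}
    for g in active:
        by_user.setdefault(g.user_id, set()).add(g.function)
    for uid, funcs in by_user.items():               # separation of functions
        if any(pair <= funcs for pair in INCOMPATIBLE):
            findings.append(("separation of functions violated", uid, "*"))
    for uid, (start, end) in absences.items():       # long absence, privilege not blocked
        if end - start >= LONG_ABSENCE and start <= today <= end:
            for g in active:
                if g.user_id == uid:
                    findings.append(("active during long-term absence", uid, g.system))
    return findings
```

A retrieved or blocked grant drops out of the documented set, so an account that is still enabled on the system after retrieval or during a block shows up in the first class of findings.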

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999