S 2.31 Documentation on Authorised Users and on Rights Profiles

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator

Such documentation serves to provide an overview of the authorised users, user groups and rights profiles and is required for effective monitoring.

The following three means of providing documentation should all be used:

• generic administration files provided by the system,

• individual files administered by the responsible Administrator,

• hard copies.

In particular, the following should be documented:

• authorised users together with the following details: assigned rights profile (plus any deviations from the standard rights profile used), reasons for selecting that particular rights profile (plus any deviations, if applicable), user contact details, date and reason for configuring this user, and any time limits;

• authorised groups, together with details of the relevant users, date and reason for configuration, plus any time limits.

The documentation regarding the authorised users and rights profiles should be checked at regular intervals (at least every six months) to see whether it reflects the actual situation regarding the granting of rights and whether the assignment of rights still matches the security requirements and the current tasks of the users.

Additional controls:

• Are there records of the authorised users and groups and their authorisation profiles?

• Are the records up to date?

• When were the records last checked?

• Are the records adequately protected against unauthorised access?