IT Baseline Protection Manual S 2.63 Establishing Access Rights

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Person-in-charge of the various IT applications, Administrator

If a system is operated by several users, the access rights must be administered in such a way that the users can only operate the IT system in accordance with their tasks.

This assumes that the access authorisations for the various functions have been stipulated by the persons-in-charge (cf. S 2.7 Granting of (system/network) access rights and S 2.8 Granting of (application/data) access permissions). The users of the IT system are then allocated to the various functions. The results should be documented in writing.

The Administrator must then configure the IT system in such a way that these users receive access to the IT system and are only able to conduct their tasks with the access authorisation allocated to them. If the IT system offers no possibility of assigning access rights (e.g. a DOS-PC with multiple users), a supplementary product will have to be used (cf. S 4.41 Use of a suitable PC security product).
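The following added example, which is not part of the manual, reconciles the written allocation of users to functions with the rights actually configured, modelled here as UNIX supplementary group memberships in `/etc/group` format. All function names, group names, users and helper names are constructed assumptions.

```python
# Constructed sample data: functions, rights (as group names) and users are assumptions.
# Written stipulation: function -> access rights.
FUNCTION_RIGHTS = {
    "payroll_clerk": {"payroll_rw", "hr_ro"},
    "hr_officer": {"hr_rw"},
    "auditor": {"payroll_ro", "hr_ro", "logs_ro"},
}
# Written allocation: user -> functions.
USER_FUNCTIONS = {
    "amueller": {"payroll_clerk"},
    "bschmidt": {"hr_officer", "auditor"},
    "cweber": {"auditor"},
}
# Configured state in /etc/group format (constructed).
ETC_GROUP = """\
payroll_rw:x:2001:amueller,cweber
payroll_ro:x:2002:bschmidt,cweber
hr_rw:x:2003:bschmidt
hr_ro:x:2004:amueller,bschmidt
logs_ro:x:2005:bschmidt
legacy_admin:x:2006:dkrause
"""

def parse_group_file(text):
    """Return {user: set(groups)} from /etc/group-style lines."""
    members = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed group line: {line!r}")
        for user in filter(None, fields[3].split(",")):
            members.setdefault(user.strip(), set()).add(fields[0])
    return members

def audit(function_rights, user_functions, actual):
    """Report rights held beyond, or missing from, the documented allocation."""
    findings = {}
    for user in sorted(set(user_functions) | set(actual)):
        expected = set().union(*(function_rights[fn] for fn in user_functions.get(user, ())))
        have = actual.get(user, set())
        excess, missing = have - expected, expected - have
        if excess or missing:
            findings[user] = {"excess": sorted(excess), "missing": sorted(missing)}
    return findings

if __name__ == "__main__":
    print(audit(FUNCTION_RIGHTS, USER_FUNCTIONS, parse_group_file(ETC_GROUP)))
```

Primary groups assigned through `/etc/passwd` are outside what this example reads.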

If the IT system permits, the report functions should be activated by the Administrator for the purpose of providing evidence. The events recorded may include successful and unsuccessful log-on / log-off processes, system errors, and attempts to access the system without authorisation.

In the event of substitution, the Administrator must check that the substitute has been authorised by the superior. Only then may the Administrator establish the access authorisations required for the substitution.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999