IT Baseline Protection Manual S 2.220 Guidelines for access control

S 2.220 Guidelines for access control

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators, technical managers

In order to use IT systems, system components and networks, and to retrieve the information stored on them, access must be controlled. As well as the access controls that have to be set up on the individual IT components, there should be organisation-wide guidelines on the basic issues. The access control procedures must reflect the protection requirements of the agency/company. In particular it is important to remember that pertinent legislation, regulations and procedures (e.g. data protection and copyright legislation and licence provisions) must be adhered to.

It is recommended that standard rights profiles are established for persons entitled to use IT systems etc. by virtue of their functions and tasks (see S 2.8 Granting of access rights). User rights for access to files and programs must be defined as a function of the role involved, need-to-know and the sensitivity of the data. Any granting of non-standard rights must be justified.

The guidelines covering access control should be issued to all those with responsibility for IT applications. These can then be used to derive and set up access rules for particular IT systems.

For every individual IT system and every IT application there should be written access rules, and the users that have been configured and the rights they have been assigned should be documented (see S 2.30 Provisions governing the designation of users and of user groups). The system- and application-specific peculiarities and security requirements must be considered here. Those with responsibility for IT assets are responsible for creating and updating the system- and/or application-specific requirements.

If any particularly extensive rights are granted to employees (e.g. to Administrators), this should be as restrictive as possible. On the one hand the population of privileged users should be kept as small as possible while on the other hand only rights that are actually necessary for a person to perform his assigned tasks should be issued (see also S 2.38 Division of administrator roles in PC networks). For all tasks which can be carried out without extended rights, even privileged users should work under accounts with standard rights.

Access to all IT systems or services must be protected through identification and authentication of the user or IT system seeking access. Strong authentication procedures, for example the use of one-time passwords or the possession of smart cards, should be used to control access from external networks.

No information about the IT system or the progress of the logon procedure should be displayed until logon has been successfully completed. A notice should be displayed stating that access is permitted only to authorised users. The authentication data must be checked only after it has been entered in full. Further requirements relating to the authentication mechanisms will be found in S 4.133 Appropriate choice of authentication mechanisms.
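As an added illustration of these logon requirements (example code, not part of the BSI text), the following Python routine shows only a generic authorised-users notice before logon, checks the username and password together once both have been supplied, and returns a single failure message whatever the cause; the user store, the fixed salt and the message texts are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample user store: username -> (salt, PBKDF2-SHA256 hash).
# In a real system the configured users and their rights would be the
# documented ones required by this safeguard, not an in-memory dict.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = bytes.fromhex("00" * 16)  # fixed salt so the example is deterministic
USERS = {
    "alice": (_SALT, _hash_password("correct horse battery staple", _SALT)),
}
# Dummy record that is verified when the username is unknown, so the
# same amount of work is done whether or not the user exists.
_DUMMY = (_SALT, _hash_password("dummy-placeholder", _SALT))

PRE_LOGON_NOTICE = "Access to this system is permitted to authorised users only."
LOGON_FAILED = "Logon failed."  # one message for every failure cause


def pre_logon_notice() -> str:
    """Text shown before authentication: no system name, version or user hints."""
    return PRE_LOGON_NOTICE


def authenticate(username: str, password: str) -> tuple[bool, str]:
    """Check the complete credential pair and report only success or failure.

    The password is always verified, even for an unknown username, and the
    two checks are combined without short-circuiting, so neither the reply
    text nor the work performed reveals which part of the logon was wrong.
    """
    known = username in USERS
    salt, stored = USERS.get(username, _DUMMY)
    candidate = _hash_password(password, salt)
    ok = hmac.compare_digest(candidate, stored) & known
    if ok:
        return True, f"Logon successful. Welcome, {username}."
    return False, LOGON_FAILED
```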

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
last update:
July 2001