Access Control Policy

OperationsFeb 27, 202312 months

Covered in this policy

Responsibility

Compliance with this policy is considered mandatory.

Violations of the policies, standards and procedures will result in corrective action by management.

The purpose of this policy is to establish security requirements in order to ensure controlled access to the information resources of Etch.

This policy applies to all users of information assets including Etch employees, employees of temporary employment agencies, vendors, business partners, and contractor personnel and functional units regardless of geographic locations.

This Policy covers all Information Systems environments operated by Etch or contracted with a third party by Etch. The term “IS environment” defines the total environment and includes, but is not limited to all documentation, physical and logical controls, personnel, hardware, software, and information.

Although this Policy explicitly covers the responsibilities of users, it does not cover the matter exclusively. Other Etch Information Security policies, standards, and procedures define additional responsibilities. All users are required to read, understand and comply with other Information Security policies, standards, and procedures.

If any user does not fully understand anything in these documents, they should consult with the persons listed under Responsibility.

The aforementioned persons shall resolve any conflicts arising from this policy.

  • Access to information must be specifically authorized in accordance with Etch’s Access Control Policy. Access to information will be controlled on the basis of business and security requirements, and access control rules defined for each information system.
  • All employees must only be allowed to access critical business information assets and processes if required for performing the duties of their role.
  • Individuals being involuntarily terminated are subject to the Employee Exit Policy.

User Registration

  • All users of information resources must have a unique User ID and authorisation from the system owner or management in order to access Etch’s information assets.
  • User accounts of personnel quitting Etch must be removed immediately after their termination from the job.

Privilege Management

  • All privileges must be allocated as and when required on a need-to-know basis.

User Password Management

  • All users must follow Etch’s Password policy regarding their password usage and management.
  • Initial temporary passwords must be conveyed in a secure manner, using onetimesecret.
  • All users must change their temporary password on the first login. In the case of forgotten passwords, temporary passwords should be issued only after positive identification of the user.
  • All passwords or keys relevant to the System Administrator who has resigned or terminated must be changed.
  • Users should only store passwords in their 1Password vaults.

Password use

  • All users must abide by the Password Guidelines, as set out in the Information Security Policy.

Unattended user equipment

  • All users must enable password-protected screen savers on user desktops, portable computers/laptops, and servers.
  • The user should set the timer to enable the screen saver after not more than 15 minutes of inactivity.
  • Each user must terminate active sessions when activities are finished.

Clear Desk and Clear Screen Policy

The clear desk and clear screen policy are used to reduce the risks of unauthorised access, loss of, or damage to, information.

The following are the policy standards:

  • Users must log off their computers when their workspace is unattended.
  • Users must shut down their computers at the end of the workday. Laptop computers, computer terminals and printers should be switched off when not in use and should be protected by locks, passwords and the like.
  • All confidential information must be removed from the desk and locked in a drawer or file cabinet when the workstation is unattended and at the end of the workday.
  • File cabinets containing confidential information must be locked when not in use or when not attended to.
  • Passwords must not be posted on or under a computer or in any other accessible location.

Mobile computing and remote access

  • Mobile computing facilities must have boot passwords.

Shared Folders

  • Access to shared folders must be authorised for specific persons only.
  • Shared Folders must be used for work purposes only.

In this policy, the following terms are defined as follows:

Us/We/Etch
Etch Software Limited

Although this Policy explicitly covers the responsibilities of staff, it does not cover the matter exclusively. Other Etch policies, standards, and procedures define additional responsibilities. All users are required to read, understand and comply with other policies, standards, and procedures. If any staff member does not fully understand anything in these documents, they should consult with the persons listed under responsibilities. The aforementioned persons shall resolve any conflicts arising from this policy.

Thanks for reading this policy

Please feel free to use it as a template for your own document.

This policy is licensed under CC BY 4.0

Policies

We have shared our other policy docs publicly too.
Read more

Feedback

If you have any questions or feedback please contact us.
[email protected]

Etch is a web software consultancy based in the UK©2012-2024 Etch Software Ltd - Policies