- Security issues for particular data systems and information processing facilities, given business needs, anticipated threats and vulnerabilities;
- Security issues for particular types of data, given business needs, anticipated threats and vulnerabilities;
- Relevant legislative, regulatory and certificatory requirements;
- Relevant contractual obligations or service level agreements;
- Other organizational policies for information access, use and disclosure; and
- Consistency among such policies across systems and networks.
Access control policies generally should include:
- Clearly stated rules and rights based on user profiles;
- Consistent management of access rights across a distributed/networked environment;
- An appropriate mix of administrative, technical and physical access controls;
- Administrative segregation of access control roles -- e.g., access request, access authorization, access administration;
- Requirements for formal authorization of access requests; and
- Requirements for authorization and timely removal of access rights ("de-provisioning").
The following procedure guide would allow the Ken 7 Windows Limited IT department to easily manage its access control changes:
Policy
Ken 7 Windows Limited has chosen to adopt the Access Control principles established in the NIST SP 800-53 “Access Control” Control Family guidelines as the official policy for this domain. The following subsections outline the Access Control standards that constitute Ken 7 Windows Limited policy. Each Ken 7 Windows Limited Business System is then bound to this policy, and must develop or adhere to a program plan which demonstrates compliance with the policy related to the standards documented.
Access Control Procedures: All Ken 7 Windows Limited Business