Topic-specific policy 1/11: access control

Clause 5.1 of the forthcoming new 2022 edition of ISO/IEC 27002 recommends having a topic-specific information security policy on "access control".

OK, fine, so what would that actually look like, in practice?

Before reading on, think about that for a moment.

Imagine if you were tasked to draft an access control policy, what would it cover?

What form would it take?

How would you even start?

<Pause for dramatic effect>

How about something along these lines, for starters:


What is access control intended to achieve? In about half a page, the template's background section explains the rationale for controlling access to assets (meaning valuable things such as information in various forms, including but more than just digital data).

The policy goes on to state that, whereas access to information should be restricted where necessary, access by workers should be permitted by default unless there are legitimate reasons to restrict it. In other words, it takes a liberal approach that releases information for use unless it needs to be restricted for some reason ... which in turn raises the questions: what are those legitimate reasons? Who decides, and on what basis?

The alternative approach is to restrict access to assets by default unless there are sound reasons to permit access, which raises the same questions.

The template policy takes both approaches, in the form of these complementary 'policy axioms':

Policy axioms (guiding principles)

A. Access to corporate information assets by workers should be permitted by default unless there is a legitimate need to restrict it.

B. Access to corporate information assets by third-parties should be restricted by default unless there is a legitimate need to permit it.


The idea is that, generally speaking, "workers" (defined elsewhere to include employees on the organisation's payroll - staff and managers - plus third-party employees and others such as interns, temps and consultants working for and on behalf of the organisation, under its control) should have ready access to the information needed to do their jobs, whereas third parties (i.e. people who are not classed as workers, such as the general public, competitors and hackers) should be denied access. Either way, the axioms allow for legitimate exceptions, such as restricting access to personal information and trade secrets on a need-to-know basis, and conversely granting third-party access to personal and other information where legally required (e.g. subject access requests) or for other reasons (such as auditing).

The remainder of the policy briefly states the key controls required to implement those axioms, and the responsibilities associated with this policy (including its ownership, compliance and assurance).

'Briefly' is worth emphasising. The entire generic policy template takes just 2½ pages, admittedly comprising a carefully-crafted form of words based on decades of professional experience in both information security and formal documentation. We want people to read and understand it, increasing the chances that they accept it and do what it says, complying with it.

If this summary intrigues you, the template is yours to download and customise as an MS Word document for just $20 through the SecAware website.
You may also be interested in other topic-specific policies on related controls, for example:
  • User identification and authentication is necessary to prevent access being granted to the wrong people, or withheld inappropriately from the right ones.
  • IT systems privileges that are needed to override access controls for legitimate administrative purposes (such as backups) should only be granted to competent, trustworthy workers.
  • And others. One of the key challenges of writing policies in any field as complex as information risk and security is to ensure that all the essentials are covered with as few gaps, overlaps and especially conflicts as possible. I'll have more to say about that towards the end of this blog series.

Tune in to the next blog piece tomorrow for a discussion about the second of eleven examples of topic-specific policies suggested by '27002.