CISA Made Easy

                                           - easy CISA preparation

Monday, August 4, 2008

Designing a secure access control policy

The access control policy of an organization should ensure:

i. Availability of resources on a need-to-do and need-to-know basis.

ii. Authentication of process

iii. Authorization of process

iv. Integrity of process and information

v. Confidentiality of information


To achieve all or some of the above, a number of factors have to be considered. Some of the factors that must be considered before devising access control policies are:

  1. Nature of Business

The nature of the business is the primary driver of the access control system. For a financial firm, access to customer data will be the key criterion, whereas for a marketing firm, third-party data collection and storage will be the key criterion.

  2. Asset / Process Sensitivity & Criticality

Sensitive information or assets need more protection than relatively less sensitive information or assets. The policy should document the assets according to their sensitivity and criticality. This classification can be done in many ways depending upon the type of assets or information, for example: critical, sensitive, major, minor, public, confidential, etc. Asset classification is the most important step and is generally done at the beginning of access policy development. It can be carried out on the basis of risk analysis and Business Impact Analysis.

Note: information itself is an asset.

  3. Ownership and Usage of Assets

Asset access is largely granted on a need-to-know and need-to-do basis.

  4. Segregation of Duties

Segregation of duties plays an important role in designing the access control policy. For example, a database administrator cannot also be a programmer, so a programmer should not be given any access to live data.

  5. Degree of Outsourcing

A clear third-party access control policy should be prepared by management before outsourcing any job.

Essential components of a good access control policy:

A good access control system should have one or more of the following components:

  1. Access control matrices
  2. Password/PIN/user ID rules
  3. Shared user ID rules (if any) and their justification
  4. Biometric access rules
  5. Asset classification
  6. Privileges, roles and profile descriptions
  7. Authentication and authorization rules
  8. Operating system and database access rules
  9. Source code and executables access rules
  10. Network access rules
  11. Change management procedures
  12. Third-party access procedures
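As an added example (not part of the original post), the following Python script ties several of the components above together: an access control matrix, an asset classification, a default-deny need-to-know check, and a segregation-of-duties audit that flags the DBA/programmer conflict and any programmer access to live data. All roles, assets, users and permissions are constructed sample data.

```python
from copy import deepcopy

# Constructed access control matrix: role -> asset -> permissions granted.
MATRIX = {
    "dba":        {"customer_db": {"read", "write", "admin"}},
    "programmer": {"source_repo": {"read", "write"}, "test_db": {"read", "write"}},
    "auditor":    {"customer_db": {"read"}, "source_repo": {"read"}},
}

# Constructed asset classification, as produced by the risk analysis / BIA step.
ASSET_CLASS = {"customer_db": "live", "test_db": "test", "source_repo": "source"}

# Segregation-of-duties rules: role pairs one person may never hold together,
# and asset classes a role must never be granted access to.
SOD_ROLE_CONFLICTS = [frozenset({"dba", "programmer"})]
SOD_CLASS_DENY = {"programmer": {"live"}}


def is_permitted(matrix, user_roles, asset, perm):
    """Need-to-know check: deny by default, permit only if a held role grants perm on asset."""
    return any(perm in matrix.get(role, {}).get(asset, set()) for role in user_roles)


def sod_violations(matrix, users):
    """Audit users (name -> set of roles) against the SoD rules; returns (user, reason) pairs."""
    findings = []
    for user, roles in users.items():
        for pair in SOD_ROLE_CONFLICTS:
            if pair <= roles:
                findings.append((user, "holds conflicting roles " + "+".join(sorted(pair))))
        for role in sorted(roles):
            for asset, perms in matrix.get(role, {}).items():
                if perms and ASSET_CLASS.get(asset) in SOD_CLASS_DENY.get(role, set()):
                    findings.append((user, f"{role} has access to {ASSET_CLASS[asset]} asset {asset}"))
    return findings


# Constructed user population; carol wrongly holds both conflicting roles.
USERS = {"alice": {"dba"}, "bob": {"programmer"}, "carol": {"dba", "programmer"}, "dave": {"auditor"}}

# Constructed configuration drift: programmers are granted read on the live database.
DRIFTED_MATRIX = deepcopy(MATRIX)
DRIFTED_MATRIX["programmer"]["customer_db"] = {"read"}

if __name__ == "__main__":
    for finding in sod_violations(DRIFTED_MATRIX, USERS):
        print("SoD violation:", *finding)
```

Running the audit against the drifted matrix reports bob and carol; the same check run over the original matrix reports only carol's role conflict.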
