CASES.LU

Knowhow

Security policy – Access control

Access control policy

Access to applications and data (files, databases) that have been classified as vital or important is reserved to authorised persons and is forbidden to all other persons, whether internal or external to the “organisation”.

The right to access each of these resources is granted by the data manager, as defined in Section 2 “Attribution of responsibilities”. It also sets out the type of access to the information: read-only, editing or deletion rights.

This is the only person who can grant, modify or withdraw access rights to this data.

Access rights are created on a technical level by the IT manager.

Applying security measures to:

Directly associated organisational measures:

Technical measures:

Access rights management

Before creating a personal account for a user, the IT manager ensures that the data manager has given their approval for access to the different user groups, drives, directories and applications. S/he also takes this opportunity to review the group members and their rights.

Applying security measures to:

Directly associated organisational measures:

Technical measures:

Password management

Applying security measures to:

Directly associated organisational measures:

Technical measures:

Use of external networks

Connection to external networks and, in particular, the Internet must take place under the appropriate conditions.

Here are a few possible scenarios:

Applying security measures for:

Directly associated organisational measures:

Directly associated organisational measures:

Technical measures:

External connections

Connections from external networks to the “organisation’s” systems must be restricted to a need-only basis. On such occasions, this connection is preferably made via VPN.

Applying security measures to:

Directly associated organisational measures:

Technical measures:

Separation of networks

In the case of more complex networks with different security zones, a firewall is used to separate these different networks.

The firewall is configured so that only the authorised flows and users can pass through.

If a device is too sensitive, it is physically and/or logically separated from the rest of the systems.

See also network segmentation

Applying security measures to:

Connection procedures

The home screens of the various systems are configured in such a way as to:

  • give the least amount of information possible, and preferably nothing about the system, application or “organisation” until the user has been correctly identified;
  • display a message such as “Access forbidden to unauthorised persons”;
  • limit the number of attempts to 3 before locking out the user;
  • display, if possible, the date and time of the last login, as well as any login attempts. The user should verify this information to make sure that there have been no suspicious logins without them knowing.
Table of Contents