Access to applications and data (files, databases) that have been classified as vital or important is reserved to authorised persons and is forbidden to all other persons, whether internal or external to the organisation.
The right to access each of these resources is granted by the data manager, as defined in Section 2 “Attribution of responsibilities”. The data manager also sets out the type of access to the information: read-only, editing or deletion rights. This is the only person who can grant, modify or withdraw access rights to this data. Access rights are created on a technical level by the IT manager.
Before creating a personal account for a user, the IT manager ensures that the data manager has given their approval for access to the different user groups, drives, directories and applications. S/he also takes this opportunity to review the group members and their rights.
Connection to external networks and, in particular, the Internet must take place under the appropriate conditions. Here are a few possible scenarios:
Connections from external networks to the organisation’s systems must be restricted to what is strictly necessary. In such cases, the connection is preferably made via a VPN.
In the case of more complex networks with different security zones, a firewall is used to separate these different networks.
The firewall is configured so that only the authorised flows and users can pass through. If a device is too sensitive, it is to be physically and/or logically separated from the rest of the systems.
The home screens of the various systems are configured in such a way as to: