Access Control Policy
| Document Information | |
|---|---|
| Version | {{version}} |
| Effective Date | {{effective_date}} |
| Document Owner | {{document_owner}} |
| Next Review | {{next_review_date}} |
| Approved By | {{approved_by}} |
Purpose
The purpose of this policy is to establish guidelines for ensuring the secure operation of the information systems and networks of {{company_name}}, hereafter referred to as "the company", protecting the confidentiality, integrity, and availability of our data.
The Access Control Policy establishes guidelines for managing access to the company's hardware and software assets, protecting the confidentiality, integrity, and availability of our data.
The intent of this policy is to establish the direction and principles for the protection of the {{company_name}}'s IT assets against cyber threats, and to enable continuous improvement of security capability and resilience to emerging and evolving security threats.
Scope
This policy applies to all employees, interns, contractors, and third parties who have access to the company's information systems and networks.
User Access {{management_team}}
The company is committed to ensuring only authorised users are granted access to the IT systems. Unauthorised access could enable a malicious or accidental security breach.
Breach of access could lead to unwanted release or manipulation (Integrity) of sensitive information potentially resulting in productivity, reputational or financial loss.
All user access related requests (e.g. adding new users, updating access privileges, and revoking user access rights) must be logged, assessed, and approved in accordance with the defined Access Control Policy. Access to systems and applications should be controlled and documented in a register.
Users should only be granted access rights that are necessary for their job functions. User access rights are reviewed {{user_access_review_frequency}} and updated as necessary and are revoked immediately upon termination of employment or contract.
Users are responsible for keeping their access credentials secure and for reporting any suspected breaches of access control to {{it_provider}}. Users must not share their access credentials with others.
Access to systems and applications is controlled through secure log-on procedures. Users are authenticated using a unique identifier (user ID) and passphrase. Passphrases must meet the complexity requirements -- see Passphrase Standards & Controls below. Unattended user equipment must be secured to prevent unauthorized access.
System and Application Access Control
The purpose of system and application access control is to ensure that only authorized individuals have access to our systems and applications. This helps protect the confidentiality, integrity, and availability of our data and systems.
- Secure Log-On Procedures: All systems and applications must have secure log-on procedures. This includes, but is not limited to, requiring a unique user ID and passphrase, implementing an account lockout policy after {{lockout_threshold}} failed login attempts, and automatically logging out users after {{session_timeout}} minutes of inactivity.
- User Authentication: Users must be authenticated using a unique identifier (user ID) and passphrase. Multi-Factor Authentication (MFA) should be associated with all user IDs and passphrases where possible.
- Access Privileges: Access to systems and applications should be based on the principle of least privilege. Users should only be granted the access privileges that are necessary for their job functions.
- User Access {{management_team}}: The process for granting, modifying, and revoking access to systems and applications should be controlled and documented in a register. This includes performing {{user_access_review_frequency}} reviews of user access rights.
- System and Application Monitoring: Systems and applications should be monitored for unauthorized access attempts and unusual activity. Any suspicious activity should be investigated and addressed promptly.
The {{it_provider}} is responsible for implementing and maintaining system and application access controls. All users are responsible for complying with the access control procedures and for reporting any suspected unauthorized access attempts or unusual system or application activity.
IT Asset and Software Register
The purpose of maintaining an IT Asset and a Software Register is to have a comprehensive and up-to-date inventory of all hardware and software assets in the organization. This aids in managing and protecting these assets, managing access control, ensuring license compliance, and supporting strategic planning and decision-making.
The register covers all hardware and software assets owned, leased, or otherwise used by the organisation, including but not limited to servers, desktop computers, laptops, mobile devices, network equipment, operating systems, application software, and cloud services.
- Asset Identification: Each hardware and software asset should be uniquely identifiable. Hardware assets should be identified by a unique serial number or asset tag. Software assets should be identified by the software name, version, and license key if applicable.
- Asset Information: For each asset, the register should record relevant information such as the asset's location, user, purchase date, and disposal date for hardware assets; and the license type, license expiry date (if any), and number of installations for software assets.
- Asset Classification: Assets should be classified based on their importance to the organization and their sensitivity. This classification should inform the level of protection required for each asset.
- Asset Ownership: Each asset should have a designated owner who is responsible for the asset's maintenance and protection.
- Asset Lifecycle {{management_team}}: The register should track each asset throughout its lifecycle, from acquisition to disposal. Changes to assets, such as upgrades, repairs, or decommissioning, should be recorded in the register.
The {{it_provider}} is responsible for maintaining the IT Asset and Software Register. Managers are responsible for ensuring that their staff comply with this policy and report any changes to their hardware and software assets.
Passphrase Standards & Controls
All systems and devices connected to our networks must have passphrase and where possible multi-factor authentication (MFA) access controls. This includes, but is not limited to, desktop computers, laptops, servers, mobile devices, and network equipment.
The purpose of passphrase management and access controls is to prevent unauthorized access to our systems and data. This includes all computers permanently or intermittently connected to any aspect of the fixed or wireless networks, including Bring Your Own (BYO) and mobile devices.
The following passphrase standards are required across all systems, software, and networks:
- Each login ID must be unique to one user; passphrases may not be shared or revealed to anyone else.
- All vendor-supplied and default passphrases must be immediately changed upon receipt.
- In alignment with the ACSC's recommendations, the use of passphrases is advocated over conventional passwords. A passphrase is a sequence of words or a memorable sentence which can often be longer and more secure than regular passwords. Ensure the passphrase is easily memorable to the user but challenging for others to deduce. For situations where passphrases aren't feasible, passwords should be robust and comprise a blend of uppercase, lowercase, numbers, and special characters. Refrain from using easily guessable elements such as personal names or other identifiable information. All passphrases or passwords must be at least {{password_min_length}} characters in length.
- Multi-Factor Authentication (MFA) should be associated with all passphrases where possible. The order of preference for MFA methods is as follows:
    - Hardware Key/Token (e.g., FIDO2 compatible devices)
    - Push notifications through an MFA application (MS Authenticator, Duo)
    - Time-Based One-Time Password (TOTP) applications
    - SMS-based verification (least preferred due to potential security vulnerabilities)
- Passphrases must not be written down, emailed, or left in a place where unauthorized persons might discover them.
All passphrases must be immediately changed if they are suspected of being disclosed or known to have been disclosed to anyone. In the event of a security compromise, or if there is a sufficient reason to believe that a security compromise has occurred, {{it_provider}} / Chief Technology Officer should immediately reassign all relevant passphrases and broadcast a message to all staff and contractors requiring a change to their passphrases.
The {{it_provider}} is responsible for implementing and maintaining passphrase access controls. The Chief Technology Officer is responsible for managing passphrase changes in the event of a security compromise. All users are responsible for complying with the passphrase standards and for reporting any suspected passphrase disclosures.
Departing Employees
Below are the procedures and responsibilities for ensuring the secure and proper handling of information and access control when an employee leaves the organization. The objective is to protect the organization's assets, data, and intellectual property by revoking access and collecting company property from departing employees.
- Compliance will notify {{it_provider}} and the {{managing_authority}} as soon as the employee's departure is confirmed.
- Compliance will ensure the departing employee returns all company-owned property, including ID badges, keys, and electronic devices, as well as confirm that the {{it_provider}} and the departing employee have met their obligations below.
- The {{it_provider}} will:
    - Revoke all access to company systems, including email accounts, databases, and internal networks and systems, on the employee's last working day or as directed by the {{managing_authority}} or Compliance.
    - Archive the employee's work-related data and email for a period defined by the organization's data retention policy.
    - Wipe all company-owned devices used by the departing employee.
- The departing employee will:
    - Return all company property, including electronic devices, keys, and ID badges.
    - Provide any necessary passphrases for work-related accounts to Compliance or {{it_provider}}.
    - Cooperate fully with the company during the exit process.
Staff Responsibilities
Staff (including interns and contractors) are expected to uphold the expected standards of professional conduct and comply with this policy in its entirety.
All staff must read, understand, and comply with all components of this policy, and all laws, and regulations that apply to their role.
- Staff should speak up when seeing possible violations of the policies, and legal and regulatory requirements.
- Be truthful, and cooperate fully in any internal investigations, and not conceal or destroy information.
- Staff should ensure they complete training on the policies, and attest that they understand and commit to comply with them.
- Failing to read or attest to the policies does not excuse staff from these responsibilities.
Review
This policy will be reviewed {{default_policy_review}} or as needed based on changes to our business, technology, or regulatory environment.
Enforcement & Waivers
These policies are important to us. Violation may result in disciplinary action, up to and including termination of employment. A provision of the policies may be waived for a staff member only with the consent of the {{company_name}}'s {{managing_authority}}.
Essential Eight Alignment
This policy supports:
- Restricting Administrative Privileges - Core focus of this policy
- Multi-factor Authentication - Required for privileged accounts
- Application Control - Through user access restrictions
Target Maturity: {{e8_target_maturity}}
Implementation Check
- Who owns this? {{policy_owner}}
- Are we doing it? {{implementation_status}}
- When will we check again? {{next_review_date}}