You may think of access control in terms of physical security, but in our increasingly digital world, controlling access to our information assets is becoming more and more important. This article about access control policies will focus on digital assets, but the concepts and processes discussed will apply equally well to physical ones.
This article also assumes that you don’t currently hold an accreditation such as ISO 27001; if you did, you’d already have an Access Control Policy (and one or two more besides that!).
A quick word about policies
Before we start, let’s talk about policies. When you think about policies (if you ever do!), you might imagine immense wordy documents that are difficult to understand and even harder to follow. I’d like to destroy that idea!
The only value of any policy is in people actually doing what it says. For this to happen, the policy must be:
- Simple to understand
- Easy to remember, and
- Straightforward to implement
If any of these criteria aren’t met, the policy will remain as meaningless words in a document and not be worth the digital paper it is written on.
What is an Access Control Policy?
An Access Control Policy informs people on how access to your information and physical assets is controlled. It is not a list of who can see and do what (that would be your Access Control Register) but rather the measures and procedures you have in place to manage and control access.
Why have an Access Control Policy?
You might well ask: if we’re not required to, why should we bother to have an Access Control Policy? That’s a fair question! It can be time-consuming to create, and you need to train staff on how to use it, so what’s the benefit in having one?
Honestly, having a policy in place isn’t really going to do a great deal. Where the value comes from is in thinking about what assets you have and ensuring only the people who need them can access them. It also allows you to consider security best practices such as the “principle of least privilege” and train your staff on their use.
Essentially, the value comes from the act of writing and implementing the policy, rather than the policy itself.
How to write an Access Control Policy
Before you write an Access Control Policy, you need to consider the assets that you’re wanting to protect. If you don’t yet know what information assets you have, you’ll need to perform a quick audit. Check out the “What should I backup?” section of our recent blog post about business data backup for some tips.
Now that you know what you’re controlling access to, you need to consider a few headlines to include in your Access Control Policy:
Roles and responsibilities
Who owns which asset or class of asset, and what are they responsible for? For example, your IT Director or Chief Technical Officer (CTO) could be responsible for:
- Ensuring no one can access, modify, or use the organisation’s assets without authorisation or detection.
- Authorising and recording the use of any software that might be capable of overriding this sub-policy.
How to record and monitor access
This covers access by both employees and visitors and could include the following points:
- “Access to information assets must only be provided to individuals who need it to complete tasks specified in their Job Description or as instructed by a Director of the organisation.”
- “All visitors must sign in at reception. They must always be accompanied by a member of staff when in restricted or sensitive areas.”
- “All unsupervised access to information assets must be authorised by the person specified in, and recorded on, the access control register.”
How to request and change access levels
There will come times when a person’s level of access needs to change (for example, as their role changes or they are granted a higher level of seniority). In this vein, you may want to include a point along the lines of:
- “Requests for changes to an individual’s access level must be recorded in the Change Request log. All changes must be authorised by the asset owner.”
Adding information security elements
As myhrtoolkit are ISO 27001 accredited, our Access Control Policy is closely linked with our overarching Information Security Policy. If you don’t currently have a separate Information Security Policy, you may wish to add the following elements into your Access Control Policy:
- Password rules e.g. “Don’t create your own passwords. All passwords must be randomly generated by and stored in our password management software.”
- Clear Screen and Desk rules e.g. “All displays must have a timeout of 5 minutes or less. After each timeout, the user should be prompted to enter a password to access the system.”
- Mobile working rules e.g. “Remote access to our network must only be provided to authorised users and be set to timeout after 30 minutes of inactivity.”
Now that you have a policy, you need to make sure that it’s followed. This means you’ll need to fully train staff on how to use it and then monitor compliance at regular intervals.
But if your new policy isn’t being followed, it’s unlikely to be because your staff are simply doing something wrong. My experience is that people want to do the right thing, so if people aren’t using it, the policy and/or the training are to blame, not your staff. Consider the following:
- Is your policy too long or too wordy? Don’t use technical language if you don’t need to. Basically, try to avoid making it sound too much like a policy!
- Do all staff know where the policy is and when to use it? You may need to invest in more training.
With the right policy and correctly trained staff, you’ll be reaping the benefits of greater information security in no time at all!
Written by Kit Barker
Kit is myhrtoolkit's Chief Technology Officer and a company director, and leads the technical team in developing the system. On our blog he shares specialist knowledge and tips around data security and company culture.