Information Security Assurance

13-305

Attainment: Level 3 (Previous 1)

Organisations should control access to Information Assets and systems by ensuring that system functionality is configured to support user access controls, and by further ensuring that formal procedures are in place to control the allocation of access rights to local information systems and services. These procedures should cover all stages in the life-cycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services. Special attention should be given to managing privileged access rights which allow support staff to override system controls.

Level 1.

There are documented requirements for access controls for all key information assets identified in the organisation's asset register. Access rights for specific individuals/groups have been agreed and documented in relation to these information assets.

a.

Responsibility for defining and documenting requirements for both system and user access controls has been assigned to appropriate staff/senior management.

Job description

b.

Operational, managerial and technical security access controls have been defined, documented and approved for each key information asset identified in the organisation's asset register. Access rights for groups of staff and for individual current users of information assets have been defined, documented and approved.

OPAL System Level Security Policies

Level 2.

There are appropriate user access management procedures (including user registration, update and de-registration processes), technical functionality and management controls for all key information assets identified in the organisation's asset register.

a.

IAOs or equivalent have ensured that there are approved access controls in place for each key information asset under their control.

OPAL System Level Security Policies

b.

Access to information assets is only possible for individuals who have been duly authorised.

OPAL System Level Security Policies

Level 3.

Regular reviews are carried out to audit and assure the access control and management processes. Prompt action is taken to update, replace, disable or remove profiles and individual accounts when access is no longer appropriate. Regular assurance reports are provided to the SIRO (or the individual with equivalent responsibilities).

a.

Documented reviews and audits are carried out to assure the effectiveness of security access control and management processes.

Latest Information Governance Review meeting

b.

Access requirements are routinely reviewed to ensure that user access privileges remain appropriate, and where access is no longer required, it is disabled or revoked.

Latest Information Governance Review meeting

c. (Not relevant for OHC at this stage)