Security & Compliance
IS-09 Access Control Policy
Last updated: 24 October 2024 at 11:45:37 UTC by Russell Briggs
Access Control Policy
Document Ref No | IS-09 |
Version No | V1 |
Last review date | 16/10/2021 |
Approved by | Dom Tyler |
Next review | 16/10/2022 |
Contents
1. Purpose, scope and users
2. Access control
2.1. Introduction
2.2. Physical Access
2.3. Access to Network and Systems
2.4. Regular review of access rights
2.5. Change of status or termination of contract
3. Document management
4. Version history
1. Purpose, scope and users
The purpose of this document is to define rules for access to various systems, equipment, facilities and information, based on business and security requirements for access.
This document is applied to the entire Information Security Management System (ISMS) scope, i.e. to all systems, equipment, facilities and information used within the ISMS scope.
Users of this document are all employees of Recycly.
2. Access control
2.1. Introduction
The basic principle is that access to all systems, networks, services and information is forbidden by default, unless expressly permitted to individual users or groups of users.
This Policy specifies rules for access to systems, services and facilities, while the Information Classification Policy defines rules for access to data, documents and records.
2.2. Physical Access
Physical controls must be implemented to prevent unauthorised access to secure areas as detailed in the Physical Security Policy.
Access to physical areas in the organisation is permitted for:
● Staff who have been issued with the required fob/access card/door key
● Visitors who are monitored by a nominated member of staff for the duration of their visit.
2.3. Access to Network and Systems
Access to systems is allocated according to business requirements. Appropriate access is allocated by the IT/Development Department. A record of access must be maintained for all users.
Administrator access must be approved by Senior Management. All server administrators should be provided with an Administrator profile and a User profile; all administration tasks must be carried out using the Administrator profile.
2.4. Regular review of access rights
Owners of each system and owners of facilities for which special access rights are required must review annually whether the access rights granted are in line with business and security requirements.
User access reviews should be performed annually. Each review should be recorded including any changes to user access.
2.5. Change of status or termination of contract
Upon change of employment or termination of employment, the responsible persons who grant privileges for the employee in question must be informed.
Upon change of contractual relations with external parties who have access to systems, services and facilities, or upon expiration of the contract, the contract owner must immediately inform the responsible persons who approved privileges for the external parties in question.
The access rights for all the persons who have changed their employment status or contractual relationship must immediately be removed or changed by the responsible person.
3. Document management
This policy shall be available to all Recycly Employees and any Third Parties where required. The policy must be reviewed and, if necessary, updated at least once a year. Notice of significant revisions shall be provided to Recycly Employees via email.
4. Version history
Summary of Change | Date of Change | Author | Version No |
First Draft | 16/10/2021 | Dom Tyler | 1 |