IS-09 Access Control Policy

Last updated: 24 October 2024 at 11:45:37 UTC by Russell Briggs

Access Control Policy

Document Ref No: IS-09
Version No: V1
Last review date: 16/10/2021
Approved by: Dom Tyler
Next review: 16/10/2022

Contents

1. Purpose, scope and users
2. Access control
2.1. Introduction
2.2. Physical Access
2.3. Access to Network and Systems
2.4. Regular review of access rights
2.5. Change of status or termination of contract
3. Document management
4. Version history

1.    Purpose, scope and users

The purpose of this document is to define rules for access to various systems, equipment, facilities and information, based on business and security requirements for access.

This document is applied to the entire Information Security Management System (ISMS) scope, i.e. to all systems, equipment, facilities and information used within the ISMS scope.

Users of this document are all employees of Recycly.

2.    Access control

2.1.         Introduction

The basic principle is that access to all systems, networks, services and information is forbidden by default, unless expressly permitted to individual users or groups of users. 

This Policy specifies rules for access to systems, services and facilities, while the Information Classification Policy defines rules for access to data, documents and records.

2.2.         Physical Access

Physical controls must be implemented to prevent unauthorised access to secure areas as detailed in the Physical Security Policy.

Access to physical areas in the organisation is permitted for:

- Staff who have been issued with the required fob/access card/door key
- Visitors who are monitored by a nominated member of staff for the duration of their visit.

2.3.         Access to Network and Systems

Access to systems is allocated according to business requirements. Appropriate access is allocated by the IT/Development Department. A record of access must be maintained for all users.

Administrator access must be approved by Senior Management. All server administrators should be provided with an Administrator and a User profile; all administration tasks must be carried out using the Administrator profile.

2.4.         Regular review of access rights

Owners of each system and owners of facilities for which special access rights are required must review annually whether the access rights granted are in line with business and security requirements.

User access reviews should be performed annually. Each review should be recorded including any changes to user access.

2.5.         Change of status or termination of contract

Upon change of employment or termination of employment, the responsible persons who grant privileges for the employee in question must be informed.

Upon change of contractual relations with external parties who have access to systems, services and facilities, or upon expiration of the contract, the contract owner must immediately inform the responsible persons who approved privileges for the external parties in question.

The access rights of all persons whose employment status or contractual relationship has changed must immediately be removed or changed by the responsible person.

3.    Document management

This policy shall be available to all Recycly Employees and any Third Parties where required. The policy must be reviewed and, if necessary, updated at least once a year. Notice of significant revisions shall be provided to Recycly Employees via email.

4.    Version history

Summary of Change | Date of Change | Author | Version No
First Draft | 16/10/2021 | Dom Tyler | 1