Overview

Information security policies help to safeguard and control information against security threats, and in doing so help the organization meet its technical and business needs.

Scope

Protection of information systems is the primary responsibility of this policy; it supports the creation of highly effective systems that can prevent threats. Because information security applies to every application in the organization, authorization control determines who may access data, and how, across the organization's departments. This policy is crucial because it defines which users may access which resources within the organization.
Access control must be systematic, and permissions must be restricted department by department. All employees in the organization deal with information directly or indirectly; therefore, controls on hardware and network connectivity devices should be maintained by the IT security manager, and access to applications should be controlled by the database administrators.

Policy

Access control policies help to prevent unauthorized access to resources and to safeguard the integrity and confidentiality of all applications and network systems. Access to systems is granted based on business requirements, job responsibilities and the type of job function.
Access to modify data in any way must be granted by the administrator or supervisor. Access to high-security systems must be controlled by the security operations team, which manages who can access those systems. The policy rules are adapted to the mode of job function, and access can be divided into groups such as user access, administrative access and remote access.
Accordingly, separate accounts are managed according to their level of privilege. All network devices are protected in secure locations, with access controlled by a few authorized security staff who safeguard the policy implementation. The following account management controls apply:

- Automated mechanisms to support the management of information system accounts.
- An information system that automatically terminates temporary and emergency accounts after 48 hours.
- An information system that automatically disables inactive accounts after 48 hours.
- Automated mechanisms to audit account creation, modification, disabling and termination actions and to notify appropriate individuals as required.
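The two 48-hour rules and the audit requirement above, as an added illustration that is not part of this policy document: a Python sweep over constructed account records that terminates expired temporary and emergency accounts, disables inactive ones, and records an audit event naming the party to notify. The account kinds, the team names in the notify field and the treatment of never-used accounts are assumptions, not statements from the policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Thresholds stated in the policy: temporary and emergency accounts end after
# 48 hours; inactive accounts are disabled after 48 hours.
TEMP_ACCOUNT_LIFETIME = timedelta(hours=48)
INACTIVITY_LIMIT = timedelta(hours=48)


@dataclass
class Account:
    name: str
    kind: str                          # assumed kinds: "regular", "temporary", "emergency"
    created_at: datetime
    last_activity: Optional[datetime]  # None if the account has never been used
    enabled: bool = True


@dataclass
class AuditEvent:
    action: str     # "terminate" or "disable"
    account: str
    reason: str
    at: datetime
    notify: str     # party to notify; hypothetical team names


def enforce_account_lifecycle(accounts: List[Account], now: datetime) -> List[AuditEvent]:
    """Apply both 48-hour rules to every enabled account, in place, and return
    the audit events that the notification step would deliver."""
    events: List[AuditEvent] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled: no action, nothing new to audit
        # Rule 1: temporary and emergency accounts are terminated after 48 hours
        # regardless of activity. A still-active temporary account is exactly
        # the case a purely inactivity-based sweep would miss.
        if acct.kind in ("temporary", "emergency") and now - acct.created_at >= TEMP_ACCOUNT_LIFETIME:
            acct.enabled = False
            events.append(AuditEvent("terminate", acct.name,
                                     f"{acct.kind} account older than 48h", now,
                                     "security-operations"))
            continue
        # Rule 2: any remaining account with no activity for 48 hours is disabled.
        # Assumption: a never-used account counts as active at creation time, so a
        # freshly created account is not disabled on its first sweep.
        last_seen = acct.last_activity or acct.created_at
        if now - last_seen >= INACTIVITY_LIMIT:
            acct.enabled = False
            events.append(AuditEvent("disable", acct.name,
                                     "no activity for 48h", now, "it-security-manager"))
    return events


def sample_accounts(now: datetime) -> List[Account]:
    """Constructed sample records (not from the policy)."""
    return [
        Account("alice", "regular", now - timedelta(days=30), now - timedelta(hours=2)),
        Account("bob", "regular", now - timedelta(days=30), now - timedelta(hours=72)),
        Account("vendor-tmp", "temporary", now - timedelta(hours=50), now - timedelta(hours=1)),
        Account("breakglass", "emergency", now - timedelta(hours=10), None),
        Account("newhire", "regular", now - timedelta(hours=60), None),
        Account("carol", "regular", now - timedelta(days=30), now - timedelta(hours=100), enabled=False),
    ]


def run_sweep() -> Tuple[List[Account], List[AuditEvent]]:
    """One scheduled run of the lifecycle job at a fixed, constructed time."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    accounts = sample_accounts(now)
    events = enforce_account_lifecycle(accounts, now)
    return accounts, events


if __name__ == "__main__":
    accounts, events = run_sweep()
    for e in events:
        print(f"{e.at.isoformat()} {e.action:<9} {e.account:<11} {e.reason} -> notify {e.notify}")
    print("still enabled:", [a.name for a in accounts if a.enabled])
```

In the constructed run the temporary vendor account is terminated even though it was used an hour ago, which is the point of keeping the lifetime rule separate from the inactivity rule; the ten-hour-old emergency account survives because neither threshold has been reached yet. Passing the clock in as a parameter keeps the sweep deterministic and testable, and the returned events are the record the audit control asks for.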
Enforcing Access Control

Information systems must provide access only to privileged users, who are generally security administrators, authorized personnel, network administrators and similar roles. Only privileged users, generally the information security officers or system administrators, may access, monitor and control these systems.

Compliance Measurement

An IT security officer should lead the development and enforcement of the information security policies. Enforcement spans the physical, technical and administrative levels.
At the administrative level, he or she must manage the risk analysis and document all information access control logs. Further measures:

- Control of access to workstations and network equipment must be assigned as per the security policy guidelines.
- Access and authorization rules must be established to restrict users' access to data in everyday operations.
- Standards must be set for auditing security controls, encryption of data, event reporting and logs.
- Security procedures must be tested periodically and new policies developed.
Definitions, Related Standards, and Policies

Organizations implement several related standards, including:

- Mandatory Access Control (MAC): This policy controls and ensures that data is accessed only by users who hold authorized access, defines labels and security domains, and permits modification of objects or data only according to security level.
- Discretionary Access Control (DAC): This policy ensures that sharing of data is decided by the individuals or groups who hold the access rights.
- Role Based Access Control (RBAC): This policy ensures that access rights are based on group roles and that no other associate can gain access without permission.

Exceptions

When a security breach or incident occurs that requires quick follow-up, the chief security officer or the CEO can review the policies to prevent further damage to the organization.

References

https://nvd.nist.gov/download/800-53/800-53-controls.xml
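The three access models defined in the standards section, as an added Python illustration that is not part of this policy document: a MAC check over ordered security labels, a DAC check over owner-maintained access lists and an RBAC check over role permissions, run together over constructed subjects and resources so that each model's deny path is visible. The label ordering, the read/write rule used for MAC, the sample roles and the deny-wins combination of the three verdicts are assumptions, not statements from the policy.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed sample policy data; none of these names come from the policy.

# MAC: ordered security labels. Assumed rule: a subject may read objects
# classified at or below its clearance and may modify (write) only objects at
# exactly its own level. The policy says only that modification depends on
# security level, so the exact rule is an assumption.
LEVELS: Dict[str, int] = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# RBAC: role -> set of (resource, operation) permissions granted to that role.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "hr-analyst": {("payroll.csv", "read")},
    "db-admin": {("payroll.csv", "read"), ("payroll.csv", "write"),
                 ("config.yml", "read"), ("config.yml", "write")},
}


@dataclass
class Subject:
    name: str
    clearance: str
    roles: Set[str] = field(default_factory=set)


@dataclass
class Resource:
    name: str
    classification: str
    owner: str
    # DAC: the owner decides who else may do what; user -> permitted operations.
    acl: Dict[str, Set[str]] = field(default_factory=dict)


def mac_allows(subject: Subject, res: Resource, op: str) -> bool:
    s, o = LEVELS[subject.clearance], LEVELS[res.classification]
    if op == "read":
        return s >= o          # no read-up
    if op == "write":
        return s == o          # modify only at the subject's own level
    return False


def dac_allows(subject: Subject, res: Resource, op: str) -> bool:
    if subject.name == res.owner:
        return True            # the owner holds full discretion over the object
    return op in res.acl.get(subject.name, set())


def rbac_allows(subject: Subject, res: Resource, op: str) -> bool:
    return any((res.name, op) in ROLE_PERMISSIONS.get(role, set())
               for role in subject.roles)


def evaluate(subject: Subject, res: Resource, op: str) -> Dict[str, bool]:
    """Run all three models and combine them. Assumed combination: every model
    must permit the operation (deny wins), the conservative choice when the
    models are layered on the same resource."""
    verdict = {
        "mac": mac_allows(subject, res, op),
        "dac": dac_allows(subject, res, op),
        "rbac": rbac_allows(subject, res, op),
    }
    verdict["granted"] = all(verdict.values())
    return verdict


def run_scenario() -> Dict[Tuple[str, str, str], Dict[str, bool]]:
    """Constructed subjects and resources that exercise each model's deny path."""
    alice = Subject("alice", "confidential", {"hr-analyst"})
    bob = Subject("bob", "internal", {"db-admin"})
    carol = Subject("carol", "secret")
    payroll = Resource("payroll.csv", "confidential", owner="carol", acl={"alice": {"read"}})
    config = Resource("config.yml", "internal", owner="bob")
    requests = [
        (alice, payroll, "read"),   # permitted by all three models
        (alice, payroll, "write"),  # MAC ok, but neither the ACL nor her role permits write
        (bob, payroll, "read"),     # role permits it, but MAC forbids read-up and the ACL is silent
        (bob, config, "write"),     # owner, matching level, role permits: granted
        (carol, payroll, "read"),   # owner with high clearance but no role: RBAC denies
    ]
    return {(s.name, r.name, op): evaluate(s, r, op) for s, r, op in requests}


if __name__ == "__main__":
    for key, verdict in run_scenario().items():
        print(key, verdict)
```

The scenario is built so that every denial comes from a different model: the second request fails on discretionary and role grounds, the third fails on the mandatory label check even though the subject's role would allow it, and the last fails only because the owner holds no role. Returning the per-model verdicts rather than a bare boolean is what makes those differences auditable.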