Recommended Practices for Access Control

Revised: 15 Oct 2015 by ITSC

Adequate identification, authentication and authorization functions should be provided in computer systems and software applications, commensurate with appropriate use and the acceptable level of risk.

Data Access Control

  • Access to information shall not be allowed unless authorized by the relevant information owners.
  • Data access rights shall be granted to users on a need-to-know basis.
  • Data access rights shall be clearly defined and reviewed periodically. Records for access rights approval and review shall be maintained.
  • Access to information systems containing information classified Confidential/Sensitive or above shall be managed by means of logical access control.

Authentication

  • Access to classified information without appropriate authentication shall not be allowed.
  • Authentication shall be performed in a manner commensurate with the sensitivity of the information to be accessed.
  • Consecutive unsuccessful log-in attempts shall be controlled.

User Identification

  • Each user identity (user-ID) shall uniquely identify only one user. Shared or group user-IDs are not permitted unless explicitly approved by the Management of the relevant department.
  • Users are responsible for all activities performed with their user-IDs.

User Privileges Management

  • Procedures for approving, granting and managing user access including user registration/de-registration, password delivery and password reset shall be documented.
  • All accounts shall be revoked after a pre-defined period of inactivity.
  • User privileges shall be reviewed periodically.
  • The use of special privileges shall be restricted and controlled.

Password Management

  • Departments shall adopt ITSC’s Password Guidelines on minimum password length, initial assignment, restricted words and format, and password life cycle, and shall include guidelines on suitable system and user password selection.
  • Passwords shall not be shared or divulged unless necessary (e.g., service desk assistance, shared PC and shared files). Sharing passwords increases the probability of security being compromised.
  • Passwords shall always be well protected when held in storage. Passwords shall be encrypted when transmitted over an untrusted communication network. Compensating controls shall be applied to reduce the risk exposure to an acceptable level if encryption is not implementable.
  • Staff are prohibited from capturing or otherwise obtaining passwords, decryption keys, or any other access control mechanism, which could permit unauthorized access.
  • All vendor-supplied default passwords shall be changed before any information system is put into operation.
  • All passwords shall be promptly changed if they are, or are suspected of being, compromised, or if they have been disclosed to vendors for maintenance and support.

Mobile Computing and Remote Access

  • Appropriate security measures shall be adopted to avoid unauthorized access to or disclosure of the information stored and processed by mobile computing and remote access facilities. Authorized users should be briefed on the security threats, and accept their security responsibilities with explicit acknowledgement.
  • Security measures shall be in place to prevent unauthorized remote access to university information systems and data.