Access Control Policy - Risk Management


Access control is a security measure that is used to regulate who has access to certain resources, such as files, buildings, or computer systems. It is a key part of risk management, as it helps to prevent unauthorized access that could lead to data breaches or other security incidents.


Access Control

  • Principle of Least Privilege – Business adheres to the principle of least privilege, specifying that users of Business systems will be given access to only the information and resources necessary to perform their job functions, as determined by Senior Management, the Security Officer, Supervisor/Department Manager, or designee, and in accordance with the {Company Name} Mission, State and Federal regulations, and accreditation requirements.

  • Documentation Responsibilities – The Security Officer or designee shall document the physical and logical access control rules, rights, and roles for each user or group of users for each system in operation.

  • Access Approval – Users needing access to resources must be approved by Senior Management and must have submitted a User Access Request form outlining the physical and logical access required to perform their job duties. The level of access required to each system, facility, or network will be determined on a per-user basis.

  • User Accounts – Users of Business systems will be provided a unique user ID that can be used to trace activities to the individual responsible for that account. Generic user accounts shall only be utilized in circumstances where there is a clear business benefit, where user functions do not need to be traced to an individual, where additional accountability controls are implemented, and only after approval by the Security Officer or designee.

  • Administrator Accounts – Users performing privileged functions, such as system administrators, shall utilize a separate account that is different from their standard user account.

  • Access Acknowledgement – Prior to gaining access to resources, each user is required to acknowledge, in writing, that they understand the level of access they are receiving, the security measures in place to protect the information and system(s) to which they have access, and the business requirements to be met by Business access controls.

  • Changes to Access – Changes to access level(s), such as in the case of promotion, demotion, termination, or change in job duties, shall be formally documented and approved by the appropriate Management representative. The IT Department is to be notified when users are terminated or transferred, when their privileges change, or when accounts are no longer required. User access rights shall be reviewed and reallocated as necessary prior to changes being made.


Access Review

  • Review of Accounts Used in Applications and Middleware – Business must annually review the privileges of special accounts used for production applications or middleware.

  • Reauthorization of User Access Privileges – The system privileges granted to every user must be reevaluated by the Security Officer quarterly to determine whether currently-enabled system privileges are needed to perform the user’s current job duties.