Security Policy – Access Control

Access Control Policy

Access to applications and data (files, databases) that have been classified as vital or important is reserved to authorised persons and is forbidden to all other persons, whether internal or external to the organisation.

The right to access each of these resources is granted by the data manager, as defined in Section 2 “Attribution of responsibilities”. It also sets out the type of access to the information: read-only, editing or deletion rights. This is the only person who can grant, modify or withdraw access rights to this data. Access rights are created on a technical level by the IT manager.

Applying Security Measures To:

• file servers
• email servers
• fixed network
• internal Wi-Fi network
• customer Wi-Fi network
• computers connected to the Internet
• laptop computers

Directly Associated Organisational Measures:

• Classification and monitoring of resources
  • Classification of and responsibility for resources
• Physical and environmental security
  • Physical security perimeter
• Operational and communications aspects
  • Documented procedures
• Access control
  • Access rights management
  • Separation of networks
  • Login procedure
• Compliance
  • Protection of operational data
  • Personal data protection

Technical Measures:

• Authentication

Access Rights Management

Before creating a personal account for a user, the IT manager ensures that the data manager has given their approval for access to the different user groups, drives, directories and applications. S/he also takes this opportunity to review the group members and their rights.

Applying Security Measures To:

• file servers
• email servers
• fixed network
• internal Wi-Fi network
• customer Wi-Fi network
• computers connected to the Internet
• laptop computers

Directly Associated Organisational Measures:

• Classification and monitoring of resources
  • Classification of and responsibility for resources
• Operational and communications aspects
  • Documented procedures
  • Protection against malware
• Access control
  • Access control policy
  • Password management
  • Separation of networks
  • Login procedure

Technical Measures:

• Authentication

Password Management

Applying Security Measures To:

• file servers
• email servers
• fixed network
• internal Wi-Fi network
• customer Wi-Fi network
• computers connected to the Internet
• laptop computers

Directly Associated Organisational Measures:

• Human factors
  • Training and information
• Access control
  • Access control policy
  • Access rights management
  • Login procedure

Technical Measures:

• Authentication
• passwords

Use of External Networks

Connection to external networks and, in particular, the Internet must take place under the appropriate conditions. Here are a few possible scenarios:

Applying Security Measures For:

• file servers
• email servers
• fixed network
• internal Wi-Fi network
• customer Wi-Fi network
• computers connected to the Internet
• laptop computers

Directly Associated Organisational Measures:

• malicious websites

Directly Associated Organisational Measures:

• Human factors
  • Training and information
  • Response to incidents and security malfunctions
• Operational and communications aspects
  • Documented procedures
  • Protection against malware
  • Email
• Access control
  • Access control policy
  • Access rights management
  • Separation of networks
• Development and maintenance of systems
  • Use of encryption
  • Management of technical vulnerabilities
• Management of security incidents
  • Reporting information security events

Technical Measures:

• antivirus
• firewall
• company firewall
• web filter

External Connections

Connections from external networks to the organisation’s systems must be restricted to a need-only basis. On such occasions, this connection is preferably made via a VPN connection.

Applying Security Measures To:

• file servers
• email servers
• fixed network
• computers connected to the Internet
• laptop computers

Directly Associated Organisational Measures:

• Organisation of Security
  • Third-party access and outsourcing
• Human factors
  • Training and information
  • Response to incidents and security malfunctions
• Operational and communications aspects
  • Documented procedures
• Access control
  • Access control policy
  • Access rights management
  • Separation of networks
  • Login procedure
• Development and maintenance of systems
  • Use of encryption
  • Management of technical vulnerabilities
• Management of security incidents
  • Reporting information security events
• Compliance
  • Protection of operational data
  • Personal data protection

Technical Measures:

• company firewall
• VPN

Separation of Networks

In case of more complex networks with different security zones, a firewall is used to separate these different networks.

The firewall is configured so that only the authorised flows and users can pass through. If a device is too sensitive, it is to physically and/or logically separated from the rest of the systems.

Applying Security Measures To:

• file servers
• email servers
• fixed network
• internal Wi-Fi network
• customer Wi-Fi network
• computers connected to the Internet
• laptop computers

Connection Procedures

The home screens of the various systems are configured in such a way to:

• give the least amount of information possible, and preferably nothing about the system, application or organisation until the user has been correctly identified;
• display a message such as “Access forbidden to unauthorised persons”;
• limit the number of attempts to three before locking out the user;
• display, if possible, the date and time of the last login, as well as any login attempts. The user should verify this information to make sure that there have been no suspicious logins without them knowing.