11. Access Control

Control objective: to control access to information

11.1 Business Requirement For Access Control

    11.1.1 Access control policy

    An access control policy has been established, documented in DOC 11.1, and is reviewed when required in the light of business and security needs. In addition, as the Trust Centre protects National Assets, the following are the physical procedures that must be followed every time the Trust Centre in the National Smart Card Centre in Isa Town is accessed.

    Administration Area

    When access is required to the Administration Area of the Trust Centre, any two of the following five members are required. In addition, one of the Police Officers tasked by Mohammed Hamdan Mohammed to guard the Trust Centre must supervise their entry and wait in attendance directly outside the door of the Administration Area until all the people who entered exit at the same time. No one is ever permitted to enter the Trust Centre Administration Area alone, under any conditions, and no one is permitted to remain in the Trust Centre Administration Area unaccompanied by one of the following personnel:

    If any of the above personnel are absent they can be represented/replaced by the Director General of IT, or the President of the CIO.

    Outer Core

    When access is required to the Outer Core Area of the Trust Centre, all three of the following members are required. In addition, one of the Police Officers tasked by Mohammed Hamdan Mohammed to guard the Trust Centre must supervise their entry and wait in attendance directly outside the door of the Outer Area until all the people who entered exit at the same time. No one is ever permitted to enter the Trust Centre Administration Area alone, under any conditions, and no one is permitted to remain in the Trust Centre Outer Core Area unaccompanied by all of the following personnel:

    If any of the above personnel are absent they can be represented/replaced by the Director General of IT, or the President of the CIO.

    Inner Core

    When access is required to the Inner Core Area of the Trust Centre, all three of the following members are required. In addition, one of the Police Officers tasked by Mohammed Hamdan Mohammed to guard the Trust Centre must supervise their entry and wait in attendance directly outside the door of the Outer Area until all the people who entered exit at the same time. No one is ever permitted to enter the Trust Centre Administration Area alone, under any conditions, and no one is permitted to remain in the Trust Centre Inner Core Area unaccompanied by all of the following personnel:

    If any of the above personnel are absent they can be represented/replaced by the Director General of IT, or the President of the CIO.

    Setting Access Control on the Identix System

    Access to all areas of the Trust Centre is controlled by the Identix biometric locking system fitted to all of the doors. The system is configured according to the policy set out in sub-section 11.1 above. Only two people have the username and password to access this system:

    The Identix control system is located in the Administration Area of the Trust Centre and, as no one can access this area alone, both people will be monitored by one of the other personnel with access rights to the Administration Area. A change log must be signed by the Director General of IT or the President of the CIO before the access configuration for any of the doors in the Trust Centre is changed.

    No changes to this system are permitted without this change control document signed by the Director General of IT or the President of the CIO.

    In addition, as part of the monthly controls checking procedure, the Information Security Manager will check the logs on the Identix system, print out these logs and sign them to demonstrate that no unauthorised changes have occurred.


11.2 User Access Management

Control objective: to ensure authorized users’ access and to prevent unauthorised access to information systems

    11.2.1 User registration

    There is a formal user registration and de-registration procedure (DOC 11.3 and DOC 11.4) for granting and revoking access to all information systems and services.

    11.2.2 Privilege management

    The allocation and use of privileges is restricted and controlled as set out in DOC 11.3.

    11.2.3 User password management

    The allocation of passwords is controlled through a formal management process as set out in DOC 11.3.

    11.2.4 Review of user access rights

    Management reviews users’ access rights at regular intervals using the formal process set out in DOC 11.3.


11.3 User Responsibilities

Control objective: to prevent unauthorized user access, and compromise or theft of information and information processing facilities

    11.3.1 Password use

    Users are required (in their User Agreements, DOC 11.4) to follow good security practices in the selection and use of passwords.

    11.3.2 Unattended user equipment

    Users are required (in their User Agreements, DOC 11.4) to ensure that unattended equipment has appropriate protection.

    11.3.3 Clear desk and screen policy

    The Organisation has adopted a clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities; the requirement for compliance with this policy is set out in DOC 11.4.


11.4 Network Access Control

Control objective: to prevent unauthorized access to networked services

    11.4.1 Policy on use of network services

    The Organisation’s policy (in DOC 11.7) is that users are only provided with access to the services that they have been specifically authorized to use.

    11.4.2 User authentication for external connections

    DOC 11.8 sets out the authentication methods that are used to control access by remote users.

    11.4.3 Equipment identification in the network

    Automatic equipment identification is used, as set out in DOC 11.8, as a means to authenticate connections from specific locations and equipment.

    11.4.4 Remote diagnostic and configuration port protection

    Physical and logical access to diagnostic and configuration ports is controlled as required by DOC 11.8.

    11.4.5 Segregation in networks

    Groups of information services, users and information systems are segregated in the network(s) in line with the requirements of DOC 11.7 and DOC 11.8.

    11.4.6 Network connection control

    The Organization has a single shared network which extends across the organizational boundaries; the Organization restricts the capability of users to connect to the network, in line with the access control policy (DOC 11.1) and requirements of the business applications and as set out in DOC 11.8.

    11.4.7 Network routing control

    Routing controls have been implemented in line with DOC 11.8 for the Organization networks to ensure that computer connections and information flows do not breach the Organization access control policy as applied to the business applications.


11.5 Operating System Access Control

Control objective: to prevent unauthorized access to operating systems

    11.5.1 Secure log-on procedure

    Access to information systems is controlled by the secure log-on procedure set out in DOC 11.9.

    11.5.2 User identification and authentication

    All users have a unique identifier (user ID) for their personal and sole use, issued in line with the requirements of DOC 11.3, and [a suitable authentication technique] has been chosen to substantiate the claimed identity of a user.

    11.5.3 Password management system

    The password management system set out in DOC 11.3 ensures quality passwords.

    11.5.4 Use of system utilities

    The use of utility programs that might be capable of overriding system and application controls is restricted and controlled as specified in DOC 11.10.

    11.5.5 Session time-out

    Inactive sessions are shut down, in accordance with DOC 11.9, after a defined period of inactivity.

    11.5.6 Limitation of connection time

    Restrictions on connection times are used to provide additional security for high-risk applications, as specified in DOC 11.8.


11.6 Application & Information Access Control

Control objective: to prevent unauthorized access to information held in application systems

    11.6.1 Information access restriction

    Access to information and application system functions by users and support personnel is restricted as set out in DOC 11.2, in accordance with the access control policy in DOC 11.1.

    11.6.2 Sensitive system isolation

    Sensitive systems have a dedicated (isolated) computing environment as provided in DOC 11.9.


11.7 Mobile Computing & Teleworking

Control objective: to ensure information security when using mobile computing and teleworking facilities

    11.7.1 Mobile computing and communications

    A formal policy is in place and appropriate security measures have been adopted to protect against the risks of using mobile computing and communication facilities.

      11.7.1.1 The Organization’s mobile computing policy below covers notebook computers, palmtops (PDAs), laptops, smart phones and mobile phones. The Organization provides mobile computing facilities in order to improve the productivity, flexibility, responsiveness and effectiveness of its operations. The Organization also takes appropriate steps for physical protection (User Agreement DOC 11.4), access controls, cryptography, backups and malware protection for mobile devices, and ensures that users receive appropriate training before they are issued with mobile devices. Users are required to accept in writing (DOC 11.5 and DOC 11.6) specific responsibilities with regard to backups, malware protection and their use of mobile devices, particularly with regard to working in unprotected environments.

    11.7.2 Teleworking

    Teleworking is not permitted in the Trust Centre.

    Adlin Hisyamuddin
    Information Security Manager

    ____________________________

    On:

    08 November, 2007
    ____________________________

    Change history

    Issue 1 08 November, 2007 Initial issue