Introduction
The purpose of logical access control is to manage access to information in a way that:
The system is protected from unauthorized access.
Accidental damage caused by authorized users is minimized.
All Users have access to the resources appropriate to them.
The confidentiality and integrity of information in ABC Company are preserved.
This section addresses the logical access control requirements for All Users and for all assets of ABC Company, which include but are not limited to network devices such as routers, switches and computers, and premises such as offices and the computer room.
Audit requirements are also addressed in this section.
Authentication and Password
All Users shall be held accountable for every action carried out by his/her
Non-standard access may be granted in exceptional circumstances; such access shall be subject to special authorization, controlled, and applied only for a limited time.
Business Owners shall conduct reviews at regular intervals of the user access rights allocated by system managers.
User Access Control
For access to ABC systems that contain personal user data, All Users shall sign the confidentiality agreement to abide by the Data Protection Policy before they are registered.
All Users shall have their own personal User ID and password pair for the system. User IDs and passwords shall not be shared.
Group IDs should only be used with approval from the Director of Information Technology.
Whenever a Generic ID is re-assigned, its password shall be changed.
There shall be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services.
Management shall review user’s access rights every six months or when major changes are made to the IT system.
The allocation and use of privileges shall be restricted and controlled.
Password
All Users shall ensure password confidentiality and prevent disclosure and compromise at all
All Users shall have a unique User ID so that activities can be traced to the responsible user.
Periodically, it is necessary to change the Operating System (including upgrading to a newer version). When such changes occur, the security of the system should be reviewed to ensure that the change does not introduce any vulnerability.
For systems that have single administrative accounts, such as Unix, users with access to the administrative account must first use their normal account to log into systems before switching to the privileged administrative account. This is to identify and log the user of the administrative accounts.
Users given command line access to systems must, where feasible, be limited to the access or service needed via the use of restricted shells, application menu restrictions or other means.
Super user/administrator accounts should not be used for daily operations and should be kept secure until required for emergency use. Operators should be provided with accounts with reduced privileges for their daily operational activities whenever the system
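The two rules above (log in as a named user before switching to the administrative account, and keep the super user account out of daily use) are only enforceable if someone audits the authentication log for violations. The script below is an added illustration, not part of ABC Company's policy or tooling: it parses a handful of constructed Linux auth.log lines (the hosts, users and addresses are invented for this example), flags any login that went straight into a privileged account with no identifiable individual behind it, and records which named users switched into root via su or sudo so that every privileged action can be traced back to a person. The log formats assumed are the common OpenSSH, sudo and su message shapes; a real deployment would adapt the patterns to its own syslog output.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines for this example only; hosts, users and
# addresses are invented and do not come from the policy text.
SAMPLE_AUTH_LOG = """\
Mar  3 08:01:12 host1 sshd[2101]: Accepted publickey for alice from 10.0.0.21 port 50212 ssh2
Mar  3 08:01:40 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar  3 08:05:03 host1 sshd[2188]: Accepted password for root from 10.0.0.99 port 40111 ssh2
Mar  3 08:07:55 host1 sshd[2201]: Accepted publickey for bob from 10.0.0.22 port 50300 ssh2
Mar  3 08:08:10 host1 su: (to root) bob on pts/1
Mar  3 08:09:00 host1 sshd[2240]: Failed password for root from 10.0.0.99 port 40120 ssh2
"""

# Accounts the policy treats as privileged/shared; extend for site-specific admin IDs.
PRIVILEGED_ACCOUNTS = {"root"}

# Assumed message shapes for OpenSSH logins, sudo invocations and su switches.
LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
SU_RE = re.compile(r"su: \(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)")


def parse_auth_log(text):
    """Turn raw auth log text into a list of event dicts (logins and privilege switches)."""
    events = []
    for line in text.splitlines():
        if m := LOGIN_RE.search(line):
            events.append({"kind": "login", "user": m["user"], "src": m["src"], "method": m["method"]})
        elif m := SUDO_RE.search(line):
            events.append({"kind": "sudo", "user": m["user"], "target": m["target"], "cmd": m["cmd"]})
        elif m := SU_RE.search(line):
            events.append({"kind": "su", "user": m["user"], "target": m["target"], "tty": m["tty"]})
        # Failed attempts and unrelated messages are ignored by this example.
    return events


def direct_privileged_logins(events, privileged=PRIVILEGED_ACCOUNTS):
    """Logins straight into a shared privileged account: no individual is identifiable,
    which is exactly what the policy's 'log in as yourself first' rule forbids."""
    return [e for e in events if e["kind"] == "login" and e["user"] in privileged]


def privilege_switches(events, privileged=PRIVILEGED_ACCOUNTS):
    """Map each privileged account to the named users who switched into it via su/sudo,
    giving the audit trail the policy asks for."""
    by_target = defaultdict(list)
    for e in events:
        if e["kind"] in ("sudo", "su") and e["target"] in privileged:
            by_target[e["target"]].append(e["user"])
    return dict(by_target)


def audit_report(text):
    """Summarise one log extract: violations to investigate and the traceable switches."""
    events = parse_auth_log(text)
    return {
        "direct_privileged_logins": direct_privileged_logins(events),
        "privilege_switches": privilege_switches(events),
    }


if __name__ == "__main__":
    report = audit_report(SAMPLE_AUTH_LOG)
    for e in report["direct_privileged_logins"]:
        print(f"VIOLATION: direct {e['method']} login as {e['user']} from {e['src']}")
    for target, users in report["privilege_switches"].items():
        print(f"{target}: switched into by {', '.join(users)}")
```

Run against the sample, the report shows one violation (a password login directly as root from 10.0.0.99) and two traceable switches into root, by alice via sudo and by bob via su. In practice the same check is usually paired with a preventive control, such as disabling root logins in sshd, so that the audit finds nothing rather than merely reporting it.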