An access control policy is the planned operational and strategic foundation of all the best access control systems, and it’s also a fundamental managerial responsibility. Learn why you need one, how to create one, and what it should include. Access control policies are an important element of a business’s access control system.
An Access Control Policy
An access control policy documents and specifies the resources that permanent and temporary employees, management, contractors, business partners, and customers can access. It also covers:
- When and where such access can take place
- The resource access types needed for each role, responsibility and purpose
- The scope of access
- Regulatory compliance considerations
- Coordination across the organization’s departments
- The control types that enable access management and oversight
What should be included in an access control policy?
- Building access – including specific areas such as R&D labs, warehousing, shipping docks, every lockable door, utility rooms for phones and electrical panels, parking lots, food preparation areas, storage areas, server rooms, computer system facilities, executive offices, and even desk-level lockable drawers
- Computer, communications and other digital infrastructure – including which equipment, systems, applications and services each person should be able to reach
- Data – treated separately from the computer infrastructure that stores it
- Business processes – including when, where, and how entities can submit invoices
- Physical safety of personnel
- Regulatory and legal compliance standards
Models and Mechanisms
Models are an intermediate step between writing a policy and implementing it.
- They contain detailed rule descriptions that do not depend on any particular hardware, software, procedure or other mechanism
- Common model types include role-based, rule-based and discretionary
- A company may find that a combination of models works best
How do you determine access?
Determining access is more complex than “the higher you are, the more you have.”
- For example, company CEOs have ultimate control over all business decisions and strategies, yet they wouldn’t typically have access to detailed accounts payable or receivable accounting systems.
- The lack of access in this area is a financial control to prevent internal fraud.
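To make the three model types and the CEO example above concrete, the following is an added illustration (written for this page, not code from any product or standard): a small policy evaluator that combines a role-based table, rule-based when/where constraints and a discretionary grant, denying by default. The roles, resources, hours and locations are constructed sample values, and the rule that a CEO role carries no accounts-payable entitlement is deliberately encoded as the financial control the text describes.

```python
from dataclasses import dataclass

# Role-based model: (resource, action) pairs each role is entitled to.
ROLE_PERMISSIONS = {
    "ceo": {("strategy_docs", "read"), ("strategy_docs", "write"),
            ("executive_offices", "enter")},
    "ap_clerk": {("accounts_payable", "read"), ("accounts_payable", "write")},
    "contractor": {("shipping_dock", "enter")},
}
# Rule-based model: when (local hours, end exclusive) and where access may take place.
RESOURCE_RULES = {
    "shipping_dock": {"hours": (6, 18), "locations": {"warehouse"}},
    "accounts_payable": {"hours": (8, 18), "locations": {"hq"}},
}
# Discretionary model: a resource owner's grant to one named individual.
DISCRETIONARY_GRANTS = {("strategy_docs", "read"): {"alice"}}

@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    resource: str
    action: str
    hour: int        # local hour at which access is requested
    location: str    # where the requester is (constructed values: "hq", "warehouse", ...)

def entitled(req):
    # Role-based entitlement first, then a discretionary grant; None if neither applies.
    if any((req.resource, req.action) in ROLE_PERMISSIONS.get(r, ()) for r in req.roles):
        return "role"
    if req.user in DISCRETIONARY_GRANTS.get((req.resource, req.action), ()):
        return "discretionary grant"
    return None

def decide(req):
    # Deny by default; an entitlement is still subject to the when/where rules.
    basis = entitled(req)
    if basis is None:
        return False, "no role or discretionary grant covers this resource"
    rule = RESOURCE_RULES.get(req.resource)
    if rule:
        start, end = rule["hours"]
        if not start <= req.hour < end:
            return False, "outside permitted hours"
        if req.location not in rule["locations"]:
            return False, "not a permitted location"
    return True, f"allowed by {basis}"

def check(user, roles, resource, action, hour, location):
    return decide(Request(user, frozenset(roles), resource, action, hour, location))
```

Each decision returns the failing check by name, which is what an audit log of the policy should record rather than a bare allow/deny.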
Why do you need an access control policy?
Sound business practice requires predictability, risk management, regulatory compliance and process controls.
- Access breaches can cause serious damage, including the loss of computer systems to ransomware, theft of real property of significant value, injury to workers from unauthorized intruders, or other dire consequences.