Access control principles
Access to our information and systems must be strictly controlled to maintain:
• confidentiality
• integrity
• availability of information and systems
The overall security of the infrastructure, systems, applications and information must take precedence over any individual requirement for access.
Access rights must be based on a clear business need. They must be in line with the principles of need to know and need to access.
The allocation and use of privileged access rights must be strictly controlled.
Access to our network must be through the provision of a unique User ID. This must be assigned to an individual user to:
- enable an audit of specific activity
- ensure accountability of actions
Generic user accounts must not be permitted unless:
- exceptional circumstances exist
- there is a clearly defined and documented business reason to do so
Account holders must conform to our ICT acceptable use policy.
Access provided to non-council staff must be supported by a relevant information sharing agreement and, or contract. This should set out appropriate information assurance requirements. Services must be the minimum necessary.
Access to our email must be strictly limited to our staff or in very limited circumstances those representing us.
Access authorisation
Before access is authorised a formal process must be followed which requires that:
- an agreed business need is identified
- a relevant line manager provides authority
- the identity of the user is verified
- the provision of privileged access is via formal change control
The level of access provided must be commensurate with the tasks the user is expected to perform.
Users must change their passwords at the first log on.
Adjustment of access rights
Adjustments to access rights must be based on the criteria set out above in access authorisation.
Managers must review access rights to systems used by staff when changing roles and update where necessary. For example the removal of unnecessary access permissions.
The relevant line manager must request suspension of access rights for lengthy periods of planned inactivity. For example:
- secondment
- suspension
- maternity leave
- long term sick leave
Disabling of user accounts
Once a business requirement ceases to be relevant access to our network and to systems previously required to complete a role must be revoked. The users account must be disabled.
Line Managers are responsible for notifying the IT service desk of the need to:
- disable the user account
- disable any access permissions the user had to systems used as part of their role
ICT assets must be recovered from employees once a business requirement has ceased. They should be returned to Serco.
Allocation of privileged access rights
The allocation of privileged access rights must be strictly controlled. They must follow the access authorisation process.
Privileged access rights must be consistent with an individual’s role.
Privileged access rights must be subject to formal change control process.
Privileged access rights must be assigned to a user ID different from those used for regular business activities. Regular business activities must not be performed from a privileged ID.
When privileged access rights are no longer justifiable, they must be removed as soon as practicable.
A regular review of privileged access rights must be undertaken (not less than once every six months).
Users requiring administrative privileges (for example, users who can reconfigure the network or system administrators) must be subject to the baseline personal security standard.
Further information
For further information please email IA@lincolnshire.gov.uk.