Access control policy

Policy overview

This policy aims to ensure appropriate access control rules are in place across our ICT, including the network and associated information systems. This is to ensure:

  • the confidentiality, integrity, and availability of systems and information
  • the actions or operations that a legitimate user can perform are those authorised for their role
  • the risks associated with unauthorised access are mitigated

Access control must be in place to protect our interests by providing a secure and readily accessible environment.

Scope

This policy applies to:

  • our network
  • resources
  • associated information systems and applications

The policy applies to individuals requesting access to our ICT and the ongoing management of that access. This includes, but is not limited to:

  • employees
  • members
  • contractors
  • consultants
  • volunteers
  • third-party organisations

Access control principles

Access to our information and systems must be strictly controlled to maintain:

  • confidentiality
  • integrity
  • availability of information and systems

The overall security of the infrastructure, systems, applications and information must take precedence over any individual requirement for access.

Access rights must be based on a clear business need. They must be in line with the principles of need to know and need to access.

The allocation and use of privileged access rights must be strictly controlled.

Access to our network must be through the provision of a unique User ID. This must be assigned to an individual user to:

  • enable an audit of specific activity
  • ensure accountability of actions

Generic user accounts must not be permitted unless:

  • exceptional circumstances exist
  • there is a clearly defined and documented business reason to do so

Account holders must conform to our ICT acceptable use policy.

Access provided to non-council staff must be supported by a relevant information sharing agreement and/or contract. This should set out appropriate information assurance requirements. Services must be the minimum necessary.

Access to our email must be strictly limited to our staff or, in very limited circumstances, those representing us.

Access authorisation

Before access is authorised a formal process must be followed which requires that:

  • an agreed business need is identified
  • a relevant line manager provides authority
  • the identity of the user is verified
  • the provision of privileged access is via formal change control

The level of access provided must be commensurate with the tasks the user is expected to perform.

Users must change their passwords at first log-on.

Adjustment of access rights

Adjustments to access rights must be based on the criteria set out above in access authorisation.

Managers must review access rights to systems used by staff when they change roles and update them where necessary, for example by removing access permissions that are no longer needed.

The relevant line manager must request suspension of access rights for lengthy periods of planned inactivity, for example:

  • secondment
  • suspension
  • maternity leave
  • long term sick leave

Disabling of user accounts

Once a business requirement ceases to be relevant, access to our network and to the systems previously required to complete a role must be revoked. The user's account must be disabled.

Line managers are responsible for notifying the IT service desk of the need to:

  • disable the user account
  • disable any access permissions the user had to systems used as part of their role

ICT assets must be recovered from employees once a business requirement has ceased. They should be returned to Serco.

Allocation of privileged access rights

The allocation of privileged access rights must be strictly controlled. They must follow the access authorisation process.

Privileged access rights must be consistent with an individual’s role.

Privileged access rights must be subject to a formal change control process.

Privileged access rights must be assigned to a user ID different from those used for regular business activities. Regular business activities must not be performed from a privileged ID.

When privileged access rights are no longer justifiable, they must be removed as soon as practicable.

A regular review of privileged access rights must be undertaken (not less than once every six months).

Users requiring administrative privileges (for example, users who can reconfigure the network or system administrators) must be subject to the baseline personal security standard.

Further information

For further information please email IA@lincolnshire.gov.uk.