Developing an access control policy is a fundamental part of creating and implementing a business’s access control system. Proper access control means people can reach all the digital and physical resources they need to do their jobs, but they won’t have access to other business facets.
An access control policy is the planned operational and strategic foundation of all the best access control systems, and it’s also a fundamental managerial responsibility. Every company should decide in advance the data and resources each employee should be able to access.
Here’s a look at access control policies, why you need one, how to create one, and what to include.
Editor’s note: Looking for the right access control system for your business? Fill out the below questionnaire to have our vendor partners contact you about your needs.
What is an access control policy?
An access control policy documents and specifies the resources that permanent and temporary employees, management, contractors, business partners, and customers can access. It also delineates when and where such access can take place.
Managers and other leaders plan, document and implement the access control policy through official procedures. Everyone involved should be aware of the policy’s permissions and restrictions.
An access control policy addresses the following high-level concerns:
- Necessary resource access types depending on roles, responsibilities and purposes
- Access scope
- Regulatory compliance considerations for access
- Coordination across the organization’s departments and their locations
- Control types that enable access management and oversight
This high-level view doesn’t convey the degree of depth and specificity a good access control policy addresses. For example, the National Institute of Standards and Technology offers the following list of considerations in managing staff member accounts:
- Identifying account types (i.e., individual, group, system, application, guest/anonymous and temporary)
- Establishing group membership conditions
- Identifying authorized users of the information system and specifying access privileges
- Requiring appropriate approvals for requests to establish accounts
- Establishing, activating, modifying, disabling and removing accounts
- Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts
- Notifying account managers when temporary accounts are no longer required, when information system users are terminated or transferred, or when their information system usage or need-to-know/need-to-share status changes
- Deactivating temporary accounts that are no longer required, and the accounts of terminated or transferred users
- Granting access to the system based on a valid access authorization, intended system usage, and other attributes as
- Reviewing accounts
The document then refers to 19 related sets of procedural controls.
Other considerations include when to end access automatically, the need to audit these processes, when active users must log off, normal times-of-day usage, and atypical use identification.
So far, we’ve discussed only access control policy considerations concerning staff member accounts. Businesses also must impose access controls for databases, data, computer networks, applications, internal systems, cloud-based systems and external software access.
Did you know? Physical access control considerations include locked doors, building area access, and whether to use fail-safe or fail-secure locks.
How do you determine access?
Determining access is more complex than “the higher you are, the more you have.” For example, company CEOs have ultimate control over all business decisions and strategies. They need extensive data and the ability to move around facilities.
Yet CEOs wouldn’t typically have access to detailed accounts payable or receivable accounting systems. The lack of access in this area is a financial control to prevent internal fraud.
CEOs also might not be able to enter a factory floor freely because they lack the training and gear to move safely among production lines and heavy equipment. Similarly, those with access to accounting or manufacturing systems wouldn’t be able to check a CEO’s financial metrics dashboard, and none of these employees would have the passwords to corporate network routers.
FYI: A good adage for an access control policy is “a place for everything and everything in its place.” Determining everyone’s proper place doesn’t happen by accident. Instead, it’s the result of extensive thought and planning.
Why do you need an access control policy?
Smart business practices require predictability, risk management, regulatory compliance and process controls. These are some of the benefits of access control, whether it’s virtual, digital or physical.
While an access control policy won’t predict and avoid every potential workplace problem, it helps a business anticipate and lower the risks it faces.
Access breaches can cause damage, including the loss of computer systems to ransomware, theft of real property of significant value, injury to workers from unauthorized intruders, or other dire consequences. To make matters worse, an access breach can result in adverse publicity that will affect business indefinitely.
Bottom line: A comprehensive access control policy recognizes previously unconsidered risks, makes contingency and potential remediation plans, and offsets unnecessary dangers and costs via prevention.
What should be included in an access control policy?
The simplest – and most challenging – answer is: everything. There is virtually no aspect of business operation that doesn’t require an access review. Here are a few essential elements to include in an access control policy:
- Building access, including specific areas like R&D labs, warehousing, shipping docks, every lockable door, utility rooms for phones and electrical panels, parking lots, food preparation areas, storage areas, server rooms, computer system facilities, executive offices, and even desk-level lockable drawers. Access also includes monitoring, which can include motion detectors and video cameras.
- Computer, communications and other digital infrastructure. This includes considering what equipment, systems, applications and services to which people should have access. Also determine who is allowed to order computing services from the cloud and their limitations, which can be budgetary as well as role-based.
- Data, which is separate from the computer infrastructure. Data can reside on databases; in unstructured files on servers; in files on individual workstations, laptops, or mobile devices; or in paper documents in filing cabinets.
- Business processes, including when, where, and how entities can submit invoices; contact methods for legal notifications; how authorized order placement happens; and even what types of information customer service personnel are allowed to provide.
- Physical safety of personnel in case of a natural or man-made disaster, or an attack by an outside agent.
- Regulatory and legal compliance standards.
Individuals will need to understand the conditions of access, sign compliance and usage documents, obtain training on processes, and follow procedures that may be inconvenient at times.
Bottom line: The need for access control crosses all a business’s boundaries, divisions, processes, properties, data, tools, information, services and functions. There may be aspects that don’t require stringent control, like who can take a cup of coffee or use a restroom. But everything must be considered, if only to dismiss an access control aspect as unnecessary.
Models and mechanisms
An access control policy means nothing if there’s no way to implement or enforce it. That adds the need for models and mechanisms to the policy process.
Models are a step between creating a policy and implementing it. They include detailed rule descriptions that don’t depend on any given hardware, software, procedures or other mechanisms. Common model types include role-based, rule-based and discretionary.
A company might find that a combination of models is beneficial, as one type may help in an operational area, while a different model might work better in another area.
Then there are mechanisms, which can be software-based, such as an access control list, or a physical item, like a key, fob or swipe card. Although mechanisms are much lower level than access control planning, proper documentation means recording which mechanisms will be used where. If new technology choices make a change necessary, that should also be recorded.