5. Access Control

Access to all computing resources and information systems should be strictly controlled in accordance with a defined access control policy, to prevent unauthorised physical and logical access. Access control policies should be reviewed on a regular basis. Access control procedures should provide adequate safeguards through robust identification and authentication techniques, and access to all computing and information systems and peripherals should be restricted unless explicitly authorised.

All users should have a unique identifier for their personal use only, and suitable authentication techniques should be chosen to substantiate the claimed identity of users. Password management systems should be interactive and should enforce suitable password quality. Where authentication of all system users is not appropriate (e.g. general access kiosk machines), adequate steps should be taken to ensure that any misuse can be prevented or otherwise traced to its source.

Appropriately secure authentication methods should be used to control access by remote users. Remote access connections to the network should only be permitted for authorised users.

Controls should be in place to ensure that inactive sessions are shut down after a defined period of inactivity.

Procedures should be implemented to ensure that access to operating systems is controlled by a secure log-on procedure. Physical and logical access to diagnostic and configuration ports should also be controlled.

Data that are not for public dissemination and are to be accessed from outside the collegiate University should be protected by authentication procedures that require identification specific to each user and that are at a level commensurate with the identified risk. Wherever possible, data of a confidential or sensitive nature should be kept on on-site systems, and users who need to access such data from outside the collegiate University should do so over a secured network connection. Wherever possible, all data transfers should be made over an appropriately secure network connection.

For more detailed guidance please see the following:
