Access Control Policy: Template & Best Practices

An access control policy is the rule book an organization writes to determine who is allowed in. It lists both authorized groups and the controls enforced to prevent unauthorized access – from password policies to on/offboarding procedures and privilege audits. Your access control policy informs how to assign, review, update and revoke access in your organization. Read our guide to learn which topics an access control policy should cover and how to write your own access control policy!

What Is an Access Control Policy?

An access control policy is a document that outlines how an organization controls access to its physical and digital information assets. The policy ensures that day-to-day operations meet the organization’s security and compliance requirements. To this end, an access control policy serves two basic functions:

  1. To establish who is authorized to access which assets and resources.

  2. To define which security controls must be followed to prevent unauthorized access.

Effective access control relies on technical safeguards as well as administrative procedures and decisions. A written access control policy ensures that all stakeholders are aware of the rules governing how the organization manages access for staff, guests, business partners and others.

Physical vs. Logical Access Control

Access control can be broken down into two areas:

  1. Physical access control ensures that only authorized individuals can enter the organization’s premises and any sensitive areas. It covers safeguards such as front desks, visitor logs or key cards for restricted areas.

  2. Logical access control restricts who can access information systems and digital resources. This includes controls such as secure authentication, account lifecycle management and user access reviews.

Depending on the needs of the organization, both aspects can be combined into one policy or physical and logical access control can be split into separate policies, allowing them to more easily be updated and revised.

Types of Access Control

When it comes to IT systems, there are 4 different access control models that reflect different approaches to how access is granted and updated.

  • Mandatory Access Control (MAC): Under the Mandatory Access Control model, only a central authority such as the system administrator can grant access. This makes MAC highly secure, but also inflexible and difficult to manage.

  • Discretionary Access Control (DAC): Discretionary Access Control gives users some agency in managing access. For example, a resource owner could grant others View or Edit rights for a file they control (similar to inviting other users into a shared cloud document). By allowing for some delegation, DAC is a more flexible approach to access control.

  • Role-Based Access Control (RBAC): Instead of assigning access individually for each user, role-based access control groups users with similar requirements and grants them access based on their role, such as their position or department. This streamlines governance and enables automated user lifecycle management. However, user role and permission design must be completed before RBAC can be used.

  • Attribute-Based Access Control (ABAC): Attribute or Rule-Based Access Control determines access dynamically based on various factors, such as who is making a request and the type of resource being opened. Full use of this approach requires extensive tagging and categorization of information assets, making it challenging to implement.
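The three models that grant access through data rather than a single administrator differ mainly in where the decision logic lives. The following is an added illustration written for this article (not tenfold's code or any particular product's API): a DAC owner-managed ACL, an RBAC role-to-permission map and an ABAC rule set, each answering the same kind of "may this user do this?" question. All users, roles, files, attributes and rules are constructed sample data.

```python
"""Added illustration of the DAC, RBAC and ABAC models described above.
Example code for this article, not tenfold's product code; every role, user,
file and attribute below is constructed sample data."""
from dataclasses import dataclass

# --- DAC: the owner of a resource decides who else may use it ---------------
FILE_ACLS = {
    # constructed: alice owns the file, nobody else has been granted anything yet
    "budget.xlsx": {"owner": "alice", "grants": {}},
}

def dac_share(actor: str, path: str, grantee: str, rights: set) -> bool:
    """Delegate rights on a file. Only the owner may delegate; anyone else is refused."""
    acl = FILE_ACLS[path]
    if acl["owner"] != actor:
        return False
    acl["grants"][grantee] = set(rights)
    return True

def dac_allows(user: str, path: str, right: str) -> bool:
    """The owner holds every right; others only what the owner granted them."""
    acl = FILE_ACLS[path]
    return user == acl["owner"] or right in acl["grants"].get(user, set())

# --- RBAC: permissions hang off roles; users are assigned roles -------------
ROLE_PERMISSIONS = {
    "finance-analyst": {("invoices", "read"), ("reports", "read")},
    "finance-manager": {("invoices", "read"), ("invoices", "approve"), ("reports", "read")},
    "helpdesk": {("tickets", "read"), ("tickets", "write")},
}
USER_ROLES = {
    "alice": {"finance-manager"},
    "bob": {"finance-analyst"},
    "carol": {"helpdesk"},
}

def rbac_allows(user: str, resource: str, action: str) -> bool:
    """Allow if any role assigned to the user carries (resource, action).
    A user with no role assignment gets nothing (deny by default)."""
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))

# --- ABAC: rules evaluated over subject, resource and environment attributes ---
@dataclass
class Request:
    subject: dict      # e.g. department, clearance level
    resource: dict     # e.g. owning department, classification tag
    environment: dict  # e.g. device state, local hour of the request

def abac_allows(req: Request) -> bool:
    """Constructed rule set: a subject may only open resources owned by their own
    department; 'restricted' resources additionally require clearance >= 2,
    a managed device and a request during business hours (08:00-18:00)."""
    s, r, e = req.subject, req.resource, req.environment
    if s.get("department") != r.get("owner_department"):
        return False
    if r.get("classification") == "restricted":
        if s.get("clearance", 0) < 2:
            return False
        if not e.get("managed_device", False):
            return False
        if not 8 <= e.get("hour", -1) < 18:
            return False
    return True
```

Note how the ABAC rules only work once every resource carries an `owner_department` and `classification` attribute, which is the tagging effort the text refers to; an untagged resource simply fails closed here.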

Read our article on the topic to learn more about these 4 Types of Access Control.

Why Do I Need an Access Control Policy?

To prevent data theft, data breaches and insider threats, it is essential for organizations to control access to IT resources. There are many steps involved in protecting business-critical information, from multi-factor authentication to accurate provisioning and deprovisioning and regular access reviews.

An access control policy is necessary to guide your security efforts, track the implementation of technical & organizational controls and ensure that everyone understands and follows the rules. Additionally, the policy also governs who is responsible for enforcing, reviewing and updating different controls.

Is an Access Control Policy Mandatory?

An access control policy is a must-have if your organization is required to comply with frameworks such as NIST 800-53 / 800-171 or follows voluntary security standards like ISO 27001. Many regulations and standards require access control policies as part of their overall security program.

Access Control Policy for ISO 27001

ISO 27001 is a widely used security standard that lays out how to build an effective information security management system (ISMS). As part of this framework, organizations also need to implement strict access controls (section 5.15).

Requirements for ISO 27001 include managing access rights, restricting privileged access, segregation of duties, a formal authorization process for access requests, logging access rights and regular user access reviews. As with every ISO 27001 control, implementation must be governed through a topic-specific policy, i.e. an access control policy.

Learn more about ISO 27001 requirements in our compliance guide.


Access Control Policy for NIST 800-53 & NIST 800-171

Organizations that work with controlled unclassified information (CUI), such as government contractors, fall under either NIST 800-53 or NIST 800-171. NIST 800-53 applies to federal networks, while 800-171 covers nonfederal entities. However, both include the same 20 control families.

As part of their NIST compliance, entities must develop a system security plan as well as policies for each control family, which includes access control. These policies must satisfy the security requirements for protecting CUI.

NIST Access Control Requirements:

  • Account Management: Define allowed and prohibited system accounts, manage accounts based on policy, specify group/role memberships and privileges for each account, authorize only intended system usage and disable accounts once expired, inactive or no longer required.

  • Separation of Duties (SOD): Identify duties requiring separation and assign authorizations according to this requirement. Divide mission functions and support functions, as well as control functions and audit functions.

  • Least Privilege: Allow only access necessary to accomplish assigned organizational tasks. Review privileges assigned to users to validate the need for access. Reassign or remove privileges as necessary.

  • Session Termination: Terminate user sessions automatically after a predefined amount of time.

  • Device Lock: Prevent unauthorized access to devices by locking the device after a predefined time period and requiring users to lock the device before leaving it unattended. Retain device lock until an authorized user re-establishes access.

  • Account Lockout: Enforce a limit on consecutive invalid logon attempts. When the maximum number of attempts is exceeded, automatically lock the account and notify the system administrator (or take another defined action).

  • Remote Access: Establish usage restrictions, configuration and connection requirements for remote system access. Require authorization prior to establishing new remote connections. Route remote access through managed access points.

  • Mobile Devices: Establish usage restrictions, configuration and connection requirements for mobile devices. Implement encryption to protect CUI on mobile devices.
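Two of these requirements, Account Lockout and the "disable inactive accounts" part of Account Management, can be checked mechanically against authentication records and an account inventory. The following is an added example written for this article, not tenfold's code and not a NIST-provided tool: the threshold values (5 attempts, 15-minute window, 90 days of inactivity) are assumed policy settings, and the log lines and account list are constructed sample data. Besides finding accounts that reached the lockout threshold, it flags a successful logon on an account that should have been locked, which is the kind of enforcement gap an access control review is meant to catch.

```python
"""Added example (not from the article): checking the NIST account lockout and
inactive-account requirements against constructed sample data."""
from datetime import datetime, timedelta

# Assumed policy values; a real policy sets its own
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_WINDOW = timedelta(minutes=15)
INACTIVITY_LIMIT = timedelta(days=90)

# Constructed log lines: "<ISO timestamp> <user> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_AUTH_LOG = """\
2024-05-01T08:00:00 alice LOGIN_OK
2024-05-01T08:01:00 bob LOGIN_FAIL
2024-05-01T08:01:20 bob LOGIN_FAIL
2024-05-01T08:01:40 bob LOGIN_FAIL
2024-05-01T08:02:00 bob LOGIN_FAIL
2024-05-01T08:02:30 bob LOGIN_FAIL
2024-05-01T08:03:00 bob LOGIN_OK
2024-05-01T09:00:00 carol LOGIN_FAIL
2024-05-01T09:30:00 carol LOGIN_FAIL
2024-05-01T09:31:00 carol LOGIN_FAIL
2024-05-01T09:32:00 carol LOGIN_FAIL
2024-05-01T09:33:00 carol LOGIN_FAIL
2024-05-01T09:34:00 carol LOGIN_OK
"""

def detect_lockouts(log_text: str, max_attempts: int = MAX_FAILED_ATTEMPTS,
                    window: timedelta = LOCKOUT_WINDOW):
    """Replay the log. Returns (lockouts, violations):
    lockouts   - (user, timestamp) where the consecutive-failure limit was reached
    violations - (user, timestamp) of a successful logon on an account that should
                 still have been locked, i.e. the control was not enforced."""
    failures = {}          # user -> timestamps of the current run of failures
    locked = set()
    lockouts, violations = [], []
    for line in log_text.splitlines():
        ts_text, user, event = line.split()
        ts = datetime.fromisoformat(ts_text)
        if event == "LOGIN_FAIL":
            # keep only failures inside the window, then add this one
            recent = [t for t in failures.get(user, []) if ts - t <= window]
            recent.append(ts)
            failures[user] = recent
            if len(recent) >= max_attempts and user not in locked:
                locked.add(user)
                lockouts.append((user, ts))
        elif event == "LOGIN_OK":
            if user in locked:
                violations.append((user, ts))
            failures[user] = []   # a successful logon ends the consecutive run
    return lockouts, violations

# Constructed account inventory: user -> last successful logon (None = never)
ACCOUNT_LAST_LOGON = {
    "alice": datetime(2024, 5, 1, 8, 0),
    "bob": datetime(2024, 5, 1, 8, 3),
    "dave": datetime(2024, 1, 10, 12, 0),
    "svc-backup": None,
}

def accounts_to_disable(last_logon: dict, now: datetime,
                        limit: timedelta = INACTIVITY_LIMIT) -> list:
    """Accounts inactive for longer than the limit, or that never logged on."""
    return sorted(u for u, t in last_logon.items() if t is None or now - t > limit)

if __name__ == "__main__":
    locks, gaps = detect_lockouts(SAMPLE_AUTH_LOG)
    print("lockout threshold reached:", locks)
    print("logon while locked (enforcement gap):", gaps)
    print("disable for inactivity:", accounts_to_disable(ACCOUNT_LAST_LOGON, datetime(2024, 5, 1, 12, 0)))
```

In the sample, bob reaches five failures within the window and is then seen logging in successfully, which the check reports as a gap; carol's five failures are spread over more than fifteen minutes, so the window rule does not lock the account.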

Sources:

NIST SP 800-53: Security and Privacy Controls for Information Systems and Organizations

NIST SP 800-171: Protecting CUI in Nonfederal Systems and Organizations

NIST SP 800-192: Verification and Test Methods for Access Control Policies/Models

NIST IR 7316 Assessment of Access Control Systems


How to Write an Access Control Policy

The challenge with writing your own access control policy is that there is no one-size-fits-all approach. What your access control policy should look like depends on many factors, from the size and structure of your org to the types of data you process and the information systems you use.

As a result, you need to write a policy that is specific to your organization and covers your unique setup and security needs. This process always begins with planning and information gathering: Identify the assets you need to protect, the groups of users that require access and the legal obligations you have to fulfil. From there, you can plan the controls that will help you achieve this target.

Which Topics Should My Access Control Policy Cover?

Which security measures your access control policy should include depends on your organization’s security needs, which apps you use and which information assets you need to protect. However, here are some topics that are relevant to most orgs and should be included in your policy.

Topics to address in your access control policy:

  • Account provisioning

  • Multi-factor authentication

  • Password policies

  • Shared accounts

  • Guest users

  • Lifecycle management

  • Access requests

  • Principle of Least Privilege

  • Segregation of Duties

  • Logging of access rights

  • Access audits

  • Policy reviews & updates

Tip: It’s best to focus on high-level objectives for your access control policy. If necessary, you can supplement it with additional documents such as an onboarding playbook.

Access Control Policy Template

If you are writing your own access control policy and need some inspiration or an example document, you can download our access control policy template for a basic overview of the structure and contents of an access control policy.

Disclaimer: This template is only intended as a reference point and teaching tool. It is not meant to be used as is and is not sufficient to cover your security or compliance needs in its given form. Its structure and contents must be adapted to your organization and its specific requirements by a qualified individual.


Access Control Policy: Step-by-Step Guide

Now that we have a basic idea of what an access control policy should look like and which topics it should cover, let’s examine how to create your own policy. This process can be broken down into five steps:

  1. Inventory assets and IT systems: The first step to controlling access is understanding where your data lives. To achieve this, you need an accurate and up-to-date inventory of both information assets and the IT systems used to store and process them (hardware and software).

  2. Group users based on access needs: Authorizing access individually for each person is not a tenable approach to access control, especially in larger organizations. Instead, identify groups of users with similar access needs, such as people working in the same department. You can use these groups to create permission roles and streamline governance.

  3. Determine appropriate access: To minimize risk, your policy must follow the principle of least privilege. This means users should receive access only if it is necessary to accomplish their job duties. Determining which privileges are essential and which aren’t is a critical step in drafting your access control policy.

  4. Create your access control policy: Based on the information you have gathered about assets, user groups and access needs, it is now time to create your access control policy. This document puts into writing who is allowed to access which resources and which safeguards must be followed to ensure appropriate access. It should also address organizational matters, such as who is responsible for implementing controls and maintaining the policy document.

  5. Apply controls, update and revise: Even though your policy is now complete, that doesn’t mean you are finished. The last step is to put your policy into action by implementing the controls you have outlined and governing access for your users, guests and business partners in line with the new policy. Finally, your policy must be reviewed and updated regularly to ensure it stays accurate and remains an effective safeguard against access risks.
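Steps 2, 3 and 5 come together in the access review: the role model from step 2 defines what each user should hold, the least-privilege decision from step 3 keeps that model tight, and the review in step 5 compares it with the access actually present on the systems. The following is an added example written for this article, not tenfold's code or the output of any IGA product, and the role model, user list, observed permissions and segregation-of-duties rule are constructed sample data. It reports excess access, access the role model expects but the user lacks (drift in the model), accounts with no role assignment at all (typically someone who left) and segregation-of-duties conflicts.

```python
"""Added example (not from the article): a role-based access review comparing
observed access with what each user's roles entitle them to. Constructed data."""

# Step 2/3 result: roles built from groups of users with similar needs, each role
# carrying only the (system, permission) pairs that group needs for its duties
ROLE_ENTITLEMENTS = {
    "sales":      {("crm", "read"), ("crm", "write")},
    "accounting": {("erp", "post-invoice"), ("erp", "create-vendor"), ("finance-share", "read")},
    "ap-manager": {("erp", "approve-payment"), ("finance-share", "read")},
    "it-admin":   {("directory", "admin"), ("finance-share", "read")},
}
USER_ROLES = {
    "erin":  {"sales"},
    "frank": {"accounting"},
    "grace": {"accounting", "ap-manager"},
    "heidi": {"it-admin"},
    # "ivan" has left the company: no role assignment, but an account still exists
}
# Effective access as collected from the systems themselves
OBSERVED_ACCESS = {
    "erin":  {("crm", "read"), ("crm", "write"), ("finance-share", "read")},
    "frank": {("erp", "post-invoice"), ("erp", "create-vendor"), ("finance-share", "read")},
    "grace": {("erp", "post-invoice"), ("erp", "create-vendor"),
              ("erp", "approve-payment"), ("finance-share", "read")},
    "heidi": {("directory", "admin")},
    "ivan":  {("erp", "approve-payment")},
}
# Segregation-of-duties rule: nobody should hold both halves of a pair
SOD_PAIRS = [(("erp", "create-vendor"), ("erp", "approve-payment"))]

def expected_access(user: str) -> set:
    """Union of the entitlements of every role assigned to the user."""
    return set().union(*(ROLE_ENTITLEMENTS[r] for r in USER_ROLES.get(user, set())))

def review_user(user: str) -> dict:
    """Findings for one user: orphaned account, excess, missing and SoD conflicts."""
    observed = OBSERVED_ACCESS.get(user, set())
    expected = expected_access(user)
    return {
        "orphan": user not in USER_ROLES,
        "excess": observed - expected,     # least-privilege violations to revoke
        "missing": expected - observed,    # role model and reality have drifted
        "sod": [p for p in SOD_PAIRS if p[0] in observed and p[1] in observed],
    }

def run_review() -> dict:
    """Review everyone known to either the role model or the systems; return only
    users with at least one finding, so a clean account produces no entry."""
    findings = {}
    for user in sorted(set(OBSERVED_ACCESS) | set(USER_ROLES)):
        result = review_user(user)
        if result["orphan"] or result["excess"] or result["missing"] or result["sod"]:
            findings[user] = result
    return findings

if __name__ == "__main__":
    for user, result in run_review().items():
        print(user, result)
```

Grace's conflict arises from two legitimately assigned roles, which is why segregation of duties has to be checked on the combined result of role assignments and not on each role in isolation.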

How Often Do I Need to Update My Access Control Policy?

Your access control policy is not set in stone, but a living document that must be regularly reviewed and updated to account for changes in your organization or the security landscape.

As a general best practice, policies should be reviewed at least once a year as well as following significant changes to your organization or IT. For example, if you integrate a new application that stores sensitive data and that only certain users should access, this change should be reflected in your access control policy.

Putting Policy into Practice with Access Governance

An access control policy that only exists on paper achieves nothing. Once you have drafted your policy, the next step is to put your plan into action.

Aside from implementing technical safeguards like multi-factor authentication, this requires ongoing effort to administer access privileges according to your policy – from correctly provisioning new users to regular access reviews and timely offboarding for exiting employees.

To complete these tasks with the speed and precision needed to protect your org from access risks, you need an automated solution for Identity Governance & Administration. Without an IGA platform, there is simply no way to ensure safe and appropriate access for hundreds of users across dozens of systems.

An IGA solution automatically provides new users with the exact privileges intended for their role. When an employee’s job changes, IGA dynamically updates access to match their changing duties. And when they leave your org, IGA ensures that access is swiftly revoked. Additionally, IGA provides a clear overview of effective access and the tools needed to conduct streamlined access reviews.

tenfold: IGA With Faster Time to Value

You’re looking for a way to put your access control policy into action – without wasting months on setup?

Then you’re in luck: tenfold offers comprehensive Identity & Access Governance with out-of-the-box integration for your apps and IT systems, allowing it to be deployed in as little as two weeks. Experience the no-code advantage! Read our product overview or book a personal demo for more.


About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into all things Identity & Access Governance. With the help of tenfold’s experienced team of IAM developers, Joe creates helpful and well-researched articles highlighting the security and productivity benefits of IAM. From hands-on guides to compliance breakdowns, his goal is to make complex topics approachable for all.