Business Requirement for Access Control
Access Controls and Need to Know
CX Index will define and document access control rights and rules for each user or group of users. Service providers shall be given clear statements of the business requirements met by these access controls. Access to information and information services will only be given on the basis of business and security requirements.
Access will be given on a need-to-know basis, based upon the security requirements and business requirements of individual business applications. Access to information shall be provided in a manner that aims to protect the confidentiality and integrity of that information and without compromise to associated information or raw data. Data owners shall review access control rights for users and groups of users on a bi-annual basis to ensure that all access rights are authorised and remain appropriate, and that no unauthorised privileges have been gained.
All forums where confidential information may be discussed and where non-CX Index employees are present shall be preceded by a determination that all parties are authorised to receive the information, and by the appropriate categorisation of that information.
Access will be given consistent with security levels and classifications, and with legislation and contractual obligations for confidentiality.
Standard common groups of users will be given standard access profiles.
Access rights in a networked environment will recognise all connection types available.
All users and groups of users shall receive a clear statement as to the access policy and as to the requirements met by these access controls.
Originators of confidential information shall decide who will be permitted to gain access to that information, and shall specify the uses for that information.
Administrator access to production systems will be limited to only those with a justified business requirement for such access. Developers and other application personnel will not have access to the underlying operating system on production systems, except in emergencies, and then with access granted only for the time necessary. System administrators shall not have access to the applications where possible.
Types of Access Controls
CX Index will establish clear access control rules that distinguish between optional, express, discretionary and automatic access rights, and those that require approval.