Access Control

• Site conducted

• Conducted on

  Date

• Prepared by

• Location
  Address

Access control. Objective: To limit access to information and information processing facilities.

• Access control policy. Is an access control policy established, documented and reviewed based on business and information security requirements.<br>

  Yes

  No

  N/A

• Access to networks and network services. Are users only be provided with access to the network and network services that they have been specifically authorised to use<br>

  Yes

  No

  N/A

User access management. To ensure authorised user access and to prevent unauthorised access to systems and services.

• User registration and de­registration. Is a formal user registration and de­registration process shall be implemented to enable assignment of access rights.<br>

  Yes

  No

  N/A

• User access provisioning. Is a formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.<br>

  Yes

  No

  N/A

• Management of privileged access rights. Is the allocation of secret authentication information controlled through a formal management process.

  Yes

  No

  N/A

• Management of secret authentication information of users. Does management review users’ access rights at regular intervals using a formal process?

  Yes

  No

  N/A

• Review of user access rights. Do asset owners review users’ access rights at regular intervals

  Yes

  No

  N/A

• Removal or adjustment of access rights. Do the access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.<br>

  Yes

  No

  N/A

User responsibilities. To make users accountable for safeguarding their authentication information.

• Use of secret authentication information. Are users required to follow the organisation’s practices in the use of secret authentication information.<br>

  Yes

  No

  N/A

System and application access control. To prevent unauthorised access to systems and applications.

• Information access restriction. Is access to information and application system functions shall be restricted in accordance with the access control policy.

  Yes

  No

  N/A

• Secure log­on procedures. Where required by the access control policy, is access to systems and applications controlled by a secure log-on procedure.

  Yes

  No

  N/A

• Password management system. Are password management systems interactive and ensure quality passwords.

  Yes

  No

  N/A

• Use of privileged utility programs. Does the use of utility programs that might be capable of overriding system and application controls restricted and tightly controlled.<br>

  Yes

  No

  N/A

• Access control to program source code. Is access to program source code restricted.

  Yes

  No

  N/A