
IT Baseline Protection Manual - The Information Warfare Site


Safeguard Catalogue - Organisation

S 2.6 Granting of site access authorisations

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Head of Organisational Section; Head of Site/Bldg Technical Service

Prior to granting access rights to persons, the rooms in a building requiring protection must be defined, e.g. office, data media archive, server room, operating room, machine room, document archive, computing centre. The protective requirement of a room must be determined on the basis of the IT equipment kept in that room and of the protection required by the IT applications used there and the information they handle.

Subsequently, it must be defined which person needs which access permissions to perform the assigned function. This must be done in compliance with the previously defined separation of functions (S 2.5 Division of responsibilities and separation of functions). Unnecessary access permissions must not be granted.

In order to minimise the number of persons authorised to enter a room, the principle of separation of functions should also be observed in the layout of IT facilities. For instance, storing IT spare parts and data media in separate rooms prevents a maintenance engineer from gaining access to the data media.

Every access right granted or withdrawn must be documented. When a site access permission is withdrawn, it must be ensured that the means of site access (key, badge) is withdrawn as well. In addition, any conflicts that arise when granting access rights must be documented. Conflicts typically arise when a person performs functions that, from the standpoint of access authorisation, are incompatible under the separation of functions, or when spatial constraints force exceptions to it.
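The procedure above (define the rooms requiring protection, derive each function's permissions, apply the separation of functions, document every grant, withdrawal and conflict, and withdraw the means of access together with the last permission) can be captured in a small register. The following Python example is added here and is not from the IT Baseline Protection Manual; the rooms, functions, incompatible-function rule, persons and badge identifiers are constructed sample data.

```python
"""Register of site access authorisations, modelled on S 2.6.

Added illustration, not part of the IT Baseline Protection Manual. Rooms,
functions, the incompatible-function rule and the persons are constructed
sample data; badge identifiers are generated here for the example only.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Rooms requiring protection and their protective requirement (assumed values).
ROOMS: Dict[str, str] = {
    "office": "normal",
    "server room": "high",
    "data media archive": "high",
    "spare parts store": "normal",
}

# Rooms each function needs for its tasks (assumed). Nothing beyond this is granted.
FUNCTION_ROOMS: Dict[str, Set[str]] = {
    "administrator": {"office", "server room"},
    "data media custodian": {"office", "data media archive"},
    "maintenance engineer": {"server room", "spare parts store"},
    "clerk": {"office"},
}

# Separation of functions (S 2.5): function pairs one person may not combine.
# Here: whoever services the IT equipment must not also hold the data media.
INCOMPATIBLE: Set[frozenset] = {
    frozenset({"maintenance engineer", "data media custodian"}),
}


@dataclass
class Person:
    name: str
    functions: Set[str] = field(default_factory=set)
    rooms: Set[str] = field(default_factory=set)
    badge: Optional[str] = None  # the means of site access, e.g. a badge


@dataclass
class Register:
    persons: Dict[str, Person] = field(default_factory=dict)
    # (date, action, person, detail): the documentation S 2.6 requires
    log: List[Tuple[str, str, str, str]] = field(default_factory=list)
    # (person, function, reason): conflicts that arose when granting
    conflicts: List[Tuple[str, str, str]] = field(default_factory=list)
    _badge_seq: int = 0

    def _record(self, action: str, person: str, detail: str, when: date) -> None:
        self.log.append((when.isoformat(), action, person, detail))

    def assign_function(self, name: str, function: str, when: Optional[date] = None) -> bool:
        """Grant the rooms `function` needs; refuse and document a conflict
        if the person already holds an incompatible function."""
        when = when or date.today()
        if function not in FUNCTION_ROOMS:
            raise KeyError(f"unknown function: {function}")
        person = self.persons.setdefault(name, Person(name))
        for held in sorted(person.functions):
            if frozenset({held, function}) in INCOMPATIBLE:
                reason = f"{function} incompatible with {held} (separation of functions)"
                self.conflicts.append((name, function, reason))
                self._record("refused", name, reason, when)
                return False
        person.functions.add(function)
        for room in sorted(FUNCTION_ROOMS[function] - person.rooms):
            person.rooms.add(room)
            self._record("granted", name, f"{room} (needed for {function})", when)
        if person.badge is None:  # first authorisation: issue the means of access
            self._badge_seq += 1
            person.badge = f"B-{self._badge_seq:04d}"
            self._record("badge issued", name, person.badge, when)
        return True

    def withdraw_function(self, name: str, function: str, when: Optional[date] = None) -> bool:
        """Withdraw `function`; drop rooms no remaining function needs and,
        once no function is left, withdraw the badge as well."""
        when = when or date.today()
        person = self.persons.get(name)
        if person is None or function not in person.functions:
            return False
        person.functions.discard(function)
        still_needed: Set[str] = set()
        for held in person.functions:
            still_needed |= FUNCTION_ROOMS[held]
        for room in sorted(person.rooms - still_needed):
            person.rooms.discard(room)
            self._record("withdrawn", name, room, when)
        if not person.functions and person.badge is not None:
            self._record("badge withdrawn", name, person.badge, when)
            person.badge = None
        return True

    def persons_with_access(self, room: str) -> List[str]:
        """Who may enter `room`: the per-room list the additional controls ask for."""
        return sorted(p.name for p in self.persons.values() if room in p.rooms)

    def unnecessary_permissions(self) -> List[Tuple[str, str]]:
        """Rooms held without any current function needing them (should be empty)."""
        excess = []
        for p in self.persons.values():
            needed = set().union(*(FUNCTION_ROOMS[f] for f in p.functions)) if p.functions else set()
            excess.extend((p.name, room) for room in sorted(p.rooms - needed))
        return sorted(excess)
```

The register never grants a room directly; it only grants what a function needs, so "unnecessary permissions" can be audited mechanically. A refused grant is still written to the log and to the conflict list, because S 2.6 asks for the conflict itself to be documented, not only the successful grants.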

Entry permissions may be enforced either by persons (entrance control staff, lock-up service) or by technical means (badge reader, lock) (cf. S 2.14 Key Management). Non-authorised persons (e.g. visitors) may be admitted to rooms requiring protection only in the presence of, or when accompanied by, authorised staff.

Regulations concerning the granting and withdrawal of site access authorisations for employees of outside contractors must also be established.

Additional controls:

- Is documentation on the protective requirements of IT rooms in existence?

- Is the documentation on rooms requiring protection, and on persons authorised to have access, being kept up to date?


IT Baseline Protection Manual: October 2000
