IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.31 Documentation on Authorised Users and on
Rights Profiles
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrator
Such documentation serves to provide an overview of the authorised users,
user groups and rights profiles and is required for effective monitoring.
The following three means of providing documentation should all be used:
- generic administration files provided by the system,
- individual files administered by the responsible Administrator,
- hard copies.
In particular, the following should be documented:
- authorised users together with the following details: assigned rights profile
(plus any deviations from the standard rights profile used), reasons for
selecting that particular rights profile (plus any deviations, if applicable),
user contact details, date and reason for configuring this user, and any time
limits;
- authorised groups, together with details of the relevant users, date and
reason for configuration, plus any time limits.
The documentation regarding the authorised users and rights profiles should
be checked at regular intervals (at least every six months) to see whether it
reflects the actual situation regarding the granting of rights and whether the
assignment of rights still matches the security requirements and the current
tasks of the users.
Additional controls:
- Are there records of the authorised users and groups and their authorisation
profiles?
- Are the records up to date?
- When were the records last checked?
- Are the records adequately protected against unauthorised access?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000