Access control policy

Purpose

The objective of this policy is to minimise accidental or unauthorised access to council and/or partner connected systems, networks, applications, and information. It is applicable to all forms of logical access.

This document supports the council’s Information Security Management System Policy and Code of Conduct for council staff. It provides direction and support for the implementation of information security and is designed to help council employees carry out the business of the council in a secure manner. By complying with this policy, the risks facing the council are minimised.

Introduction

Individuals who are not explicitly granted access to council information or information systems are prohibited from using such systems.

Individuals employed by or under contract to the council shall be granted access only to information and information systems that are required to fulfil their duties.

Access will be granted only to those staff who have formally agreed to comply with the council’s Information Security Policy and have signed the council’s Code of Conduct (for council employee’s) or a confidentiality/non-disclosure agreement (agency workers).

This policy applies to:

The policy is not designed to be obstructive. If you believe that any element of this policy hinders or prevents you from carrying out your duties, please contact the council's Digital Services (DS) Service Desk.

This policy should be read in conjunction with the following documents:

Physical access control

Control of entry into council buildings, sites and locations is important for the security of the council’s information systems (both computerised and manual) and its employees.

Appropriate entry controls must be provided to ensure that only authorised employees are allowed access. This is best achieved through the use of an electronic ID card/pass system or the use of a signing in book where electronic control is not possible. Access control must be rigidly enforced in buildings and areas housing sensitive information assets.

In buildings where IT facilities are located and where there is public access, special measures for access enforcement, particularly after normal office hours, must be taken.

For further details, please see the Physical and Environmental Security Policy.

DS operations and network access control

Access to information and information systems will be controlled on the basis of business and security requirements.

An access management process for every system/database must be created, documented, approved, enforced and communicated to all relevant employees and partner organisations.

Each business application run by, or on behalf of the council, will have a nominated system administrator who is responsible for managing and controlling access to the application and associated information.

Access to information must be based on 'need to know' and segregation of duties and roles. The appropriate information, system, database, or application owner is the only individual that can authorise a systems administrator to grant or update access via the formal access management process.

Audit must monitor the process to ensure that access control is appropriately implemented according to ‘business need to know’ and ‘segregation of duty and role’ principles.

Special attention is given, where appropriate, to the need to control the allocation of privileged access rights, which allow users to override system controls.

Access control requirements are clearly defined, documented and maintained within an Access Policy Matrix, which specifies the rights of individuals or groups of users.

The council has adopted common Windows-based operating systems, and predefined user profiles will be maintained to restrict access. The matrix will be approved and reviewed by the data owner and occasionally reviewed by the Information Data and Governance Board to ensure consistency.

User access management

User access management covers all stages of user access, from initial registration, through changes in role, to deregistration and revocation of access.

The security of systems, networks, applications and databases is heavily dependent on the level of protection of user IDs, passwords, and other credentials that provide access to it. Hence, protecting the credentials that provide access to information is indirectly protecting the information.

Identification and authentication of users and systems enables the tracking of activities to be traced to the person responsible.

All employees shall have a unique identifier (user ID) for their personal and sole use. Shared, group and generic user IDs are not permitted unless they are used to access the intranet only. Employees must be educated that they are not permitted to allow their user ID to be used by anyone else. Employees must be made aware of this and how to store them.

A process must exist for issuing and revoking the user IDs. Redundant user accounts must be monitored and managed.

User registration

A process for user registration and granting access rights exists and includes:

Change of role

Where an employee changes role within the council the following process is followed:

A process must be in place for HR departments/officers to communicate transfers to system administrators.

Review of access rights

Line managers should review access lists to ensure they are still applicable. Necessary modifications must be sent to system administrators for correction, using the ‘Amend User Request’ as above.

The data owner must approve access rights prior to set up by the system administrator.

The system administrator does not have the authority to decide who should have access to what information. This is a business decision.

Removal of access

On resignation of employment, the worker's line managers, in conjunction with HR, will undertake a risk assessment and determine whether existing access rights of an individual should be reviewed and reduced whilst working out their notice. Hostile terminations must be communicated to system administrators immediately and access immediately disabled.

The manager must email HR using leavernotifications@enfield.gov.uk and include the name and the date that the worker intends to leave in the subject line. This should be completed within 7 calendar days of resignation, or immediately if a worker is leaving for other reasons.

Access rights should be disabled within 24 hours on the employee’s lasting working day.

If the leaver has been provided with any equipment and access to systems and buildings, it is important that all council assets are returned on the workers last working day and access to buildings and systems removed. Digital Services will notify the manager and worker of the digital assets that should be checked and returned.

It is the responsibility of line managers to ensure that leavers return their entry ID pass at the end of their last working day and to return it to Facilities Management for deactivation and prevent access to council's buildings.

It is important that all assets are returned to Digital Services on the workers last working day, or equipment must be returned within 5 days of that date.

Failure to submit leavers details to Digital Services within these timelines, or at all, may result in breaches of LBE’s Data Protection Policy.

Password management and multi-factor authentication

To identify users, usernames must require another access token in order to login. This can be a biometric, a time-sensitive generated password, a hardware token, a user-managed password or a combination of these.

Where practicable, system access should require more than one access token – multi-factor authentication (MFA). If MFA is in place, the password expiry rule below is not required.

All systems must use at least passwords for access. The following controls will be in place to ensure strong password management:

Privilege management

A process is in place for the allocation and removal of system administration level access or increased user privilege and includes the following controls:

Monitoring system access and use

Systems will be monitored to detect deviation from the Access Control Policy and record events to provide evidence in case of security incidents.

The application business owner/system administrator must establish the logging and monitoring requirements for business auditing purposes. Designated employees responsible for the following areas must establish the logging and monitoring requirements for the relevant purposes:

A process for capturing logging and monitoring requirements must be developed. Audit and event logs will need to be adequately secured, possibly centrally and separately from privileged-level employees (separation of duties). Tools may be required for log analysis.

Security of third-party access

See Third Party Access and Management Policy.

Access from overseas

Access to the council’s network from overseas is subject to additional controls to ensure compliance with relevant legislation and this will place additional personal liability on users. Please refer to the Acceptable Usage Policy for details.

DS equipment supplied by the council may only be taken to countries identified as having an assessment of adequate data protection by the ICO or the council. See ICO - A guide to international transfers.

Note that the above applies equally to council owned devices and personal devices with ability to access council data (BYOD).

There is an approval process for users who wish to work overseas. Users must seek formal approval using the approval process prior to working overseas, see the smart working policy on staff intranet.

Access to secure areas

All network equipment (including, but not limited to WAN service termination equipment, routers, switches, cabling patch panels) will be kept in appropriate locked facilities whenever practicable. All network equipment outside of designated communication rooms must be kept securely. Staff must ensure that communications cabinet and communications room doors are secured when they are left unattended. All keys must be limited to staff who need them to carry out their duties. If any key is lost or mislaid, or any door found unlocked, then this must be reported immediately as a security incident to DS Service Desk.

All physical servers must be kept physically secure in an area for authorised individuals only. A process of allocating and monitoring access to server rooms must be implemented - this may include electronic access control or the use of signing in books as appropriate.

For cloud servers and services, the supplier must have a suitable Cloud Security Assessment (see Use of Cloud Services Security Policy).

For further information see the Physical and Environmental Security Policy.

Policy compliance

The council requires that all employees comply with the directives presented within this policy. This policy will be included within the Information Security Internal Audit Programme, and compliance checks will take place to review the effectiveness of its implementation.

Exceptions

In the following exceptional cases compliance with some parts of the policy may be relaxed. The parts that may be relaxed will depend on the particular circumstances of the incident in question:

In such cases, the staff member concerned must take the following action:

In addition, the DS Security Analyst maintains a list of known exceptions and non-conformities to the policy. This list contains:

The council will not take disciplinary action in relation to known, authorised exceptions to the information security management system.

Penalties

Non-compliance is defined as any one or more of the following:

Any violation or non-compliance with this policy may be treated as serious misconduct.

Penalties may include termination of employment or contractual arrangements, civil or criminal prosecution.


Policy details

Author – Information Governance Manager
Owner – Information and Data Governance Board
Version – 4.6
Reviewer – Information and Data Governance Board
Classification – Official
Issue status – Draft
Date of first issue – 16.01.2008
Date of latest re-issue – 30.05.2024
Date approved by IGB – 19.05.2024
Date of next review – 30.04.2025

Council news directly to you

The latest news in your inbox every week. Council news, community updates, local events and more.

Sign up Sign up