An Access Control Policy providing high-level guidance on the creation, use, and management of business access controls SHALL be implemented.
Access control is required throughout an organization to uphold the confidentiality, integrity, and availability of company resources. Access controls apply not only to digital resources but to physical ones as well. Without an Access Control Policy that explains how access controls are applied and managed, a business will often lose track of the subjects (users, services, devices) and objects (systems, data, facilities) that make up its environment. This leads to privilege creep, where accumulated entitlements are never revoked, and increases the risk of compromise by threat actors. The Access Control Policy should define access control as it applies to the business. It should also describe the key principles and controls of the organization’s access control systems, such as the principle of least privilege, privileged access management, and universal multifactor authentication. The policy should clearly define every employee’s responsibilities for managing their own privileges and credentials. The policy should be reviewed and formalized by a combination of senior management and IT subject matter experts. Upon publication, it should be distributed to all employees and made available on the digital platforms through which company accounts are accessed.
