Article Summary
Access control is the mechanism by which an organisation translates its information security principles into operational reality. This article covers the four core principles — least privilege, segregation of duties, authentication, and accountability — how access control requirements differ across data centres, banks, government facilities, hospitals, and small businesses, what the policy must contain in each area, and a sample policy structure.
Why This Policy Exists
Access control is the mechanism by which an organisation translates its information security principles into operational reality. It is the difference between an organisation that says only authorised people can access sensitive information and an organisation that can demonstrate it. Every breach investigation that has ever been conducted finds access control failures at or near the root cause.
Accounts with excessive privileges. Credentials that were not revoked when an employee left. Systems accessible from the internet that should have been internal only. Shared accounts that make accountability impossible. Access control failures are not exotic. They are common, predictable, and preventable.
The Access Control Policy exists to establish the organisation's requirements for managing who can access what, under what conditions, through what mechanisms, and with what level of accountability. CISM's risk management domain is explicit that access control is one of the primary mechanisms for reducing information security risk to an acceptable level.
How the Policy Is Derived
The Access Control Policy is derived from the Information Security Policy's principle that access to information must be restricted to authorised individuals based on a legitimate business need. The specific requirements are informed by the organisation's risk assessment, its data classification scheme, its regulatory obligations, and the specific access risks present in its technology environment.
An organisation that processes payment card data derives specific access control requirements from PCI DSS, which mandates least privilege access, individual accountability for all access to cardholder data, and strict controls on remote access. An organisation subject to GDPR derives access control requirements from the regulation's requirement to implement appropriate technical measures to protect personal data. These regulatory requirements do not create separate access control policies. They add specific requirements to the single Access Control Policy the organisation maintains.
The Core Principles of Access Control
How Access Control Differs by Organisation and Environment
Data Centre
Access control applies at multiple layers simultaneously. Physical access to server rooms is controlled through card readers, biometric scanners, and mantrap entry. Logical access uses privileged access management solutions and jump servers. Remote access to management systems requires MFA over encrypted connections. The policy must address both physical and logical layers explicitly.
Bank or Financial Institution
Teller systems, trading platforms, payment processing, and customer databases all require granular role-based access with individual accountability for every transaction. Financial sector regulators mandate strict controls on privileged access, comprehensive audit logging of all access to customer financial data, and formal access review processes. Access to trading systems requires additional controls to prevent insider trading.
Government Facility
Personnel security clearance levels determine access to classified information, and the access control policy must integrate with the national clearance scheme. Physical access to secure areas requires clearance verification as well as authentication. The principle of need-to-know is applied more rigorously than in commercial environments — a cleared individual can only access classified information they have a specific, documented need to access for their current assignment.
Hospital
A hospital must balance strict access control for patient data with the operational reality that clinical staff need rapid, reliable access in time-critical situations. An emergency physician treating an unconscious patient cannot wait for an access provisioning process to complete. The policy must address break-glass procedures with full audit logging and mandatory post-access review — a requirement unique to the healthcare environment.
Small Business
A small business cannot implement a full privileged access management platform or dedicated identity governance solution. The policy must reflect realistic implementation. Strong passwords enforced through the directory service, MFA for remote access and email, regular access reviews by managers, and prompt revocation on employee departure are achievable and represent a significant risk reduction without requiring enterprise tooling.
Cloud-First Organisation
The traditional network perimeter no longer provides meaningful access control. Identity becomes the primary perimeter. The policy must address cloud identity and access management, federation with on-premises directories, service account governance, and the management of API keys and secrets. Just-in-time access models — where privileged access is granted for a defined task window and automatically revoked — are particularly important in cloud environments.
What the Policy Must Contain and Why
| Requirement Area | What the Policy Establishes | Why It Matters |
|---|---|---|
| Access Provisioning | All access requests must be formally submitted with business justification, approved by the relevant system or data owner, and granted in accordance with least privilege. | Informal provisioning creates access rights that are not documented, not reviewed, and often not revoked when the employee moves to a different role. |
| Access Review | Access rights reviewed at least annually for standard users, at least quarterly for privileged accounts. Conducted by system owners and line managers, not the IT function alone. | Access rights accumulate over time as employees change roles. Without periodic review, the least privilege principle erodes continuously from the day access is first granted. |
| Access Revocation | Access revoked on the user's last day of employment. Covers all systems including those managed by third parties. Confirmed through a formal offboarding checklist. For high-risk departures, revocation completes before the employee is notified. | Access remaining active after an employee departs is a significant security risk, particularly for employees who left under difficult circumstances. |
| Privileged Access | Privileged accounts separate from regular user accounts. Granted only when operationally required. All sessions logged. Reviewed quarterly. Shared privileged accounts prohibited. | Privileged accounts can access, modify, or delete vast amounts of organisational data. They are high-value targets for attackers and high-risk accounts from an insider threat perspective. |
| Authentication | MFA mandatory for all remote access, all access to Confidential or Restricted data, and all privileged access. Specific requirements defined in the Authentication Standard. | Passwords alone are insufficient against modern attack methods. MFA prevents credential-only attacks from succeeding even when credentials have been compromised. |
| Remote Access | All remote access uses encrypted connections over approved solutions. MFA mandatory. Access from unmanaged personal devices to sensitive systems prohibited unless specifically approved. | Remote access has become standard operationally but significantly expands the attack surface. Controls must expand with it. |
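As an added example (not part of the article), the review, revocation, privileged-access and MFA requirements in the table above can be turned into an automated check over an organisation's access records. The account records and the fixed audit date below are constructed for illustration.

```python
from datetime import date, timedelta

# Review cadence from the policy: annual for standard users, quarterly for privileged accounts.
REVIEW_MAX_AGE = {"standard": timedelta(days=365), "privileged": timedelta(days=90)}

# Fixed audit date so the example is deterministic.
TODAY = date(2024, 11, 1)

# Constructed sample access records (hypothetical accounts, not real data).
ACCOUNTS = [
    {"id": "a.smith", "type": "standard", "active": True, "shared": False, "mfa": True,
     "last_review": date(2024, 6, 1), "termination": None},
    {"id": "b.jones-adm", "type": "privileged", "active": True, "shared": False, "mfa": True,
     "last_review": date(2024, 3, 1), "termination": None},               # review older than 90 days
    {"id": "c.lee", "type": "standard", "active": True, "shared": False, "mfa": True,
     "last_review": date(2024, 9, 1), "termination": date(2024, 10, 15)},  # left, still active
    {"id": "svc-backup-adm", "type": "privileged", "active": True, "shared": True, "mfa": False,
     "last_review": date(2024, 10, 1), "termination": None},              # shared and no MFA
]

def check_account(acct, today):
    """Return the policy findings for one account; an empty list means compliant."""
    findings = []
    # Revocation: access must be gone on or before the last day of employment.
    if acct["active"] and acct["termination"] and acct["termination"] <= today:
        findings.append("active after termination date")
    # Review cadence depends on whether the account is privileged.
    last = acct["last_review"]
    if last is None or today - last > REVIEW_MAX_AGE[acct["type"]]:
        findings.append("access review overdue")
    # Privileged accounts: no sharing, MFA always required.
    if acct["type"] == "privileged":
        if acct["shared"]:
            findings.append("shared privileged account")
        if not acct["mfa"]:
            findings.append("privileged access without MFA")
    return findings

def audit(accounts, today):
    """Map account id to its findings, only for accounts with at least one finding."""
    report = {}
    for acct in accounts:
        findings = check_account(acct, today)
        if findings:
            report[acct["id"]] = findings
    return report

if __name__ == "__main__":
    for acct_id, findings in audit(ACCOUNTS, TODAY).items():
        print(acct_id, "->", ", ".join(findings))
```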
Sample Access Control Policy Structure
1. Purpose
This policy establishes [Organisation Name]'s requirements for controlling access to information systems, applications, and data. It defines the principles, mechanisms, and processes by which access rights are granted, maintained, reviewed, and revoked, with the objective of ensuring that access to information is restricted to authorised individuals with a legitimate business need, in proportion to their role and responsibilities.
2. Scope
This policy applies to all information systems, applications, databases, and physical facilities owned or operated by [Organisation Name] or processing [Organisation Name] data on its behalf. It applies to all employees, contractors, consultants, and third parties who require access, regardless of location or access method.
3. Access Control Principles
Least Privilege: users receive only the access rights required for their assigned job functions.
Segregation of Duties: critical functions are divided between individuals to prevent any single person completing a high-risk transaction without oversight.
Individual Accountability: all access activity is attributable to a specific named individual. Shared or generic accounts are not permitted for systems processing Confidential or Restricted information.
Need to Know: access to sensitive information is further restricted to individuals with a specific, documented business need, even within their authorised role.
4–13. Provisioning, Review, Revocation, Privileged Access, Authentication, Remote Access, Physical Access, Regulatory Alignment, Exceptions, Related Documents
All access requests submitted formally with business justification and approved by system or data owner. Access rights reviewed annually for standard users and quarterly for privileged accounts. Access revoked on last day of employment across all systems. Privileged accounts separate, logged, and reviewed quarterly — shared privileged accounts prohibited. MFA mandatory for remote access, sensitive data access, and all privileged access. Remote access encrypted; unmanaged devices prohibited for sensitive systems. Physical access controlled through approved mechanisms with logs retained per regulatory requirements. Regulatory alignment with PCI DSS, GDPR, and applicable sector regulations. Exceptions require CISO approval, documented risk assessment, and annual review.