Access control policy

Purpose

The objective of this policy is to minimise accidental or unauthorised access to council and/or partner connected systems, networks, applications, and information. It is applicable to all forms of logical access.

This document supports the council’s Information Security Management System Policy and Code of Conduct for council staff. It provides direction and support for the implementation of information security and is designed to help council employees carry out the business of the council in a secure manner. By complying with this policy, the risks facing the council are minimised.

Introduction

Individuals who are not explicitly granted access to council information or information systems are prohibited from using such systems.

Individuals employed by or under contract to the council shall be granted access only to information and information systems that are required to fulfil their duties.

Access will be granted only to those staff who have formally agreed to comply with the council’s Information Security Policy and have signed the council’s Code of Conduct (for council employee’s) or a confidentiality/non-disclosure agreement (agency workers).

This policy applies to:

• all employees including temporary and agency workers, independent consultants and contractors.
• members
• third party organisations who require access to the council’s information systems and facilities should also be aware of the contents of this policy

The policy is not designed to be obstructive. If you believe that any element of this policy hinders or prevents you from carrying out your duties, please contact the council's Digital Services (DS) Service Desk.

This policy should be read in conjunction with the following documents:

• Acceptable Use Policy
• Information Classification and Handling Policy
• Physical and Environmental Security Policy
• Third Party Access Policy

Physical access control

Control of entry into council buildings, sites and locations is important for the security of the council’s information systems (both computerised and manual) and its employees.

Appropriate entry controls must be provided to ensure that only authorised employees are allowed access. This is best achieved through the use of an electronic ID card/pass system or the use of a signing in book where electronic control is not possible. Access control must be rigidly enforced in buildings and areas housing sensitive information assets.

In buildings where IT facilities are located and where there is public access, special measures for access enforcement, particularly after normal office hours, must be taken.

For further details, please see the Physical and Environmental Security Policy.

DS operations and network access control

Access to information and information systems will be controlled on the basis of business and security requirements.

An access management process for every system/database must be created, documented, approved, enforced and communicated to all relevant employees and partner organisations.

Each business application run by, or on behalf of the council, will have a nominated system administrator who is responsible for managing and controlling access to the application and associated information.

Access to information must be based on 'need to know' and segregation of duties and roles. The appropriate information, system, database, or application owner is the only individual that can authorise a systems administrator to grant or update access via the formal access management process.

Audit must monitor the process to ensure that access control is appropriately implemented according to ‘business need to know’ and ‘segregation of duty and role’ principles.

Special attention is given, where appropriate, to the need to control the allocation of privileged access rights, which allow users to override system controls.

Access control requirements are clearly defined, documented and maintained within an Access Policy Matrix, which specifies the rights of individuals or groups of users.

The council has adopted common Windows-based operating systems, and predefined user profiles will be maintained to restrict access. The matrix will be approved and reviewed by the data owner and occasionally reviewed by the Information Data and Governance Board to ensure consistency.

User access management

User access management covers all stages of user access, from initial registration, through changes in role, to deregistration and revocation of access.

The security of systems, networks, applications and databases is heavily dependent on the level of protection of user IDs, passwords, and other credentials that provide access to it. Hence, protecting the credentials that provide access to information is indirectly protecting the information.

Identification and authentication of users and systems enables the tracking of activities to be traced to the person responsible.

All employees shall have a unique identifier (user ID) for their personal and sole use. Shared, group and generic user IDs are not permitted unless they are used to access the intranet only. Employees must be educated that they are not permitted to allow their user ID to be used by anyone else. Employees must be made aware of this and how to store them.

A process must exist for issuing and revoking the user IDs. Redundant user accounts must be monitored and managed.

User registration

A process for user registration and granting access rights exists and includes:

• line managers request correct access controls for new users. A ‘New User Request’ should be completed using the council's Service Desk
• unique user IDs assigned so that access and modifications can be traced
• authorised users are aware of their responsibilities for the protection of information within the application and where applicable users sign an appropriate agreement
• ensuring access is granted once authorisation is obtained
• maintaining a record of all registered users

Change of role

Where an employee changes role within the council the following process is followed:

• Line Managers must inform all relevant information owners/system administrators of the names of employees that have transferred to different job/roles within 24 hours of transfer
• Information owners must review the transferee’s access rights to their systems to ensure that they are still valid
• Where relevant, an ‘Amend User Request’ should be completed by line managers using the council's Service Desk available on the staff intranet

A process must be in place for HR departments/officers to communicate transfers to system administrators.

Review of access rights

Line managers should review access lists to ensure they are still applicable. Necessary modifications must be sent to system administrators for correction, using the ‘Amend User Request’ as above.

The data owner must approve access rights prior to set up by the system administrator.

The system administrator does not have the authority to decide who should have access to what information. This is a business decision.

Removal of access

On resignation of employment, the worker's line managers, in conjunction with HR, will undertake a risk assessment and determine whether existing access rights of an individual should be reviewed and reduced whilst working out their notice. Hostile terminations must be communicated to system administrators immediately and access immediately disabled.

The manager must email HR using leavernotifications@enfield.gov.uk and include the name and the date that the worker intends to leave in the subject line. This should be completed within 7 calendar days of resignation, or immediately if a worker is leaving for other reasons.

Access rights should be disabled within 24 hours on the employee’s lasting working day.

If the leaver has been provided with any equipment and access to systems and buildings, it is important that all council assets are returned on the workers last working day and access to buildings and systems removed. Digital Services will notify the manager and worker of the digital assets that should be checked and returned.

It is the responsibility of line managers to ensure that leavers return their entry ID pass at the end of their last working day and to return it to Facilities Management for deactivation and prevent access to council's buildings.

It is important that all assets are returned to Digital Services on the workers last working day, or equipment must be returned within 5 days of that date.

Failure to submit leavers details to Digital Services within these timelines, or at all, may result in breaches of LBE’s Data Protection Policy.

Password management and multi-factor authentication

To identify users, usernames must require another access token in order to login. This can be a biometric, a time-sensitive generated password, a hardware token, a user-managed password or a combination of these.

Where practicable, system access should require more than one access token - multi-factor authentication (MFA). If MFA is in place, the password expiry rule below is not required.

All systems must use at least passwords for access. The following controls will be in place to ensure strong password management:

• Password length must be a minimum of 8 to 12 characters, and 15 characters for privileged accounts
• Where the software solution allows the password complexity will be as follows (or at minimum a combination containing at least three of the following conditions):
  • One numeric ( 0 1 2 3 4 5 6 7 8 9 )
  • One upper case ( A B C D E F G H I J K L M N O P Q R S T U V W X Y Z )
  • One lower case ( a b c d e f g h I j k l m n o p q r s t u v w x y z )
  • One special character ( * ! # . @ # $ % ^ & * , )
• The password will be changed every 60 days (where the application allows this to be enforced, otherwise users will be required to change the password manually). This rule is relaxed if MFA is in use
• Users should not repeat the same password within a cycle of 20 password changes
• When an invalid password is entered three times in a row, the system revokes user access and must be reset. In some systems, users can do this for themselves using validation such as messages to mobile or secret questions. In others, system administrators must validate the request before resetting the password. Passwords stored on a computer are encrypted and protected from unauthorised access or deletion.
• Passwords must not be displayed on screen at any time
• All default passwords must be changed following the installation of any new software or hardware
• Users can reset their own passwords in some systems, in others, only system administrators are permitted to reset passwords or assign new passwords
• New passwords and reset passwords are random and force immediate change after first login by the user. System administrators must ensure that they divulge new or reset passwords only to the authorised user of that ID.
• When it is known or suspected that a user ID has been compromised the system administrator must be immediately informed in order to have it revoked and the council's Service Desk informed so that an DS Security Incident can be logged
• System passwords, including administrator passwords that are used to access data that is required by the business, must be stored in secure locations such that in the advent of a business requirement the passwords can be recovered
• There is a process in place to allow for the prompt resetting of passwords
• Passwords should generally be chosen to follow NCSC current guidance

Privilege management

A process is in place for the allocation and removal of system administration level access or increased user privilege and includes the following controls:

• Every level of privilege within each application and the categories of staff to which they need to be allocated are identified and recorded
• Privileges are allocated to an individual as an event requires
• Authorisation is recorded for each allocated level of privilege and only granted once authorisation is obtained
• The development of system routines are identified and implemented to avoid the use of privileged access
• Privileges are assigned to a different user ID from those used for normal business use and where possible a log of increased user privilege is recorded

Monitoring system access and use

Systems will be monitored to detect deviation from the Access Control Policy and record events to provide evidence in case of security incidents.

The application business owner/system administrator must establish the logging and monitoring requirements for business auditing purposes. Designated employees responsible for the following areas must establish the logging and monitoring requirements for the relevant purposes:

• Security
• Incident investigations
• Audit
• Fraud
• Legal

A process for capturing logging and monitoring requirements must be developed. Audit and event logs will need to be adequately secured, possibly centrally and separately from privileged-level employees (separation of duties). Tools may be required for log analysis.

Security of third-party access

See Third Party Access and Management Policy.

Access from overseas

Access to the council’s network from overseas is subject to additional controls to ensure compliance with relevant legislation and this will place additional personal liability on users. Please refer to the Acceptable Usage Policy for details.

DS equipment supplied by the council may only be taken to countries identified as having an assessment of adequate data protection by the ICO or the council. See ICO - International transfers after the UK exit from the EU Implementation Period.

Note that the above applies equally to council owned devices and personal devices with ability to access council data (BYOD).

There is an approval process for users who wish to work overseas. Users must seek formal approval using the approval process prior to working overseas, see the smart working policy on staff intranet.

Access to secure areas

All network equipment (including, but not limited to WAN service termination equipment, routers, switches, cabling patch panels) will be kept in appropriate locked facilities whenever practicable. All network equipment outside of designated communication rooms must be kept securely. Staff must ensure that communications cabinet and communications room doors are secured when they are left unattended. All keys must be limited to staff who need them to carry out their duties. If any key is lost or mislaid, or any door found unlocked, then this must be reported immediately as a security incident to DS Service Desk.

All physical servers must be kept physically secure in an area for authorised individuals only. A process of allocating and monitoring access to server rooms must be implemented - this may include electronic access control or the use of signing in books as appropriate.

For cloud servers and services, the supplier must have a suitable Cloud Security Assessment (see Use of Cloud Services Security Policy).

For further information see the Physical and Environmental Security Policy.

Policy compliance

The council requires that all employees comply with the directives presented within this policy. This policy will be included within the Information Security Internal Audit Programme, and compliance checks will take place to review the effectiveness of its implementation.

Exceptions

In the following exceptional cases compliance with some parts of the policy may be relaxed. The parts that may be relaxed will depend on the particular circumstances of the incident in question:

• If complying with the policy would lead to physical harm or injury to a member of staff
• If complying with the policy would cause significant damage to the company’s reputation or ability to operate
• If an emergency arises

In such cases, the staff member concerned must take the following action:

• Ensure that their manager is aware of the situation and the action to be taken
• Ensure that the situation and the actions taken are recorded in as much detail as possible on a non-conformance report
• Ensure that the situation is reported to the LBE Service Desk as soon as possible.
• Failure to take these steps may result in disciplinary action

In addition, the DS Security Analyst maintains a list of known exceptions and non-conformities to the policy. This list contains:

• known breaches that are in the process of being rectified
• minor breaches that are not considered to be worth rectifying
• any situations to which the policy is not considered applicable

The council will not take disciplinary action in relation to known, authorised exceptions to the information security management system.

Penalties

Non-compliance is defined as any one or more of the following:

• Any breach of policy statements or controls listed in this policy
• Unauthorised disclosure or viewing of confidential data or information belonging to the council or partner organisation
• Unauthorised changes to information, software or operating systems
• The use of hardware, software, communication networks and equipment, data or information for illicit purposes which may include violations of any law, regulation or reporting requirements of any law enforcement agency or government body
• The exposure of the council or partner organisation to actual or potential monetary loss through any compromise of security
• Any person who knows of or suspects a breach of this policy must report the facts immediately to the Information security officer or senior management

Any violation or non-compliance with this policy may be treated as serious misconduct.

Penalties may include termination of employment or contractual arrangements, civil or criminal prosecution.

Policy details

Author - Information Governance Manager
Owner - Information and Data Governance Board
Version - 4.6
Reviewer - Information and Data Governance Board
Classification - Official
Issue status - Draft
Date of first issue - 16.01.2008
Date of latest re-issue - 30.05.2023
Date approved by IGB - 19.05.2023
Date of next review - 30.04.2024