One Article Review

Source: NoticeBored
Identifier: 3504314
Publication date: 2021-10-12 19:44:00 (seen: 2021-10-12 08:05:19)
Title: Topic-specific policy 1/11: access control
Text: Clause 5.1 of the forthcoming 2022 edition of ISO/IEC 27002 recommends having a topic-specific information security policy on "access control". OK, fine, so what would that actually look like in practice?

Before reading on, think about that for a moment. Imagine you were tasked with drafting an access control policy: what would it cover? What form would it take? How would you even start?

How about something along these lines, for starters:

What is access control intended to achieve? In about half a page, the background section explains the rationale for controlling access to assets (meaning valuable things such as information in its various forms, including but not limited to digital data).

The policy goes on to state that, whereas access to information should be restricted where necessary, access by workers should be permitted by default unless there are legitimate reasons to restrict it. In other words, a liberal approach that releases information for use unless it needs to be restricted for some reason ... which in turn begs the question of what those legitimate reasons are, who decides, and on what basis.

The alternative approach is to restrict access to assets by default unless there are sound reasons to permit it, which begs the same questions.

The template policy takes both approaches, in the form of these complementary 'policy axioms':

Policy axioms (guiding principles)
A. Access to corporate information assets by workers should be permitted by default unless there is a legitimate need to restrict it.
B. Access to corporate information assets by third parties should be restricted by default unless there is a legitimate need to permit it.

The idea is that, generally speaking, "workers" (defined elsewhere to include employees on the organization's payroll, that is staff and managers, plus third-party employees and others such as interns, temps and consultants working for and on behalf of the organisation, under its co
Sent: Yes
Stories: APT 17


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.