Access Control Policy
General Overview: Access within Research and Development must be divided and specified for each user according to that user's responsibilities and duties in the division. To do so, the roles and responsibilities of every user must be identified and documented before access is granted.
- Implementation of Role-Based Access Control (RBAC): access and permissions are granted based on each user's role, limiting access to sensitive information to those whose role requires it.
- Permissions and access levels are based on Group Policy, and requests for access and permissions are managed by the System Administrator or the Account Management Team.
- Use of a hardened, access-controlled document management system, such as Microsoft SharePoint.
- Network segmentation of critical assets and systems, with user access to each segment limited to those who need it.
Account Management Team
- Defines and grants access levels and permissions to each user, primarily based on Group Policy.
- Each request for a change in a user's permissions must be approved and documented by Management Team Leads before it is applied.
- Responsible for periodic auditing and access reviews.
- Creation and termination of user accounts.
Research and Development
- Separation of Duties: no single user should have access to or control over every process and task. Data management, access to intellectual property, and the other information systems supporting Research and Development tasks should be operated by different individuals.
- Least Privilege: each user must have permissions defined by their task in Research and Development, and permissions must be reviewed, updated and documented weekly to fit the division's current needs.
Data Analytics
- Data sharing and data collection tools and software must be the current, supported versions, and must be verified and approved for security and use by the Account Management Team before deployment.
- All databases and file systems must be encrypted at rest.
- Data sharing and storage must be verified periodically for compliance with the applicable regulations, including but not limited to the Virginia Consumer Data Protection Act (VCDPA) and the General Data Protection Regulation (GDPR).
Finance
- All financial data must be encrypted in storage and in transit in accordance with applicable standards, including but not limited to the Gramm-Leach-Bliley Act (GLBA) and the Payment Card Industry Data Security Standard (PCI DSS).
- Access to financial documents is delegated to a limited, documented set of users.
- Fund transactions and transfers must be verified and approved by at least one user in the Finance Division and one user in the Account Management Team, so that no single user can both initiate and approve a transfer.
Legal Compliance
- Access to legal documents and payroll documents must be heavily restricted; because of the sensitivity of this information, guest accounts within this group policy must be disabled.
- Permissions and access to legal documents must be limited according to the case matters a user is involved in.
Human Resources
- Modifying payroll documents requires approval and verification by two users.
- All users in the Human Resources group are required to complete periodic training on handling and maintaining legal documentation.