Enterprise

Policy Name: Access Control Policy section Purpose The purpose of this policy is to define and document the business requirements for access to all sensitive areas, including facilities, the computing infrastructure, and data, as well as to establish controls to protect them. Policies should include clear statements and an outline of responsibilities in order to establish controls. Overview Access to information resources should be analyzed and kept to the minimum necessary to achieve business objectives. Each resource should be analyzed as should each user or group of users for access requirements and this analysis should be repeated each time a change in responsibilities occurs. Scope The scope of personnel this policy covers includes all personnel who 'own' applications and data as well as those in IT that administrate those applications and systems. The policy also covers those managers whorequire the use of the applications/data, so that defendable reasons for granting access can be presented. Policy The intent of the access security policy is to provide clearly defined and documented rules and rights for each user or group of users as well as service providers. The objective of this policy is to control access to information and information services based on business and security requirements. Policy details Access controls will be consistent with legislative, statutory, and contractual obligations of the organization. The access provided will be consistent with the security levels and classification policy. User groups will be established for those groups with similar access requirements and will be approved by the application/information owner. Revision: X1

Access controls will be consistent with legislative, statutory, and contractual obligations of the organization. All users and service providers will be required to acknowledge their compliance with access control policies for each application they are granted access to. List additional security statements below: Violation - Consquences section Consquences for failure to follow this policy: Employee support for our written IT security policies is a cornerstone for implementing and maintaining a security IT infrastructure. Consequences of failure to comply with IT Security policies may include: loss of access rights, verbal warnings, written warnings, discipline up to and including employment termination and/or prosecution. Report violations to: Violations to this IT Security policy will be immediately reported to the (Variables) IT Security Coordinator, violator's Manager, Department manager, Asset owner, Executive Management, Human Resources, Law Enforcement Authorities. Violations will be reported via: E-mail, IMs, phone, fax, paging, physically tracking down appropriate personal. Document control section Supporting Documents: Document1, Document2 N/a

This document supercedes: Written by (owner): Date written: Approval 1 by: Date approved: Approval 2 by: Date approved: Policy status: 0000-00-00 Not started 0000-00-00 0000-00-00

Date released: 0000-00-00