How to establish Logical Access for your Company

We all know that logical access is a very important control for any organisation, especially for companies that run a large number of IT applications. Below are some pointers for establishing a robust IT risk and logical access framework. These have been aligned to the SSAE / SOC Trust Service Principles.

1. Assets are assigned owners who are responsible for evaluating access.
2. Online applications require customers to have an ID and password. Requests for access to online applications require the matching of the customer ID against the list of privileges each user was granted when access to the system was initially provisioned.
3. Systems are required to be implemented with unique user ID and password submission.
4. External access to the company network by employees is permitted only through two-factor authentication or through encrypted and authenticated means.
5. Privileged access to sensitive resources is restricted to defined user roles, and access to these roles must be approved by the designated approver.
6. All access is granted against an approved access request (either paper or electronic).
7. System security is configured to require users to change their password upon initial sign-on and every 90 days thereafter.
8. Password complexity standards are established to enforce control over access control software passwords.
9. Account sharing is prohibited unless a variance from policy is granted in writing by the company's designated officer.
10. Infrastructure and software are hardened and have a configuration that includes requirements for the implementation of access control software.
11. Transmission of digital output beyond the boundary of the system occurs through the use of authorised software supporting the Advanced Encryption Standard (AES).
12. VPN, SSL, secure file transfer program (SFTP), and other encryption technologies are used for defined points of connectivity and to protect communications between the processing centre and users connecting to the processing centre from within or outside customer networks.
13. Storage for key workstations and laptops is encrypted. Removable media for workstations and laptops are encrypted.
14. Access to data is restricted to authorised applications through access control software. Access rules are created and maintained by information security personnel during the application development process.
15. Logical access to data other than through an authorised application is restricted to administrators through the database management system's native security.
16. Application security restricts output to approved roles or user IDs.
17. Backup media are encrypted during creation.
18. The ability to install software on workstations, laptops and other systems is restricted to IT support personnel.
19. A role-based security process has been defined, with an access control system that is required to use roles where possible.
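Several of these controls (asset owners, privileged-role approval, 90-day password rotation, change on first sign-on, no account sharing without a written variance, role-based access) can be checked automatically during a periodic access review. The following is an added example written for this article, not Riskpro's own tooling; the account records, role names and reference date are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

PASSWORD_MAX_AGE_DAYS = 90                      # pointer 7: rotate every 90 days
PRIVILEGED_ROLES = {"db_admin", "domain_admin"}  # constructed role names (pointer 5)

@dataclass
class Account:
    """One record from an access-review export (constructed format)."""
    user_id: str
    owner: str                       # asset owner who evaluates access (pointer 1)
    roles: Tuple[str, ...]           # role-based assignment (pointer 19)
    password_set: date               # date the current password was set
    changed_at_first_logon: bool     # pointer 7: initial password must be replaced
    approved_by: Optional[str] = None  # designated approver for privileged roles
    shared: bool = False             # pointer 9: shared accounts need a variance
    variance_granted: bool = False

def audit_account(acct: Account, today: date) -> List[str]:
    """Return the list of control violations for one account (empty if clean)."""
    findings = []
    if (today - acct.password_set).days > PASSWORD_MAX_AGE_DAYS:
        findings.append("password older than 90 days")
    if not acct.changed_at_first_logon:
        findings.append("initial password never changed")
    if PRIVILEGED_ROLES & set(acct.roles) and not acct.approved_by:
        findings.append("privileged role without approver")
    if acct.shared and not acct.variance_granted:
        findings.append("shared account without written variance")
    if not acct.roles:
        findings.append("no role assigned")
    return findings

def audit(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant user_id to its findings; compliant accounts are omitted."""
    results = {a.user_id: audit_account(a, today) for a in accounts}
    return {uid: f for uid, f in results.items() if f}

# Constructed sample export and reference date for a dry run.
TODAY = date(2019, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "hr-app-owner", ("hr_user",), date(2019, 5, 1), True),
    Account("bob", "db-owner", ("db_admin",), date(2019, 1, 15), True),
    Account("svc_batch", "ops-owner", ("batch_runner",), date(2019, 5, 20), True, shared=True),
    Account("carol", "db-owner", ("db_admin",), date(2019, 5, 10), False, approved_by="ciso"),
]

if __name__ == "__main__":
    for uid, findings in audit(SAMPLE_ACCOUNTS, TODAY).items():
        print(uid, "->", "; ".join(findings))
```

In practice the `Account` records would be built from the identity system's export and the findings routed to the asset owner named in each record for the review described in pointer 1.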
