Requests for unprivileged access to systems, applications and data repositories are validated when first requested.
Topic
Unprivileged access to systems
Applicable to
all
History
Priority
must
Dec 2021
Requests for unprivileged access to systems, applications and data repositories are validated when first requested.
Miscellaneous changes were made to rationale and security controls throughout the publication. This included:
• A review from the Using the Information Security Manual chapter through to the Guidelines for Media chapter.
• Security controls suitable for all audiences have been identified with the ‘All’ applicability marking while additional security controls suitable for just government audiences have been identified with the O, P, S and TS applicability markings.
• Security controls suitable for specific classifications have been amended to include their classification(s) in the wording of the security controls to reduce the reliance on applicability markings to confer suitability.
• Tables in security controls have been converted into prose to allow for inclusion in the SSP annex template and the XML list of security controls.
• The use of ‘official’ and ‘highly classified’ terminology has been replaced with specific classifications to remove ambiguity.
• Security controls relating to high assurance ICT equipment have had their applicability narrowed to ‘S, TS’ reflecting that they are intended for the protection of SECRET and TOP SECRET systems and data.
Sep 2019
Standard access to systems, applications and data repositories is validated when first requested and revalidated on an annual or more frequent basis.
Security controls 0405, 1503, 1507 and 1508 were modified to replace references to ‘information’ with ‘data repositories’ in order to align with language used by the Essential Eight mitigation strategies.
Aug 2019
Standard access to systems, applications and information is validated when first requested and revalidated on an annual or more frequent basis.
2015
Agencies must:• limit system access on a need–to–know basis• have any requests for access to a system authorised by the person’s manager• provide personnel with the least amount of privileges needed to undertake their duties• review system access and privileges at least annually and when personnel change roles• when reviewing access, ensure a response from the person’s manager confirming the needto access the system is still valid, otherwise access will be removed.
2010
Agencies must:••••92limit system access on a need-to-know basishave any requests for access to a system by personnel authorised by their supervisor or managerprovide system users with the least amount of privileges needed to undertake their dutieshave system access and privileges reassessed at regular intervals by the supervisor or manager ofthe system user, including when a change of duties occurs, and remove system access or privilegesif necessary.