ISM-0407

A secure record is maintained for the life of each system covering the following for each user:
• their user identification
• their signed agreement to abide by usage policies for the system and its resources
• who provided authorisation for their access
• when their access was granted
• the level of access that they were granted
• when their access, and their level of access, was last reviewed
• when their level of access was changed, and to what extent (if applicable)
• when their access was withdrawn (if applicable).

Topic
Recording authorisation for personnel to access systems
Applicable to
all

History

Priority
should
Sep 2023
A secure record is maintained for the life of each system covering the following for each user:
• their user identification
• their signed agreement to abide by usage policies for the system and its resources
• who provided authorisation for their access
• when their access was granted
• the level of access that they were granted
• when their access, and their level of access, was last reviewed
• when their level of access was changed, and to what extent (if applicable)
• when their access was withdrawn (if applicable).
The existing control relating to maintaining a secure record of authorisations for personnel to access systems was amended to include the retention of signed copies of agreements by personnel to abide by system usage policies.
2017
Agencies should:
• maintain a secure record of:
– all personnel authorised to access a system
– their user identification
– who provided the authorisation to access the system
– when the authorisation was granted
– when the access was last reviewed
– when the access was removed.
Control text changed. No public explanation.
2015
Agencies should:
• maintain a secure record of:
– all personnel authorised to a system
– their user identification
– who provided the authorisation to access the system
– when the authorisation was granted
– when the access was reviewed
– when the access was removed.
2010
Agencies should:
• maintain a secure record of:
– all authorised system users
– their user identification
– who provided the authorisation to access the system
– when the authorisation was granted
• maintain the record for the life of the system to which access is granted.
2008
Agencies should:
a. maintain a secure record of:
1) all authorised system users
2) their user identification
3) who provided the authorisation to access the system
4) when the authorisation was granted
b. maintain the record for the life of the system to which access is granted.