ISM-0441

When personnel are granted temporary access to a system, effective controls are put in place to restrict their access to only data required for them to undertake their duties.

Topic
Temporary access to systems
Applicable to
all

History

Priority
must
Jun 2022
When personnel are granted temporary access to a system, effective controls are put in place to restrict their access to only data required for them to undertake their duties.
Miscellaneous changes were made to rationale and recommendations throughout the publication to clarify content. This included the adoption of ‘control’ terminology, in preference to ‘security control’ terminology, to allow for the capture of other types of controls in the future, such as privacy controls, in addition to security controls.
In addition, formatting changes were made to the system security plan annex template and the cloud controls matrix template in order to increase their alignment, such as the inclusion of an ‘implementation status’ column within the system security plan annex template. Furthermore, a new ‘responsible entity’ column was added to both templates in order to capture information on the responsible system (in the case of inherited controls) or responsible vendor (in the case of multi-vendor systems) that are responsible for the implementation of controls. Note, this column can also be used to capture information on teams or individuals that are responsible for the implementation of controls if desired.
Sep 2019
When personnel are granted temporary access to a system, effective security controls are put in place to restrict their access to only information required for them to undertake their duties.
Security control 0441 was modified to focus primarily on the use of security controls to restrict access to information.
Aug 2019
When personnel are granted temporary access to a system, effective security controls are in place to restrict their access to only information that is necessary to undertake their duties, or they are continually supervised by another user who has the appropriate security clearance to access the system.
2015
Agencies granting personnel temporary access to a system must ensure that either:
• effective controls are in place to restrict access to only information that is necessary to undertake their duties
• they are continually supervised by another user who has the appropriate security clearances to access the system.
2010
Agencies granting limited higher access to a system must ensure that either:
• effective controls are in place to restrict access to only information that is necessary to undertake the system user’s duties
• the system user is continually supervised by another system user who has the appropriate security clearances to access the system.
2008
Agencies granting limited higher access to a system must ensure:
a. effective ICT security controls are in place to restrict access to only security classified information that is necessary to undertake the system user’s duties or
b. the system user is continually supervised by another system user who has the appropriate security clearances to access the system.