OK, fine, so what would that actually look like, in practice?
Before reading on, think about that for a moment.
Imagine you were tasked with drafting an access control policy: what would it cover?
What form would it take?
How would you even start?
How about something along these lines, for starters:
Policy axioms (guiding principles)
A. Access to corporate information assets by workers should be permitted by default unless there is a legitimate need to restrict it.
B. Access to corporate information assets by third parties should be restricted by default unless there is a legitimate need to permit it.
- User identification and authentication is necessary to prevent access being granted to the wrong people, or withheld inappropriately from the right ones.
- IT system privileges that are needed to override access controls for legitimate administrative purposes (such as backups) should only be granted to competent, trustworthy workers.
- And others.

One of the key challenges of writing policies in any field as complex as information risk and security is to ensure that all the essentials are covered with as few gaps, overlaps and especially conflicts as possible. I'll have more to say about that towards the end of this blog series.
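To make the axioms concrete, here is an added Python sketch (not code from the post) that encodes axioms A and B as per-class defaults, records the "legitimate need" exceptions as explicit rules, and checks the rule set for the conflicts and overlaps the paragraph above warns about. The rule fields, the sample policy and the deny-wins tie-break are my assumptions, not something the post prescribes.

```python
from dataclasses import dataclass

# Constructed example: axioms A and B as defaults per subject class,
# exceptions as explicit rules, plus a consistency check on the rule set.

@dataclass(frozen=True)
class Rule:
    subject_class: str  # "worker" (axiom A) or "third_party" (axiom B)
    asset: str          # asset name, or "*" for every asset
    effect: str         # "permit" or "deny"
    reason: str         # the legitimate need that justifies the exception

# Axiom A: workers are permitted by default. Axiom B: third parties are denied.
DEFAULTS = {"worker": "permit", "third_party": "deny"}

def find_conflicts(rules):
    """(subject_class, asset) pairs that carry both a permit and a deny rule."""
    effects = {}
    for r in rules:
        effects.setdefault((r.subject_class, r.asset), set()).add(r.effect)
    return sorted(key for key, seen in effects.items() if len(seen) > 1)

def find_overlaps(rules):
    """Specific rules shadowed by a wildcard rule for the same subject class."""
    wild = {r.subject_class for r in rules if r.asset == "*"}
    return sorted({(r.subject_class, r.asset) for r in rules
                   if r.asset != "*" and r.subject_class in wild})

def decide(subject_class, asset, rules):
    """Explicit rules override the class default; deny wins if both match."""
    hits = [r for r in rules
            if r.subject_class == subject_class and r.asset in ("*", asset)]
    if any(r.effect == "deny" for r in hits):
        return "deny"
    if hits:
        return "permit"
    return DEFAULTS[subject_class]

# Constructed sample policy (assumed asset names, not from the post).
POLICY = [
    Rule("worker", "payroll", "deny", "need-to-know: HR only"),
    Rule("third_party", "support-portal", "permit", "contracted vendor support"),
    Rule("third_party", "support-portal", "deny", "legacy rule never retired"),
    Rule("third_party", "*", "deny", "restates axiom B"),
]

if __name__ == "__main__":
    print(decide("worker", "wiki", POLICY))        # permit, by axiom A
    print(decide("third_party", "wiki", POLICY))   # deny, by axiom B
    print(find_conflicts(POLICY))                   # the stale permit/deny pair
    print(find_overlaps(POLICY))                    # rule shadowed by the wildcard
```

Running the checks before a policy is published surfaces the stale conflicting rule and the redundant wildcard overlap, which are exactly the defects that make a policy hard to apply consistently.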