The ICO exists to empower you through information.

Assign appropriate access rights to staff for processing personal information. 

Options to consider: 

  • Carry out background checks on new staff prior to employment (including direct employees, temporary staff and contractors), when it is applicable to their role and responsibilities.
  • Document in policy how you grant access rights to new starters.
  • Assess and document the requirements of each role to assign the correct access rights.
  • Document the process for granting access for temporary and contract staff.
  • Create role-based access profiles based on the requirement of each role. 
  • Use security classifications to assess which roles should have access to certain types of information.

 

Restrict access to sensitive or confidential information or systems to roles which you have formally assessed as requiring privileged or higher-level access.

Options to consider: 

  • Document the process for assessing and assigning privileged access. 
  • Assign responsibility for granting privileged access to a senior member of staff. 
  • Maintain a list of all staff with privileged and administrator access. 
  • Carry out background checks or vetting on new staff prior to employment (including direct employees, temporary staff and contractors), when it is applicable to their role and responsibilities.
  • Promptly remove privileged access from staff when they no longer require it.
  • Train staff who have privileged access.
  • Conduct audits of privileged accounts to ensure staff are not misusing access.
  • Segregate service accounts so that they cannot be used to exfiltrate information (ie give them no access to the web or email).

 

Review access rights regularly and adjust them if staff change role or responsibilities. 

Options to consider: 

  • Document the movers’ process and regularly check to confirm compliance. 
  • Keep records to demonstrate you review access rights and appropriately adjust them, if required.

 

Remove leavers’ access rights in a timely manner when their employment is terminated, including temporary and contract staff.

Options to consider: 

  • Document the leavers’ process and regularly check to confirm compliance. 
  • Keep records to demonstrate you remove access rights in a timely fashion. 
  • Assign end dates to access permissions, particularly for temporary role changes or when access isn’t needed permanently.
  • Ask managers to check and confirm that access rights are removed.
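The joiners', movers' and leavers' controls above (role-based access profiles, end-dated permissions, a register of who holds privileged access, and timely removal for leavers) can be checked mechanically against an export of who currently holds what. The following is an added Python example, not part of the ICO guidance; the role profiles, entitlement names and staff records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample data (not from the ICO page): the entitlements each role has
# been assessed as requiring, and which entitlements count as privileged access.
ROLE_PROFILES = {
    "hr_officer": {"hr_system"},
    "developer": {"source_repo", "ci_platform"},
    "sysadmin": {"source_repo", "ci_platform", "domain_admin"},
}
PRIVILEGED = {"domain_admin"}

@dataclass
class Staff:
    name: str
    role: str                                # current role, after any move
    entitlements: Dict[str, Optional[date]]  # entitlement -> end date (None = open-ended)
    left_on: Optional[date] = None           # set once the person has left

def review_access(staff: List[Staff], today: date) -> Dict[str, list]:
    """Check each held entitlement and return sorted findings under four keys:
    leaver_still_has_access, expired, outside_role_profile (movers), privileged (register)."""
    findings = {k: [] for k in ("leaver_still_has_access", "expired", "outside_role_profile", "privileged")}
    for person in staff:
        profile = ROLE_PROFILES.get(person.role, set())
        for ent, end_date in person.entitlements.items():
            if person.left_on is not None and person.left_on <= today:
                findings["leaver_still_has_access"].append((person.name, ent))
                continue  # everything a leaver still holds must go; skip the other checks
            if end_date is not None and end_date < today:
                findings["expired"].append((person.name, ent))
            if ent not in profile:
                findings["outside_role_profile"].append((person.name, ent))
            if ent in PRIVILEGED:
                findings["privileged"].append((person.name, ent))
    return {key: sorted(items) for key, items in findings.items()}

def sample_review() -> Dict[str, list]:
    """Run the review over constructed staff records as of 1 March 2024."""
    staff = [
        Staff("alice", "hr_officer", {"hr_system": None}),
        # bob moved from sysadmin to developer but kept domain_admin (movers' check)
        Staff("bob", "developer", {"source_repo": None, "ci_platform": None, "domain_admin": None}),
        # carol's temporary admin access was end-dated but never removed
        Staff("carol", "sysadmin", {"source_repo": None, "domain_admin": date(2024, 1, 31)}),
        # dave left in February and still holds repo access (leavers' check)
        Staff("dave", "developer", {"source_repo": None}, left_on=date(2024, 2, 15)),
    ]
    return review_access(staff, today=date(2024, 3, 1))
```

Each finding names the person and the entitlement, so the output doubles as the record the guidance asks you to keep of what was reviewed and adjusted.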

 

Ensure read and write access to source code, development tools or software is limited to authorised personnel only.

Options to consider: 

  • Restrict access to source code and development tools to staff who require regular access only.
  • Assign write access permissions to source code to privileged personnel or designated owners only. 
  • Use a source code management system or similar mechanism to control central storage of source code.
  • Restrict access to system design and specification documents that may contain information highlighting vulnerabilities.
  • Restrict access to compilers and test platform environments.
  • Implement strict authentication requirements for access to source code, such as multi-factor authentication.
  • Only allow source code to be accessed from a separate network domain.
  • Document who has privileged access.

 

Use secure authentication technologies and hold staff accountable for safeguarding their authentication information. 

Options to consider: 

  • Develop a policy about using secure authentication information such as passwords, PINs and security answers. 
  • Use suitable authentication techniques to identify users, messages and software. 
  • Use multi-factor authentication when you require an enhanced level of security to protect personal information. 
  • Publish regular reminders for staff on the importance of keeping their authentication information secure.
  • Test how secure authentication information is by using password strength checkers and penetration testing.
  • Implement lockout mechanisms after a certain number of failed login attempts.
  • Set expiration dates on passwords and send reminders to staff when their password is due to expire.
  • Assess the privacy implications and lawful basis for using biometric authentication as part of a DPIA.