Access control

Assign appropriate access rights to staff for processing personal information.

Carry out background checks on new staff prior to employment (including direct employees, temporary staff and contractors), when it is applicable to their role and responsibilities.

Document in policy how you grant access rights to new starters.
Assess and document the requirements of each role to assign the correct access rights.
Document the process for granting access for temporary and contract staff.
Create role-based access profiles based on the requirement of each role.

Use security classifications to assess which roles should have access to certain types of information.

Document the process for assessing and assigning privileged access.
Assign responsibility for granting privileged access to a senior member of staff.
Maintain a list of all staff with privileged and administrator access.
Carry out background checks or vetting on new staff prior to employment (including direct employees, temporary staff and contractors), when it is applicable to their role and responsibilities?
Promptly remove privileged access from staff when they no longer require it.
Training staff with privileged access.
Conduct audits of privileged accounts to ensure staff are not misusing access.
Segregate service accounts to avoid exfiltration (internally) (ie no access to web or email).

Keep records to demonstrate you review access rights and appropriately adjust them, if required.

Assign end dates to access permissions, particularly for temporary role changes or when access isn’t needed permanently.
Ask managers to check and confirm that access rights are removed.

Restrict access to source code and development tools to staff who require regular access only.

Assign write access permissions to source code to privileged personnel or designated owners only.
Use a source code management system or similar mechanism to control central storage of source code.

Restrict access to system design and specification documents that may contain information highlighting vulnerabilities
Restrict access to compilers and test platform environments.
Implement strict authentication requirements to source code, such as multi-factor authentication.
Allow source code to only be accessible on a separate network domain.
Document who has privileged access.

Develop a policy about using secure authentication information such as passwords, PINs and security answers.

Use suitable authentication techniques to identify users, messages and software.
Use multi-factor authentication when you require an enhanced level of security to protect personal information.

Publish regular reminders for staff on the importance of keeping their authentication information secure.
Test how secure authentication information is by using password strength checkers and penetration testing.
Implement lockout mechanisms after a certain number of failed log in attempts.
Set expiration dates on passwords and send reminders to staff when their password is due to expire.
Assess the privacy implications and lawful basis for using biometric authentication as part of a DPIA.