Access Control Policy

Security Classification: Public
Version 2.0 (April 2025)

1.0 Access Control

1.1 Access Control Policy

Information owners are responsible for:

  • Reviewing the access control policy annually, or before implementing new or modified systems and applications.
  • Setting procedures for their information and information systems which follow this access control policy.
  • Authorizing access rights and privileges to users.

Information Owners and / or Information Custodians are responsible for documenting, managing, and periodically reviewing access controls to information and information systems under their control to ensure:

  • Access rights requests are authorized.
  • Access rights are restricted on a need to know and least privilege principles.
  • Access rights are role-based when technically feasible, i.e., permissions are assigned to roles rather than to unique user identifiers.
  • Access control roles are segregated (for example, access requests, authorization, and administration are performed by different people).
  • Access rights are modified or removed based on business and security requirements.
  • Access to information and information systems is auditable based on access by user identifiers.
  • The Access Control Policy is communicated to users through security awareness training.

1.2 Access to Network and Network Services

Access to the information system network must be restricted to authorized users and systems using the principle of least privilege, as defined in the information systems access control policies.

Management Controls and Processes
Information Custodians must document processes for the management of network access, including:

  • Documentation and review of implemented network access controls.
  • Identification of threats, risks and mitigation factors associated with network services.
  • Testing of network access controls to verify that they are correctly implemented and appropriate to the security classification of the information they protect.
  • Assisting Information Owners to verify the principle of least privilege is used to minimize access, as specified in the Access Control Policy.

Information Custodians must define and implement:

  • Permitted network access methods for each network zone (for example, direct connection, VPN, dial-up).
  • Multi-factor authentication requirements.
  • Minimum security controls required for connection to networks (for example, patch levels, anti-virus software, firewalls, user and system authentication requirements).

Cloud Services
The Information Custodian should ensure that access to information in a cloud service can be restricted in accordance with all provisions of the Access Control Policy and that such restrictions are actually realized. This includes restricting access to cloud services, cloud service functions, and cloud service customer data maintained in the service.

1.3 Remote Access

Remote Access will only be granted when it meets the Remote Access Control Infrastructure Standard and / or the Remote Access Standard.

2.0 User Access Management

2.1 User Registration and De-Registration

Information owners must approve the granting or revoking of user access to all information systems based on a formal user registration and de-registration process.

Managers must:

  • Approve user access requests before access rights are authorized.
  • Notify the Information Owner or Information Custodian when an Information User's role has changed, including duty reassignments, transfers, promotions, demotions, extended absences, or terminations.

2.2 User Access Provisioning

Information Owners and Information Custodians are responsible for the access provisioning process, including:

  • Obtaining authorization from the owner of the information system or service for the use of the information system or service; separate approval for access rights from Information Owners may also be appropriate.
  • Verifying that the level of access granted is appropriate to the access policies and is consistent with other requirements such as segregation of duties.
  • Ensuring that access rights are not activated before authorization procedures are completed.
  • Maintaining a central record of access rights granted to user IDs to access information systems and services.
  • Adapting access rights of users who have changed roles or jobs and immediately removing or blocking access rights of users who have left the organization.
  • Periodically reviewing access rights with owners of the information system or services.

2.3 Management of Privileged Access Rights

Information Owners and Information Custodians are responsible for the process for allocating privileged access rights, which must be controlled through a formal authorization process. The following steps must be considered:

  • The privileged access rights associated with each system or process (for example, operating system, database management system, cloud service, each application) and the users to whom they need to be allocated should be identified.
  • Privileged access rights should be allocated to users on a need-to-use basis, and on an event-by-event basis, based on the minimum requirements for their functional roles.
  • An authorization process and a record of all privileges allocated should be maintained.  Privileged access rights should not be granted until the authorization process is complete.
  • Requirements for the expiry of privileged access rights should be defined.
  • The competences of users with privileged access rights should be reviewed regularly in order to verify if they are in line with their duties.
  • Specific procedures should be established and maintained in order to avoid the unauthorized use of generic administration user IDs, according to systems configuration capabilities.
  • For generic administration user IDs, the confidentiality of secret authentication information should be maintained when shared (for example, changing passwords frequently and as soon as possible when a privileged user leaves or changes jobs, communicating them among privileged users with appropriate mechanisms).

2.4 Management of Secret Authentication Information of Users

Information Owners and Information Custodians responsible for the process for allocating secret authentication information must ensure that it includes the following requirements:

  • Users are required to maintain their own secret authentication information; they should initially be provided with secure temporary secret authentication information, which they are forced to change upon first use.
  • Procedures should be established to verify the identity of a user prior to providing new, replacement or temporary secret authentication information.
  • Temporary secret authentication information should be given to users in a secure manner using secure channels, such as Bitwarden. The use of external, unauthorized parties or unencrypted (clear text) electronic mail messages should be avoided.
  • Users should acknowledge receipt of secret authentication information.
  • Default vendor secret authentication information should be altered following installation of systems or software.

2.5 Review of User Access Rights

Information Owners must implement a formal process for the periodic review of user access rights.  Information Users should be granted minimum user access rights to perform their roles based on the need-to-know principle.

User access rights should be reviewed and reauthorized (or revoked as necessary):

  • Bi-Annually for user access, or more frequently depending on the value of the information asset
  • Quarterly for privileged user access
  • When a user role changes as a result of a promotion, demotion, transfer or other change that may affect access requirements.
  • When new systems and applications are deployed.

2.6 Removal or Adjustment of Access Rights

Access rights for information and assets associated with information processing facilities may be reduced or removed before the employment terminates or changes, depending on the evaluation of risk factors such as:

  • Whether the termination or change is initiated by the employee, the external party user, or by management, and the reason for termination.
  • The current responsibilities of the employee, external party user or any other user.
  • The value of the assets currently accessible.

3.0 User Responsibilities

3.1 Use of Secret Authentication Information

3.1.1 Temporary Password

Any user password that is provisioned should be changed at the initial logon.

3.1.2 Password Confidentiality

  • Users must keep passwords confidential.
  • Users must not share or reveal passwords.
  • An authorized user that shares or intentionally reveals his or her password is accountable for the unauthorized users’ actions.
  • When there is a need to share a password, consult the Compliance SME for your options.

3.1.3 Password Write Down

  • It is recommended that users do not write down their passwords.
  • If users choose to write down their passwords, they are responsible for storing them in a secure manner (for example, encrypted) to minimize the risk of disclosure.

3.1.4 Change Passwords after Disclosure

Users must immediately change their passwords that are suspected of being disclosed, or known to have been disclosed.

3.1.5 Password Difficult to Guess

  • Users must select passwords that are difficult to guess.
  • Users must not select passwords that are:
    • Words in a dictionary
    • KX business terms
    • Derivatives of user IDs
    • Common character sequences, such as “123456”
    • Personal details, such as spouses name, automobile license plate number, social insurance number, social security number, date of birth
    • Parts of speech such as proper names, geographical locations, common acronyms or slang

4.0 System and Application Access Control

4.1 Information Access Restriction

4.1.1 Information Access Controls

Information Owners and Information Custodians are responsible for ensuring the implementation of the Access Control Policy for their business applications. Every information system must have an Access Control Policy which specifies access permissions for information and system functions. The Access Control Policy must identify the information and system functions accessible by each class of user.

The application and information section of the Access Control Policy must specify:

  • The information to be controlled
  • The system functions to be controlled
  • The roles authorized to access the resources / information and what types of access are permitted (for example, create, read, update, write, delete, execute) based on business need
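The role-based model that sections 1.1 and 4.1.1 describe (permissions attached to roles, default deny, segregation of the request, authorization and administration duties) can be checked mechanically before any access right is activated. The following is an added example, not code from the organization or this policy; the roles, permissions, user IDs and conflict table are constructed for illustration and are not the organization's actual role model.

```python
"""Added example: role-based access with segregation-of-duties checks.

Roles, permissions, users and the SoD conflict table below are constructed
for this example; they are not the organization's actual role model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    resource: str   # the information or system function being controlled
    action: str     # create, read, update, delete or execute


# Permissions hang off roles, never off individual user IDs (section 1.1).
ROLE_PERMISSIONS = {
    "payroll_clerk": frozenset({
        Permission("payroll_batch", "create"),
        Permission("payroll_batch", "read"),
    }),
    "payroll_approver": frozenset({
        Permission("payroll_batch", "read"),
        Permission("payroll_batch", "execute"),
    }),
    "access_requester": frozenset({Permission("access_request", "create")}),
    "access_authorizer": frozenset({Permission("access_request", "update")}),
    "access_admin": frozenset({
        Permission("user_account", "create"),
        Permission("user_account", "update"),
        Permission("user_account", "delete"),
    }),
}

# Pairs of roles one person must never hold at the same time: the access
# request, authorization and administration duties are kept separate.
SOD_CONFLICTS = {
    frozenset({"payroll_clerk", "payroll_approver"}),
    frozenset({"access_requester", "access_authorizer"}),
    frozenset({"access_authorizer", "access_admin"}),
    frozenset({"access_requester", "access_admin"}),
}


def sod_violations(roles):
    """Return the conflicting role pairs present in roles, sorted for stable output."""
    held = set(roles)
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= held)


def assign_roles(user_roles, user, new_roles):
    """Return a copy of user_roles with new_roles added for user.

    Rejects unknown roles and any assignment that would leave the user with a
    segregation-of-duties conflict, so the check runs before access is activated.
    """
    proposed = set(user_roles.get(user, frozenset())) | set(new_roles)
    unknown = proposed - set(ROLE_PERMISSIONS)
    if unknown:
        raise ValueError(f"unknown roles for {user}: {sorted(unknown)}")
    conflicts = sod_violations(proposed)
    if conflicts:
        raise ValueError(f"segregation of duties conflict for {user}: {conflicts}")
    updated = dict(user_roles)
    updated[user] = frozenset(proposed)
    return updated


def decide(user_roles, user, resource, action):
    """Default-deny decision, keyed by user ID, with the granting roles recorded for audit."""
    wanted = Permission(resource, action)
    granted_by = sorted(r for r in user_roles.get(user, ()) if wanted in ROLE_PERMISSIONS[r])
    return {"user": user, "resource": resource, "action": action,
            "decision": "allow" if granted_by else "deny", "granted_by": granted_by}


def is_permitted(user_roles, user, resource, action):
    return decide(user_roles, user, resource, action)["decision"] == "allow"


if __name__ == "__main__":
    assignments = assign_roles({}, "alice", ["payroll_clerk"])
    print(decide(assignments, "alice", "payroll_batch", "create"))
    try:
        assign_roles(assignments, "alice", ["payroll_approver"])
    except ValueError as exc:
        print("rejected:", exc)
```

Because decide() returns the roles that granted the access alongside the user ID, the same record can be written to the audit log, which keeps access auditable by user identifier as section 1.1 requires.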

4.1.2 System Configuration

  • Information system access controls must be configurable to allow Information Custodians to modify access permissions without making code changes.
  • System utilities or functions that can bypass user access controls must be specified in the Access Control Policy.  Access to these utilities and functions must be restricted.

4.1.3 Publicly Accessible Information

Information which is publicly accessible must be segregated from non-public information.

4.1.4 Segregation of Sensitive Information Systems

Information Owners and Information Custodians must conduct an Assessment to determine the information system classification level. The information system classification level determines the controls beyond baseline standards which must be followed.

4.2 Secure Log-on Procedures

4.2.1 Information Displayed During Logon

Information Owners must ensure that Information Custodians configure logon processes to minimize the opportunity for unauthorized access.  This includes:

  • Not displaying details about backend systems (for example, operating system information, network details) prior to successful completion of the logon process to avoid providing an unauthorized user with any unnecessary assistance.
  • Displaying a general warning notice that the information system may be accessed only by authorized users.
  • Validating logon information only on completion of all input data, so that an error response does not indicate which part of the input was wrong.
  • Not displaying passwords in clear text as they are entered.

4.2.2 Unsuccessful Logon Attempts

Information Owners must ensure that Information Custodians configure logon processes to:

  • Record unsuccessful logon attempts
  • Allow a limited number of unsuccessful logon attempts
  • Limit the maximum and minimum time allowed for the logon procedure. If exceeded, the system should terminate the logon.
  • Force a time delay or reject further logon attempts once the limited number of consecutive unsuccessful logon attempts is reached.
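The four controls in 4.2.2 fit together in one small piece of logon-path logic: record every attempt by user ID, count consecutive failures, apply an escalating delay once the limit is reached, and terminate a logon that finishes outside the allowed time window. The following is an added example written for this page, not code from the organization or from any referenced standard; the limits (5 attempts, 30 s base delay, 1 s to 120 s window) are assumptions, and FakeClock exists only so the behaviour can be demonstrated offline.

```python
"""Added example: a failed-logon guard implementing the 4.2.2 controls.

The numeric limits are assumptions for illustration, not values from the
policy or its referenced standards.
"""
import time
from dataclasses import dataclass
from typing import Optional

MAX_CONSECUTIVE_FAILURES = 5   # assumed limit on consecutive failures
BASE_DELAY_S = 30.0            # first delay; doubles for each further failure
MAX_DELAY_S = 900.0            # cap, so an attacker cannot lock a user out indefinitely
MIN_LOGON_S = 1.0              # faster than this is not a person at a keyboard
MAX_LOGON_S = 120.0            # slower than this and the prompt is treated as abandoned


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: float = 0.0              # clock value; 0.0 means not locked
    prompt_shown_at: Optional[float] = None


class FakeClock:
    """Deterministic clock for demos and tests; production passes time.monotonic."""
    def __init__(self, start: float = 1000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


class LogonGuard:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.state = {}     # user ID -> AccountState
        self.audit = []     # every attempt, recorded by user ID

    def _record(self, user: str, event: str) -> None:
        self.audit.append({"ts": self.clock(), "user": user, "event": event})

    def begin(self, user: str) -> None:
        """Call when the logon prompt is displayed; starts the logon timer."""
        self.state.setdefault(user, AccountState()).prompt_shown_at = self.clock()

    def attempt(self, user: str, credential_ok: bool) -> str:
        """Return 'success', 'failure', 'locked' or 'terminated'.

        credential_ok is the outcome of the real credential check; this class
        only throttles and records and never sees the password. The caller must
        show the same generic message for every outcome other than success so
        the response does not reveal why the attempt failed.
        """
        now = self.clock()
        st = self.state.setdefault(user, AccountState())
        if st.prompt_shown_at is None:
            raise RuntimeError("begin() must be called when the prompt is shown")
        elapsed = now - st.prompt_shown_at
        st.prompt_shown_at = None
        # Maximum and minimum time for the logon procedure; terminate if outside it.
        if elapsed < MIN_LOGON_S or elapsed > MAX_LOGON_S:
            self._record(user, "terminated_time_window")
            return "terminated"
        # While the delay is in force, reject even a correct credential so the
        # response does not reveal whether the password was right.
        if now < st.locked_until:
            self._record(user, "rejected_locked")
            return "locked"
        if credential_ok:
            st.consecutive_failures = 0
            st.locked_until = 0.0
            self._record(user, "success")
            return "success"
        st.consecutive_failures += 1
        self._record(user, f"failure_{st.consecutive_failures}")
        if st.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            extra = st.consecutive_failures - MAX_CONSECUTIVE_FAILURES
            delay = min(BASE_DELAY_S * (2 ** extra), MAX_DELAY_S)
            st.locked_until = now + delay
            self._record(user, f"locked_{int(delay)}s")
            return "locked"
        return "failure"

    def failures_for(self, user: str) -> list:
        """Unsuccessful-attempt records for one user ID, for review or alerting."""
        return [e for e in self.audit if e["user"] == user and e["event"] != "success"]


if __name__ == "__main__":
    clock = FakeClock()
    guard = LogonGuard(clock=clock)
    for _ in range(6):
        guard.begin("demo")
        clock.t += 5.0
        print(guard.attempt("demo", False))
```

The delay doubles per failure beyond the limit but is capped, and a correct credential presented during the delay is rejected with the same outcome as a wrong one; both choices keep the lockout from becoming a denial-of-service lever or an oracle for password guessing.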

4.2.3 Password Transmission

Information Owners and Information Custodians must ensure logon processes are configured to prevent transmission of passwords in clear text.

4.3 Password Management Systems

A password management system must be able to apply the Password Management Standard and must:

  • Enforce the use of individual user IDs and passwords to maintain accountability
  • Allow users to select and change their own passwords and include a confirmation procedure to allow for input errors.
  • Enforce a choice of quality passwords.
  • Force users to change their passwords at the first logon.
  • Enforce regular password changes.
  • Maintain a record of previously used passwords and prevent re-use.
  • Not display passwords on the screen when being entered.
  • Store password files separately from application system data.
  • Store and transmit passwords in protected form.
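Sections 3.1.5 and 4.3 together describe a password acceptance check: reject dictionary words, business terms, derivatives of the user ID, common sequences and personal details, confirm the entry to catch typing errors, and keep a history so previous passwords cannot be reused without the history itself being stored in recoverable form. The following is an added example written for this page, not the organization's password management system; the word lists, the history depth of 12 and the 12-character minimum are constructed assumptions, and the history stores only salted PBKDF2 hashes so it reveals nothing if read.

```python
"""Added example: password quality rules from 3.1.5 with a hashed history (4.3).

The word lists and limits are placeholders; a deployment loads a real
dictionary, the organization's business-term list and a breached-password list.
"""
import hashlib
import hmac
import os

DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey"}   # constructed
BUSINESS_TERMS = {"kx", "kxpayroll", "projectorion"}                   # constructed
COMMON_SEQUENCES = ("123456", "abcdef", "qwerty", "111111")            # constructed
MIN_LENGTH = 12        # assumed
HISTORY_DEPTH = 12     # assumed
PBKDF2_ITERATIONS = 100_000

# Fold common substitutions so "P@ssw0rd" is still recognised as "password".
_LEET = str.maketrans("@$0134!|", "asoieail")


def _fold(candidate: str) -> str:
    return candidate.lower().translate(_LEET)


def check_password_quality(candidate: str, user_id: str, personal_tokens=()) -> list:
    """Return the reasons a candidate is rejected; an empty list means acceptable.

    personal_tokens are details the caller already holds for the user (names,
    plate numbers, dates of birth) and is therefore able to screen for.
    """
    reasons = []
    views = (candidate.lower(), _fold(candidate))   # check both raw and leet-folded text
    if len(candidate) < MIN_LENGTH:
        reasons.append("shorter than minimum length")
    if any(w in v for w in DICTIONARY for v in views):
        reasons.append("dictionary word")
    if any(t in v for t in BUSINESS_TERMS for v in views):
        reasons.append("business term")
    if any(s in v for s in COMMON_SEQUENCES for v in views):
        reasons.append("common character sequence")
    uid = user_id.lower()
    if any(uid in v or uid[::-1] in v for v in views):
        reasons.append("derived from user ID")
    if any(t.lower() in v for t in personal_tokens if t for v in views):
        reasons.append("contains personal detail")
    return reasons


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Per-user list of (salt, digest) pairs, newest last; plaintext is never kept."""
    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self._entries = {}

    def was_used(self, user_id: str, candidate: str) -> bool:
        return any(hmac.compare_digest(_digest(candidate, salt), digest)
                   for salt, digest in self._entries.get(user_id, []))

    def record(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        entries = self._entries.setdefault(user_id, [])
        entries.append((salt, _digest(password, salt)))
        del entries[:-self.depth]     # keep only the most recent depth entries


def change_password(history: PasswordHistory, user_id: str, candidate: str,
                    confirmation: str, personal_tokens=()) -> list:
    """Apply the confirmation, quality and reuse checks; record on success."""
    if candidate != confirmation:
        return ["confirmation does not match"]
    reasons = check_password_quality(candidate, user_id, personal_tokens)
    if history.was_used(user_id, candidate):
        reasons.append("reused")
    if not reasons:
        history.record(user_id, candidate)
    return reasons


if __name__ == "__main__":
    hist = PasswordHistory()
    for pw in ("Dragon2024!!", "alice_is_great!", "correct horse battery staple"):
        print(pw, "->", change_password(hist, "alice", pw, pw) or "accepted")
```

The reuse check compares the candidate against each stored salted hash rather than keeping old passwords in clear, which is what lets the history satisfy 4.3's requirement to store passwords only in protected form.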

4.4 Use of Privileged Utilities Programs

Information Owners and Information Custodians must restrict access to system utility programs by:

  • Defining and documenting authorization levels
  • Restricting the number of users with access to system utility programs.
  • Annually reviewing the status of users with access to system utility programs.
  • Requiring a secure logon process.
  • Identifying the system utility programs in use and logging their usage.
  • Segregating system utilities from application software.
  • Removing or disabling redundant or obsolete system utilities and system software.

4.5 Access Control to Program Source Code

Information Owners and Information Custodians must implement procedures to control access to program source code, program source libraries, and related documentation for information systems by:

  • Restricting access by privileged users on a need-to-access basis.
  • Authorizing modifications to program source libraries, and related documentation.
  • Ensuring change control procedures are followed when maintaining and copying program source libraries.
  • Maintaining access audit logs.
  • Using a controlled central repository for storing program source code and libraries that is isolated from operational information systems.
  • Securely protecting and storing media containing program source code, program source libraries, and related documentation.