Access Control Policy Best Practices

Last updated: May 13, 2025

Implementing a strong access control policy is essential for maintaining security and compliance. Here are the key requirements and best practices for managing access control:

Regular Access Reviews

  • Conduct periodic reviews of user access for all critical software

    • Quarterly or semi-annual review frequency recommended

    • Include all environments, not just production

Employee Onboarding/Offboarding

  • Establish a documented process for managing access when employees join or leave

  • Process should detail all required actions for granting or revoking access

  • Can be managed through the Bastion tool for automation and consistency

Authentication Requirements

  • Multi-Factor Authentication (MFA) is mandatory for all critical systems

  • Single Sign-On (SSO) is recommended where possible

  • Avoid shared admin accounts - each user should have individual credentials

  • When administrative accounts are necessary, ensure they have:

    • Proper logging enabled

    • MFA enabled

Remember: Your access control policy should cover ALL system access, not just production environments.