Privileged Access Policy

Privileged Access Policy

HSBNE has a number of resources which are restricted in access in one way or another for various reasons. This policy does not include equipment requiring induction or supervision.

If a resource is restricted in its access, it must be listed in the Access Register, which is a living document that must record at minimum:

Items can be added, removed, modified on the access register at any time by executive, or by vote at a general meeting.

Some systems may have distinct levels of access which should be recorded as appropriate.

Notification

When a person is given access to a restricted resource they will be notified. When a person has restricted access removed, they will be notified which will include a reason for that removal. Notification may take any form, such as verbal or written.

There is no requirement for notification prior to access removal. However, it’s best practice in non hostile situations to notify beforehand. Notification after the fact must happen within 48 hours. System Change Control The decision maker listed for each resource is responsible for appropriate communication around access changes as they happen. The act of granting access can be performed by any person with ability once the decision has been made.

Password Control

Where access is controlled by shared accounts with single passwords, access will only be issued by providing the user with access to the password control and audit system used by HSBNE (currently 1password). When access is revoked to password control, accounts that user had access to should have their passwords updated.

Passwords are not to be issued out to people outside of the password control system. This is to keep our list of users who have access current, and to retain integrity of the audit features.

Record of Access

Where a system tracks current access (ie where we can see what users have access), that record is sufficient.

Any system where we cannot audit current access (such as a shared account not in password control) or it is difficult to audit access (Who has access to the Bank Account or is a representative for the Office of Fair Trading) must have a record kept within the Access Register. Where it is found that the record in these cases is out of date, all users should be revoked and issued anew.

The Executive

Unless executive roles are specifically named in the access register (i.e. Treasurer for HSBNE Net Banking), it is assumed that The Executive has blanket access to all resources.