Access Control Template
Category: Access Control · Version: 2.0 (Corbin Jay) Forma · Team: Policies & Procedures · Owner: fhsu_dude_2025
Updated 2025-12-01 12:48
Access Control Policy
Purpose
This policy explains how access to SOC and Data Center systems and spaces is managed. The goal is to ensure that only authorized individuals have the correct level of access so that systems remain secure.
Scope
Applies to:
- Employees
- Interns
- Contractors
- Third-party workers
- Anyone granted access to SOC or data center resources
Covers:
- Physical access: entering secure SOC or Data Center areas
- Digital access: logging into systems, applications, or network resources
Policy Rules
Principle of Least Privilege
Everyone should have only as much access as needed for their job — nothing more.
Access Based on Job Role
Access levels depend on a person’s role, such as:
- SOC Analysts
- System Administrators
- Network Administrators
- Security Engineers
- Data Center Operations Staff
- Management
Secure Login Requirements
- MFA required for all admin and remote access
- Strong passwords required
- Default passwords must be changed
- No shared accounts
Admin / Privileged Accounts
Privileged accounts must:
- Belong to a single user (no generic admin logins)
- Be used only for administrative tasks
- Have logging and monitoring enabled
Physical Access Control
To enter the SOC or Data Center:
- Badge access required
- Secondary authentication (PIN or biometric) required
- Visitors must be escorted
- Visits must be logged
Remote Access Rules
Remote access is only allowed using:
- Approved VPN
- Encrypted connections
- Approved devices
- Up-to-date cipher suites
Personal devices cannot be used unless an exception is approved.
Logging and Monitoring
We log:
- Badge-scanned entries
- System logins
- Account or permission changes
- Folder or data access
- System configuration changes
Suspicious access must generate alerts.
Reviewing Access
Access is reviewed:
- Every 6 months for regular users
- Every 3 months for admin-level users
- Anytime someone changes roles or departments
- Immediately when someone leaves the organization
Handling Unauthorized Access
If unauthorized access happens:
- Access is disabled immediately
- Security investigates
- Logs and evidence are reviewed
- Management is informed
Consequences for Violations
Possible consequences include:
- Loss of access rights
- Academic consequences
Exceptions
Exceptions must:
- Be documented
- Include a valid justification
- Be approved by SOC management
Policy Updates
This policy is reviewed at least once per year or when major changes occur in systems or roles.