Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
Access rights to data held on the hard disk of the network server must be allocated on a restrictive basis: each user will be authorised to access only those files needed for the performance of his tasks. In turn, the access rights will be confined to the required type of access (see also S 2.5 Division of responsibilities and separation of functions, S 2.7 Granting of (system/network) access rights and S 2.8 Granting of (application/data) access permissions). Thus, for instance, it will very rarely be necessary to grant write access to programme files.
In most cases, access rights granted for a parent directory also apply to the files in its sub-directories (inheritance). This implies that access rights at the highest level (volume level) should be granted only on a very restrictive basis. Particularly when installing new software products, the rights granted should be reviewed.
If the PCs are provided with floppy disk drives, particular importance should be attached to the restrictive allocation of rights.
If little storage space is provided on a network server, the maximum memory capacity which a user may occupy on the network server can be restricted (disk quota).
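The three checks above (no write access to programme files beyond the owner, no broad rights at the volume level that would be inherited, and a per-user space limit) as an added audit script for a POSIX file server; this is not part of the BSI text, and the share layout and the 50 KB limit are assumptions.

```shell
#!/bin/sh
# Added audit script (not from the BSI safeguard). Assumed share layout:
#   $SHARE/programs      programme files: only the owner may write
#   $SHARE/users/<name>  one directory per user, subject to a size limit

# Programme files that grant write access to group or others.
audit_program_writable() {
    find "$1" -type f \( -perm -0020 -o -perm -0002 \) -print
}

# Rights at the top level are inherited downwards, so the share root
# itself must not be writable for group or others. Prints ok/too permissive.
audit_top_level() {
    if [ -n "$(find "$1" -maxdepth 0 \( -perm -0020 -o -perm -0002 \) -print)" ]; then
        echo "too permissive"
    else
        echo "ok"
    fi
}

# Simple quota report: names of users whose directory exceeds $2 kilobytes.
users_over_limit() {
    for d in "$1"/*; do
        [ -d "$d" ] || continue
        used=$(du -sk "$d" | cut -f1)
        [ "$used" -gt "$2" ] && basename "$d"
    done
    return 0
}

# Constructed demo share: one correctly protected programme file, one that
# is world-writable, and two users, one of whom is over the 50 KB limit.
make_demo_share() {
    share=$(mktemp -d)
    mkdir -p "$share/programs" "$share/users/alice" "$share/users/bob"
    : > "$share/programs/app.exe";  chmod 0755 "$share/programs/app.exe"
    : > "$share/programs/open.exe"; chmod 0666 "$share/programs/open.exe"
    dd if=/dev/zero of="$share/users/bob/big.dat" bs=1024 count=100 2>/dev/null
    chmod 0777 "$share"   # deliberately too permissive at volume level
    echo "$share"
}

if [ "${1:-}" = "demo" ]; then
    share=$(make_demo_share)
    audit_program_writable "$share/programs"
    audit_top_level "$share"
    users_over_limit "$share/users" 50
fi
```

Run with `sh audit.sh demo` to see the findings for the constructed tree; point the three functions at a real share to audit it.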
Additional controls:
© Copyright by Bundesamt für Sicherheit in der Informationstechnik, July 1999