Instances of access and use of any Information Technology resource should be automatically logged in the IT Access Control Log Template. The ITSD106-3 ACCESS CONTROL LOG should be retained in accordance with legal and regulatory requirements. Access to applications should be limited to authorized users and to normal business hours, with reasonable exceptions.
Access control is defined as the enforcement of specified authorization rules based on positive identification of users and the systems or data they are permitted to access (in other words, providing access to authorized users while denying access to unauthorized users). The Information Technology Security Manager should periodically (once a week is recommended) review the Access Control Log and present a status report to Information Technology Managers.