The Information Technology Security Manager should determine the company’s current state of access control in order to develop a baseline for the IT Access Control Plan Template. Once developed, ITSD106-1 IT ACCESS CONTROL PLAN should be submitted to Information Technology Managers for review and possible revision. The IT Access Control Plan Template should contain the following, at a minimum:
Business requirements for access regulation;
Rules for managing user access;
User responsibility guidelines;
Access control and operating systems;
Access control and applications; and
Monitoring user access.
The Information Technology Security Manager should monitor the IT Access Control Plan (that is, whether systems, databases, etc., are being used appropriately by the right people) by reviewing access logs, security logs, etc., on a periodic basis (once a week is recommended). Findings of such reviews should be reported to the Security Review Committee for its review and possible action.