This section contains the following sub-sections:
9.1 Business requirement for access control - business requirements for access control should be clearly documented in an access policy statement, including, for example, job-related access profiles (role-based access control).
9.2 User access management - the allocation of access rights to users should be strictly controlled through user registration and administration procedures, including special restrictions on the allocation of privileges and passwords, and regular access rights reviews.
9.3 User responsibilities - users should be made aware of their responsibilities for choosing strong passwords and keeping them confidential. Systems should be locked when left unattended (e.g. using password-protected screensavers or key locks).
9.4 Network access control - access to network services should be controlled, both within the organization and between organizations. Enforced paths and network segregation may be appropriate (e.g. using fixed/predefined network routes, firewalls and proxy servers). Remote users of the network and network nodes should be suitably authenticated. Remote diagnostic ports should be securely controlled. Security attributes of all network services should be clearly described.
9.5 Operating system access control - operating system security facilities and utilities should be used appropriately (numerous controls are noted in this section).
9.6 Application access management - application systems should incorporate security controls to restrict unauthorized access. Sensitive systems may require dedicated/isolated platforms and special handling.
9.7 Monitoring system access and use - systems should be monitored for access policy violations and other security events such as use of privileges and alarms/exception conditions. Logs and alarms should be reviewed at a frequency commensurate with the level of risk. System clocks should be synchronized.
9.8 Mobile computing and teleworking - there should be formal policies covering the secure use of portable PCs, PDAs, cellphones etc., and secure teleworking ("working from home" and other forms of mobile working).