Wherever possible, organizations should create a standardized platform for all critical systems across the enterprise that maps to your local IT standards. This will minimize anomalies during system and application implementation, assist with your data classification initiatives, and define a more accurate inventory.
The risk management process shall be integrated with the change management process within the organization, and risk assessments shall be conducted whenever there is a significant change in the environment, or a change that could have a significant impact. Results of the risk assessments shall be included in the change management process, so they may guide the decisions within the change management process (e.g. approvals for changes).
Access control rules shall account for and reflect the organization's policies for information dissemination and authorization, and these rules shall be supported by formal procedures and clearly defined responsibilities. Access control rules and rights for each user or group of users shall be clearly stated in an access control policy. Access controls are both logical and physical, and these shall be considered together. Users and service providers shall be given a clear statement of the business requirements to be met by access controls. For best results, use role-based access integrated with LDAP, and account for provisioning and deprovisioning for systems outside of managed domains.
NexTTyme LLC PO Box 620328 Charlotte, NC 28262 Email: Inbox@nexttyme.com