Sample Access Control Policy
www.infosectrain.com | www.azpirantz.com
1. Purpose
This policy aims to safeguard the confidentiality, integrity, and availability of the company's information assets by establishing a framework for controlling access to IT resources.
2. Scope
This policy applies to all individuals, including employees, contractors, and third-party users, who are granted access to the company's IT systems and data. It is intended to limit access to sensitive and critical information and information processing facilities.
3. Policy Overview
Access to the company's IT resources will be governed by the principle of least privilege. Users will be granted the minimum level of access required to perform their job functions. Access to information and application system functions will be restricted in accordance with this access control policy.
4. Roles and Responsibilities
IT Security Team: Responsible for the design, implementation, and maintenance of access control systems, as well as ensuring compliance with this policy. The IT Security Team will investigate violations and report them to senior management.
Managers: Accountable for approving and regularly reviewing access requests for their team members to ensure access levels remain appropriate.
Employees and Contractors: Required to adhere to this policy, use IT resources responsibly, and report any security incidents or potential breaches. All employees and contractors are responsible and authorized for adherence to this policy.
Head of IT Department: Responsible and authorized for enforcement of this policy.
Asset Owners: Responsible for determining the appropriate access rights and restrictions for specific user roles with respect to their assets. They are also responsible for periodically reviewing the access rights and restrictions granted to the various users and user groups for their assets.
Policy Statement
User Access Management
1. User Registration and De-registration
Onboarding and Offboarding: Establish a formal process to register new users and de-register those no longer needing access.
Access Allocation: Grant access based on business requirements using role-based access control principles.
Timely Revocation: Promptly remove access when users resign, contracts end, or roles change.
2. User Access Provisioning
Structured Assignment: Implement a clear process for assigning, updating, and revoking access rights.
Uniform Application: Apply access control policies consistently across employees, contractors, vendors, and temporary staff.
Immediate Updates: Ensure access rights are adjusted immediately upon any change in user status to prevent unauthorized entry.
3. Privileged Access Management (PAM)
Strict Control: Closely monitor and control the allocation of privileged accounts (administrative, superuser, root).
Need-to-Know Basis: Grant elevated access strictly based on necessity and review these permissions periodically.
Separate Accounts & MFA: Require separate accounts for administrative tasks and enforce multi-factor authentication for all privileged access.
4. Authentication Information Management
Credential Handling: Govern the creation, distribution, and use of sensitive authentication details such as passwords, keys, and tokens.
Best Practices: Enforce strong password policies with complexity requirements, regular expiration, and prevention of reuse.
Secure Storage: Use secure methods such as hashing and encryption to protect authentication information.
System and Application Control
1. Restricting Utility Programs
Limit access to tools that can bypass controls (e.g., debugging tools, privilege escalation scripts) to authorized personnel, with all usage logged and monitored.
Source Code Protection: Store program source code in secure, restricted environments, accessible only to authorized developers or security personnel.
*It is important to note that this is a sample policy; the actual policy document needs to be drafted according to the scope and requirements of the organization.
2. Policy Review and Updates
Annual Reviews: Conduct a comprehensive review of this policy at least once a year to ensure it remains aligned with evolving security threats and regulatory requirements.
Responsive Updates: Initiate immediate reviews and updates in response to significant changes in the IT environment.
3. User Training and Awareness
Mandatory Training: Provide all employees, contractors, and third-party users with the required training on this policy and their responsibilities.
Ongoing Awareness: Hold regular security awareness sessions to ensure continuous compliance with access control measures.
Compliance and Violations
Failure to comply with this policy may result in disciplinary action, including termination of employment or contract. Violations will be investigated by the IT Security Team and reported to senior management.
