Sample – File and Directory Permissions Policy
April 13, 2020

Policy Number | |
Program | Corporate External Access |
Control Objective | |
Department Owner | Risk Management / Information Security Officer |
Approval Authorities | |
Effective Date | |
ISO Reference | ISO/IEC 27001 (sections 9.1.1-2, 9.2.2, 9.2.4); CobiT 2000 (page 144); BS 7799 (section 9.2) |
Regulatory Reference | |
Purpose
The purpose of this policy is to define the security measures and specific standards necessary for reviewing Corporate network file and directory security permissions.
Policy Owner
The Risk Management Department’s Senior Risk Officer is responsible for establishing, guiding and advancing Risk Management Committee activities. Risk Management’s Information Security Officer (ISO) is responsible for coordinating and reporting technical security risks, controls and project activity. The Technology Services Department is responsible for policy implementation using ECM or any other means of compliance.
Target audience
This policy applies to all departments and employees of Corporate who manage and support the Network File Servers.
Policy Value
Corporate provides its employees, contractors and temporary workers with access to electronic communications to further Corporate’s appropriate and legitimate business purposes, while controlling and reducing the risk of accidental or unauthorized disclosure of information.
Resources must be checked
ECM will be configured with best-practice baseline directory and file permissions on servers and workstations. ECM will check on a regular basis to ensure that users have security rights only to the directories and files related to their work functions.
Server checking timeline
ECM will report directory and file access privilege audits on a quarterly basis to ensure that access rights have not changed unnecessarily.
Access rights must be logged and reviewed
Directory and file access rights must be logged according to departmental needs and reviewed during ECM directory and file access privilege audits in order to confirm which directories and files each user should and should not have access rights to.
Access Checking Tools
Directory and file access can be checked by using ECM to ensure compliance.
Enforcement
The Director of Risk Management, in coordination with the Technology Services Department, is responsible for policy enforcement. The Technology Services Department is responsible for policy implementation and is the front-line support for compliance. Violation of this policy would likely result in consultation, unless obvious disregard for the policy was evident and resulted in or contributed to non-performance according to the Senior Risk Officer’s or ISO’s written job description and performance expectations.