FISMA ISO27001 Access Control Policy and Procedures Audit Checklist

An access control policy should be established, documented, and reviewed based on business and security requirements for access. The policy and procedures should cover:
- Security requirements of individual business applications
- Identification of all information related to the business applications and the risks the information is facing
- Policies for information dissemination and authorization, e.g. the need-to-know principle and security levels and classification of information
- Consistency between the access control and information classification policies of different systems and networks
- Relevant legislation and any contractual obligations regarding protection of access to data or services
- Standard user access profiles for common job roles in the organization
- Management of access rights in a distributed and networked environment which recognizes all types of connections available
- Segregation of access control roles, e.g. access request, access authorization, access administration
- Requirements for formal authorization of access requests
- Requirements for periodic review of access controls
- Removal of access rights
Objectives
- The organization develops and documents access control policy and procedures;
- The organization disseminates access control policy and procedures to appropriate elements within the organization;
- Responsible parties within the organization periodically review access control policy and procedures; and
- The organization updates access control policy and procedures when organizational review indicates updates are required.
Procedures
- Examine the access control policy and procedures; reviewing for documented policy and procedures.
- Examine the access control policy and procedures and any other relevant documents (e.g., distribution list); reviewing for identification of the organization elements to which the policy and procedures are disseminated or otherwise made available.
- Examine the access control policy and procedures; reviewing for indication that the responsible parties within the organization periodically review the access control policy and procedures.
- Examine the access control policy and procedures; reviewing for indication that the access control policy and procedures are updated when organizational review indicates that such update is needed.
- Interview an agreed-upon representative sample of organizational personnel with access control policy and procedure responsibilities; conducting focused discussions to confirm that the access control policy and procedures are periodically reviewed, and they are updated when that review indicates a need.
Objectives
- The access control policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
- The access control policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
- The access control procedures address all areas identified in the access control policy and address achieving policy-compliant implementations of all associated access controls.
Procedures
- Examine the access control policy and any other relevant documents; reviewing for purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.
- Examine the access control policy and any other relevant documents; reviewing for indication of consistency with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance.
- Examine the access control policy and any other relevant documents; studying for consistency with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance.
- Examine the access control policy and procedures or other relevant documents; reviewing for indication that the access control procedures address all areas identified in the access control policy and address achieving policy-compliant implementations of associated access controls.
- Examine the access control policy and procedures or any other relevant documents; studying to verify that the access control procedures address all areas identified in the access control policy and address achieving policy-compliant implementations of associated access controls.
- Interview an agreed-upon representative sample of organizational personnel with access control responsibilities; conducting focused discussions to verify that the access control procedures are consistent with the access control policy.