IT staff systems/data access policy

IT pros typically have access to company servers, network devices, and data so they can perform their jobs. However, that access entails risk, including exposure of confidential information and interruption in essential business services. This policy offers guidelines for governing access to critical systems and confidential data.

From the policy:

Requirements for access

• All IT staff should be subjected to personnel screening as a requirement for hire.
• IT staff should be provided dedicated accounts tied to their identity rather than allowed to use generic system accounts (administrator/root, for instance).
• No staff members, whether inside or outside of IT, should ever share their account information or passwords.
• Administrative rights to systems/access to data should be granted to IT staff on a “least privilege” basis so they can perform the tasks needed to do their jobs but nothing further.
• All administrative rights to systems/access to data must be documented and kept exclusively by at least two senior IT staff, such as the IT director and the VP of information technology.
• Any elevated privileges granted to IT staff must be documented and removed as soon as the access is no longer required.
• IT staff must access systems and data only as needed for verifiable work purposes. It is a violation of this policy to engage in any exceptions to this principle, such as browsing confidential financial data, reading employee emails, reviewing termination documents, or any other misuse of access not involving job responsibilities.
• A “separation of duty” concept must apply to IT staff so that no individual is solely responsible for critical/secure functions nor has sole access to any system or data.