Access Control Standard
An access control standard specifies the technical requirements that authentication mechanisms, authorisation models, and session management must satisfy. This standard establishes minimum requirements for all systems that store, process, or transmit organisational data. Individual systems may impose stricter controls based on data sensitivity or regulatory obligations, but no system may operate below these baselines.
The standard applies to all systems under organisational control, including cloud services, on-premises infrastructure, and third-party platforms where the organisation maintains administrative responsibility. Systems managed entirely by third parties fall under contractual security requirements rather than this standard directly, though vendor assessments must verify equivalent controls exist.
- Authentication
- The process of verifying that an entity is who or what it claims to be, typically through credentials, tokens, or biometric factors.
- Authorisation
- The process of determining what actions an authenticated entity is permitted to perform on specific resources.
- Principal
- Any entity that can be authenticated and granted permissions: human users, service accounts, automated processes, or federated identities.
- Privileged access
- Access rights that permit modification of security controls, system configuration, or other principals’ permissions.
Authentication requirements
Authentication mechanisms must verify principal identity before granting any system access. The strength of authentication required scales with the sensitivity of accessible data and the privilege level of the account.
Password requirements
Passwords remain acceptable as a single authentication factor only for systems classified as low sensitivity with no access to personal data. All other systems require passwords combined with additional factors or passwordless authentication methods.
| Account type | Minimum length | Complexity | Maximum age | History |
|---|---|---|---|---|
| Standard user | 12 characters | No composition rules | No expiry | 5 previous |
| Privileged user | 16 characters | No composition rules | No expiry | 10 previous |
| Service account | 24 characters | Generated random | 365 days | Not reused |
| Emergency/break-glass | 24 characters | Generated random | Single use | Not applicable |
| Local administrator | 20 characters | Generated random | 180 days | Not reused |
Password complexity rules requiring specific character classes (uppercase, lowercase, numbers, symbols) reduce effective entropy by constraining user choices and encouraging predictable substitution patterns. Length provides greater security than composition requirements. A 12-character password without complexity rules drawn from a 95-character set provides approximately 79 bits of entropy, compared to 52 bits from an 8-character password with complexity requirements where users predictably select “Password1!”.
Systems must implement the following password controls:
| Control | Requirement |
|---|---|
| Lockout threshold | 10 failed attempts within 15 minutes |
| Lockout duration | 30 minutes or manual unlock |
| Lockout scope | Per-account, not per-source-IP |
| Breach detection | Check against known compromised password databases at creation and change |
| Storage | bcrypt with cost factor 12, Argon2id, or scrypt; never MD5, SHA-1, or unsalted hashes |
| Transmission | TLS 1.2 or higher only; never transmitted in URL parameters or logs |
Multi-factor authentication requirements
Multi-factor authentication (MFA) combines two or more independent verification methods from different categories: something the principal knows (password, PIN), something the principal possesses (hardware token, registered device), or something the principal is (biometric). Using two methods from the same category does not constitute MFA.
| System classification | MFA requirement |
|---|---|
| High sensitivity (personal data, financial, privileged access) | Required for all access |
| Medium sensitivity (internal business data) | Required for remote access; recommended for all access |
| Low sensitivity (public information only) | Not required |
| Administrative interfaces | Required regardless of classification |
| Cloud platform consoles | Required regardless of classification |
| Email and collaboration platforms | Required for all users |
| VPN and remote access | Required for all users |
MFA methods vary in resistance to interception and phishing attacks. The following table ranks methods by security strength:
| Method | Phishing resistant | Theft resistant | Acceptable for |
|---|---|---|---|
| FIDO2/WebAuthn hardware keys | Yes | Yes | All systems |
| Platform authenticators (Windows Hello, Touch ID) | Yes | Yes | All systems |
| FIDO2 passkeys (synced) | Yes | Partial | All systems |
| Authenticator app (TOTP) | No | Yes | Medium sensitivity |
| Authenticator app (push notification) | No | Partial | Medium sensitivity with number matching |
| SMS one-time password | No | No | Low sensitivity only; not for privileged accounts |
| Email one-time password | No | No | Low sensitivity only; not for privileged accounts |
Privileged accounts require phishing-resistant MFA methods. SMS and email-based one-time passwords are unacceptable for any account with administrative capabilities or access to high-sensitivity data, as these channels are vulnerable to SIM swapping, call forwarding attacks, and email compromise.
Push notification authentication must implement number matching, where the authenticator displays a number that the user must enter at the authentication prompt. This control prevents MFA fatigue attacks where adversaries repeatedly trigger push notifications until the user approves.
Passwordless authentication
Systems should support passwordless authentication through FIDO2/WebAuthn where technically feasible. Passwordless authentication eliminates the password as an attack vector entirely, relying on cryptographic proof of possession of a registered authenticator. The authenticator may additionally require biometric or PIN verification for user presence.
Passwordless authentication satisfies MFA requirements when the authenticator itself requires multi-factor verification (for example, a hardware key with PIN, or a platform authenticator with biometric).
Authorisation model
Authorisation determines what actions authenticated principals may perform. The authorisation model must implement least privilege, granting only the minimum permissions necessary for each principal’s legitimate functions.
Role-based access control
Role-based access control (RBAC) assigns permissions to roles, then assigns principals to roles. A role represents a job function or responsibility within the organisation. Principals inherit all permissions of their assigned roles, and nothing more.
+------------------------------------------------------------------+| RBAC STRUCTURE |+------------------------------------------------------------------+| || +-------------+ +-------------+ +-------------+ || | Principal | | Principal | | Principal | || | (User A) | | (User B) | | (Service X) | || +------+------+ +------+------+ +------+------+ || | | | || v v v || +------+------+ +-----+-------+ +-----+-------+ || | Role: | | Role: | | Role: | || | Finance | | Finance | | Backup | || | Analyst | | Manager | | Service | || +------+------+ +------+------+ +------+------+ || | | | || v v v || +------+------+ +-----+-------+ +-----+-------+ || | Permissions:| | Permissions:| | Permissions:| || | - View | | - View | | - Read all | || | reports | | reports | | files | || | - Run | | - Run | | - Write to | || | queries | | queries | | backup | || | | | - Approve | | storage | || | | | payments | | | || +-------------+ +-------------+ +-------------+ || |+------------------------------------------------------------------+Figure 1: RBAC model showing principals assigned to roles, which carry specific permissions
Role design must follow these requirements:
| Requirement | Specification |
|---|---|
| Role granularity | Roles must be granular enough that users do not require permissions they do not use; a role granting unused permissions violates least privilege |
| Role documentation | Each role must have documented purpose, intended assignees, and permission rationale |
| Role ownership | Each role must have a designated owner responsible for membership and periodic review |
| Separation of duties | Roles must enforce separation of duties for sensitive operations; no single role may both initiate and approve the same transaction type |
| Inheritance limits | Role hierarchies must not exceed 3 levels; deeper nesting obscures effective permissions |
| Maximum roles per user | Users should hold no more than 5 concurrent roles; additional roles require documented justification |
Attribute-based access control
Attribute-based access control (ABAC) evaluates access requests against policies that consider attributes of the principal, resource, action, and environment. ABAC provides finer-grained control than RBAC alone and handles dynamic conditions such as time, location, or device posture.
Organisations may implement ABAC as a layer above RBAC, where role membership is one attribute among many. A policy might grant access when the principal has the “Finance” role AND the request originates from a managed device AND the current time falls within business hours AND the resource’s data classification does not exceed the principal’s clearance level.
| Attribute category | Example attributes |
|---|---|
| Principal | Role, department, clearance level, employment status, training completion |
| Resource | Data classification, owner, creation date, sensitivity tags |
| Action | Read, write, delete, export, share |
| Environment | Time, location, device posture, network zone, authentication method strength |
ABAC policies must be documented, version-controlled, and tested before deployment. Policy changes require review and approval equivalent to code changes.
Privileged access requirements
Privileged accounts require additional controls beyond standard authentication and authorisation. Compromise of a privileged account threatens the entire environment, not merely the data that account directly accesses.
Privileged account types
| Account type | Definition | Examples |
|---|---|---|
| System administrator | Accounts with ability to modify system configuration, security controls, or other accounts | Domain Admin, root, Azure Global Administrator |
| Security administrator | Accounts with ability to modify security policies, access logs, or detection systems | Security Operations, SIEM Administrator |
| Application administrator | Accounts with ability to modify application configuration or access all application data | Database Administrator, SaaS tenant admin |
| Network administrator | Accounts with ability to modify network configuration or intercept traffic | Firewall admin, network device credentials |
| Backup administrator | Accounts with ability to access backup data or modify backup configuration | Backup operator, recovery service accounts |
Privileged access controls
| Control | Requirement |
|---|---|
| Dedicated accounts | Administrators must use separate accounts for privileged activities; daily work uses standard accounts |
| Privileged access workstations | High-sensitivity environments require dedicated devices for privileged access, isolated from email, web browsing, and general productivity applications |
| Just-in-time access | Where technically feasible, privileged access should be provisioned on-demand for limited duration rather than standing |
| Session recording | Administrative sessions on critical systems must be recorded for forensic and audit purposes |
| Command logging | Commands executed with elevated privileges must be logged with timestamp, principal identity, and full command text |
| Break-glass procedures | Emergency access mechanisms must exist for scenarios where normal privileged access is unavailable; these procedures must be documented, tested, and audited when invoked |
Privilege escalation
Privilege escalation paths must be explicitly defined and controlled. No principal should obtain elevated permissions except through documented, auditable mechanisms.
| Escalation type | Acceptable mechanism |
|---|---|
| Temporary elevation (same session) | sudo, runas with logged invocation |
| On-demand privileged access | Just-in-time provisioning through approved PAM system with automatic expiry |
| Emergency access | Break-glass procedure with mandatory incident documentation |
| Permanent privilege grant | Formal access request with management approval and documented justification |
Implicit privilege escalation through misconfigured permissions, overly broad service accounts, or unmonitored automation scripts constitutes a control failure requiring immediate remediation.
Service account requirements
Service accounts authenticate automated processes, applications, and system integrations rather than human users. Service accounts require distinct controls because they cannot respond to MFA prompts, often require persistent credentials, and their activity patterns differ fundamentally from human users.
| Requirement | Specification |
|---|---|
| Purpose documentation | Each service account must have documented purpose, owning system, responsible administrator, and data accessed |
| Unique accounts | Each application or service must use its own dedicated service account; shared service accounts are prohibited |
| Credential type | Use managed identities, workload identity federation, or certificate authentication where supported; API keys or passwords only where unavoidable |
| Credential storage | Service credentials must be stored in secrets management systems, not in code repositories, configuration files, or environment variables accessible to unprivileged processes |
| Credential rotation | Service account credentials must rotate on schedule: certificates every 365 days, passwords every 365 days, API keys every 180 days |
| Least privilege | Service accounts must have minimum permissions for their function; “administrator” or equivalent permissions on service accounts require documented exception |
| Monitoring | Service account activity must be logged and monitored for anomalous behaviour: unusual source locations, access times, or action patterns |
| Inventory | Maintain a complete inventory of service accounts with owner, purpose, systems accessed, and last review date |
Service accounts must not have interactive logon capability except where specifically required for the service function, in which case interactive logon must be restricted to designated service hosts.
Access review requirements
Access reviews verify that granted permissions remain appropriate. Without periodic review, permission accumulation occurs as principals change roles, projects conclude, and temporary access persists beyond its intended duration.
| Review type | Scope | Frequency | Reviewer |
|---|---|---|---|
| Privileged access | All accounts with administrative permissions | Quarterly | Security team with system owner sign-off |
| High-sensitivity systems | All accounts with access to systems classified high sensitivity | Quarterly | System owner |
| Standard access | All accounts with access to medium-sensitivity systems | Semi-annually | System owner or delegate |
| Service accounts | All service accounts and their permissions | Semi-annually | Service owner and security team |
| External access | All accounts belonging to external parties (contractors, partners, vendors) | Quarterly | Relationship owner and security team |
| Dormant accounts | Accounts with no authentication in 90 days | Monthly | Automated identification; manual review before action |
Review outcomes must be documented with the following information: reviewer identity, review date, accounts reviewed, decisions made (retain, modify, revoke), and justification for retained access. Reviewers must attest that they have verified each access grant remains necessary.
Identified violations must be remediated within defined timeframes:
| Finding severity | Remediation timeframe |
|---|---|
| Privileged access without valid justification | 24 hours |
| Access to high-sensitivity data without valid justification | 48 hours |
| Dormant privileged account | 24 hours (disable) |
| Dormant standard account | 7 days (disable) |
| Excessive permissions (more than role requires) | 14 days |
| Missing access review completion | 7 days (escalate to management) |
Session management requirements
Sessions maintain authentication state after initial verification, eliminating the need to re-authenticate for each request. Session controls balance usability against the risk of session hijacking or abandoned sessions providing unauthorised access.
| Control | Requirement |
|---|---|
| Session timeout (idle) | 15 minutes for high-sensitivity systems; 30 minutes for medium-sensitivity systems; 8 hours maximum for any system |
| Session timeout (absolute) | 12 hours maximum regardless of activity; 8 hours for privileged sessions |
| Concurrent sessions | Limit concurrent sessions per account based on legitimate need; alert on unusual patterns |
| Session binding | Sessions should be bound to client characteristics (IP address, device fingerprint) where practical; changes should prompt re-authentication |
| Session termination | Explicit logout must invalidate session server-side, not merely clear client-side tokens |
| Token security | Session tokens must be generated using cryptographically secure random number generators; minimum 128 bits of entropy |
| Token transmission | Session tokens transmitted only over encrypted channels; Secure flag required for cookies; HttpOnly and SameSite attributes required |
| Token storage | Session tokens should not be stored in localStorage; sessionStorage or HttpOnly cookies preferred |
Re-authentication must be required for sensitive operations regardless of session validity:
| Operation | Re-authentication requirement |
|---|---|
| Password change | Current password required |
| MFA configuration change | Current MFA verification required |
| Email address change | Current password and MFA required |
| Payment or financial transaction above threshold | MFA required |
| Export of bulk data | MFA required |
| Access to particularly sensitive records | Step-up authentication appropriate to data classification |
Federated authentication requirements
Federation allows principals authenticated by one identity provider to access resources in another organisation’s systems without maintaining separate credentials. Federation reduces credential proliferation but introduces dependencies on external identity providers and requires trust relationships to be carefully scoped.
| Requirement | Specification |
|---|---|
| Protocol | SAML 2.0 or OpenID Connect; WS-Federation acceptable for legacy systems; proprietary federation protocols prohibited |
| Identity provider vetting | External identity providers must demonstrate security controls equivalent to organisational standards before federation trust establishment |
| Attribute mapping | Map only necessary attributes from external assertions; do not blindly accept all provided attributes |
| Group/role mapping | External group memberships should map to local roles rather than directly to permissions; review mappings semi-annually |
| Session lifetime | Federated sessions should have shorter maximum lifetime than internal sessions: 8 hours maximum |
| Just-in-time provisioning | Provision federated user accounts at first access; disable accounts not accessed within 90 days |
| Federation agreement | Document federation relationships including: identity provider, permitted applications, attribute mappings, security requirements, termination provisions |
Implementation by system type
The following table provides lookup reference for how requirements apply to common system categories. Specific systems may require stricter controls based on risk assessment.
| System type | MFA required | Session timeout | Privileged access controls | Review frequency |
|---|---|---|---|---|
| Identity provider (IdP) | Yes, phishing-resistant | 15 min idle / 8 hr absolute | Full PAM controls | Quarterly |
| Cloud platform console (AWS, Azure, GCP) | Yes, phishing-resistant | 15 min idle / 8 hr absolute | Full PAM controls | Quarterly |
| Email and collaboration | Yes | 30 min idle / 12 hr absolute | Dedicated admin accounts | Semi-annually |
| Finance and ERP | Yes | 15 min idle / 8 hr absolute | Dedicated admin accounts | Quarterly |
| HR and payroll | Yes | 15 min idle / 8 hr absolute | Dedicated admin accounts | Quarterly |
| Case management (beneficiary data) | Yes | 15 min idle / 8 hr absolute | Dedicated admin accounts | Quarterly |
| CRM and fundraising | Yes | 30 min idle / 12 hr absolute | Dedicated admin accounts | Semi-annually |
| Internal wiki/documentation | Conditional | 8 hr idle / 24 hr absolute | Role-based admin | Annually |
| Public website CMS | Yes for admin | 30 min idle / 12 hr absolute | Dedicated admin accounts | Semi-annually |
Exceptions
Exceptions to this standard require documented approval from the information security function and the system owner’s management chain. Exception requests must include:
- Specific requirement(s) to be excepted
- Business or technical justification
- Compensating controls implemented
- Risk assessment with residual risk acceptance
- Review date (maximum 12 months)
- Accountable individual
Exceptions do not exempt systems from review and audit. Excepted controls must be re-evaluated at each review date, and exceptions renewed only if the original justification remains valid and no compliant alternative has become available.