Access control

You limit access to personal data to authorised staff only and regularly review users’ access rights.

You have an Access Control policy which specifies that users must follow your organisation's practices in the use of secret authentication information, for example passwords or tokens.
You implement a formal user access provisioning procedure to assign access rights for staff (including temporary staff) and third-party contractors to all relevant systems and services required to fulfil their role, for example 'new starter process'.
You restrict and control the allocation and use of privileged access rights.
You keep a log of user access to systems holding personal data.
You regularly review users’ access rights and adjust or remove rights where appropriate, for example when an employee changes role or leaves the organisation.

Are staff aware of the policies and procedures?
Are third-party access rights assigned appropriately given what is required in a contract?
Are access rights correct and up to date?
Would a sample of new starters, movers and leavers show adherence to the policies and procedures?