Writing the Records Access Security Plan (Expanded) document
Access Security Plan
Security and Access Control is of the utmost importance to Company Name. We have identified the following needs for security in the context of the Records Management program. Use this template to discuss areas in which security is needed.
These might include concerns about personal security of an organization's personnel, clients, or visitors; security of physical facilities from vandalism or theft; or data security, which often includes transmission and storage issues of both printed and computerized records. To fill in the categories below, state a general category (such as "Security of Front Office Staff" or "Data Security") and then describe the need for that type of security.
Security Groups
Security Groups can be classified as roles for user groups or as content groups for access rights. User access rights can be defined as View Only, Content Manager, Power User, and Administrator. These groups can also be organized based on groups of users or content items. Content-based Security Groups may also be classified as Confidential, Public, or Departmental.
Need: Describe the need for this type of security. Include any past incidents to make your case.
Risks: Insert your ideas of what might happen if security is not improved.
Requests/Recommendations: Insert any ideas you have about how to meet this security need.
Security Accounts
Accounts can be created for access to content repositories within the security group hierarchy. Accounts can be set up based on business units or for cross-departmental tasks or specific projects.
Need: Describe the need for this type of security. Include any past incidents to make your case.
Risks: Insert your ideas of what might happen if security is not improved.
Requests/Recommendations: Insert any ideas you have about how to meet this security need.
Document Level Security
Document level security is often stored at a metadata level of the record and should be limited to a single security group.
Need: Describe the need for this type of security. Include any past incidents to make your case.
Risks: Insert your ideas of what might happen if security is not improved.
Requests/Recommendations: Insert any ideas you have about how to meet this security need.
The Records Management program will require varied levels of access controls to allow different users and groups access to different portions of the content or to allow different privileges of access, such as contributions, edits, annotations, and deletions. Types of access include: View Only, Contributor, Super User, Administrator, and so on.
Document Level Access Category
Permissions for the level of access to a document are often set at the Security Group under the Public, Departmental or Confidential access rights. For example, if the user had View Only access to the Public group and View Only access to HR documents, the user would be able to read HR content that is open to the public, such as I9 forms, and would have no access to employee files.
Content Type: List applications or records categories.
Groups: List groups or communities that have access to the content.
Description: Describe the access level and security role, and activities that can be performed.
Security Level: Define the level of access.
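An added example, not part of the original template: a small Python model of the check described above, where a document carries exactly one security group plus an account, and a user's effective right is the weaker of the two grants. The class and function names, the ordering of the access levels, the deny-by-default rule, and the classification of employee files as Confidential are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Level(IntEnum):
    """Access types named in the plan; weakest-to-strongest order is assumed."""
    NONE = 0
    VIEW_ONLY = 1
    CONTRIBUTOR = 2
    SUPER_USER = 3
    ADMINISTRATOR = 4

SECURITY_GROUPS = {"Public", "Departmental", "Confidential"}

@dataclass(frozen=True)
class Document:
    name: str
    security_group: str  # exactly one group, held as record metadata
    account: str         # business unit or project account, e.g. "HR"

    def __post_init__(self):
        if self.security_group not in SECURITY_GROUPS:
            raise ValueError(f"unknown security group: {self.security_group}")

@dataclass
class User:
    name: str
    group_rights: dict = field(default_factory=dict)    # security group -> Level
    account_rights: dict = field(default_factory=dict)  # account -> Level

def effective_level(user: User, doc: Document) -> Level:
    """Deny by default: a missing grant on either axis yields NONE."""
    by_group = user.group_rights.get(doc.security_group, Level.NONE)
    by_account = user.account_rights.get(doc.account, Level.NONE)
    return min(by_group, by_account)  # the weaker grant wins

def can(user: User, doc: Document, needed: Level) -> bool:
    return effective_level(user, doc) >= needed

# Constructed sample data mirroring the HR example in the text.
I9_FORM = Document("I9 form", "Public", "HR")
EMPLOYEE_FILE = Document("Employee file", "Confidential", "HR")  # assumed group
CLERK = User("clerk", {"Public": Level.VIEW_ONLY}, {"HR": Level.VIEW_ONLY})
HR_LEAD = User("hr_lead", {"Public": Level.ADMINISTRATOR,
                           "Confidential": Level.CONTRIBUTOR},
               {"HR": Level.ADMINISTRATOR})

if __name__ == "__main__":
    for doc in (I9_FORM, EMPLOYEE_FILE):
        print(doc.name, effective_level(CLERK, doc).name)
```

Because the weaker grant wins, a broad account right never widens access beyond the document's security group, which is the property to verify when mapping these categories onto directory groups.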
User Access Category
Users are granted access to different kinds of documents or account level access.
Content Type: List applications or records categories.
Groups: List groups or communities that have access to the content.
Description: Describe the access level and security role, and activities that can be performed.
Security Level: Define the level of access.
Service Level Access Category
Service level access is used for system level access and impersonation accounts for system integrations. Service accounts often have specific rights and access to content stores across the Enterprise.
Content Type: List applications or records categories.
Groups: List groups or communities that have access to the content.
Description: Describe the access level and security role, and activities that can be performed.
Security Level: Define the level of access.
The Records Management program will require the following security measures to be implemented and maintained.
Security Access Account Management
The Security Plan outlined above will work well with LDAP and Active Directory to grant access and maintain permissions.
Responsible Party: Who is responsible?
Description of security access model, areas impacted, vulnerability assessment.
Specify how compliance is met and maintained in an action plan and how security measures will be adopted.
Security Access Scalability
The Security Plan as outlined above will make it easy to manage large user communities and expand throughout the enterprise.
Responsible Party: Who is responsible?
Description of security access model, areas impacted, vulnerability assessment.
Specify how compliance is met and maintained in an action plan and how security measures will be adopted.
Security Access Maintenance
User access and management are the responsibility of the Department or IT Administrator and are deployed using the following methods.
Responsible Party: Who is responsible?
Description of security access model, areas impacted, vulnerability assessment.
Specify how compliance is met and maintained in an action plan and how security measures will be adopted.