Emergency Access Policy

Version: 1.00Issue Date: 1/15/2015

This Emergency Access Policy defines requirements for emergency access to equipment and for defining an emergency.

1.0 Overview

This Emergency Access Policy will help ensure that security is kept in place during emergencies and that adequate preparation will help minimize the impact of emergencies.

2.0 Purpose

This Emergency Access Policy specifies what must be done in advance of an emergency and actions that can be taken during an emergency.

3.0 Scope

This Emergency Access Policy applies to all business owners of IT systems and IT staff that may be involved during an emergency. This policy is effective as of the issue date and does not expire unless superceded by another policy.

4.0 Emergency Access Definitions

  • The definition of an emergency or critical incident requiring emergency access must be defined and affected personnel must be made aware of it. The business owner should help define an emergency.
  • Temporary access authorization procedures must be defined, documented and approved by management. These procedures and associated forms must be readily available for emergencies.
  • Responsibilities for temporary access approval must be clearly defined, documented, and approved by management.
  • Definition of critical and priority systems must be available as defined by the business owners and IT management.

5.0 Emergency Access Requirements

  • Staff that are required for emergency situations must be identified.
  • Emergency access rights and the staff that will have them must be identified in advance by the business owners and IT management.
  • Procedures must be established for contacting support staff (contact information must be readily available) and ensuring they are available in the event of a critical situation or emergency.
  • If the system tracking problems in not available, actions taken must be manually documented. The problem management system must be updated with the information when it is available.

6.0 Authorization Changes

  • Changes to authorization must be logged on any systems that the changes are made on. The times that authorization changes are made must be recorded.
  • Actions taken while additional access is granted must be recorded.
  • Where possible temporary or emergency access must be automatically removed. Where this is not possible, a procedure must be in place to ensure that management checks to be sure temporary or emergency access is removed as soon as the problem is resolved.
  • A roles and responsibilites chart should be provided showing roles and responsibilities during an emergency or critical situation and where they deviate from normal.

7.0 Effectiveness

  • Management and the computer security section should monitor temporary access processes for effectiveness and monitor implementations of temporary access for accuracy. Updates to processes should be implemented where effectiveness and security can be improved.
  • Performance during emergency incidents should be reviewed by management and information gained should be used to make the emergency response procedures better.

8.0 Enforcement

Since following the Emergency Access Policy is important for the welfare of the organization, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

9.0 Other Policies

10.0 Additional Requirements

  • What constitutes an emergency or critical incident requiring emergency access must be defined.
  • Procedures to provide authority for temporary emergency access must be defined and approved.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________