The GDS Way and its content is intended for internal use by the GDS community.

Tracking Access Control

You should track the list of users who have access to the secrets by logging the permissions, such as accounts and credentials, associated with a security resource in a single, centralised Access Control List (ACL). The list specifies who or what is allowed to access the resource and the operations which are allowed to be performed on the resource.

Some teams use a spreadsheet as their ACL to log the access to systems and secrets as a centralised source of truth for logging joiner, mover and leaver access. Teams should:

• update the ACL to capture new joiner, mover and leaver access
• create default access for the different roles and capture any deviations from the default
• create a task to capture the progress of joiners, leavers and movers to make sure all the access has been granted, or removed and build this into the process

Further guidance

• NCSC - 10 steps to cyber security

This page was last reviewed on 4 January 2021. It needs to be reviewed again on 4 July 2021 by the page owner #gds-way .

This page was set to be reviewed before 4 July 2021 by the page owner #gds-way. This might mean the content is out of date.