User rights management
Who should have access to the VMS resources?
Organizations must:
- Limit user access to a small number of clearly identified individuals on a need-to-know basis.
- Maintain audit logs of user access and activities.
Access rights must be limited to a small number of clearly identified individuals on a strictly need-to-know basis. Make sure that authorized users can access only the data to which their access rights refer. Access control policies should be defined following the principle of “least privilege”: users should be granted access rights only to those resources that are strictly necessary to carry out their tasks.
Where VMS operators share a computer, Milestone recommends that they do not share a Windows login account. Each operator should have an individual account.
In addition, VMS operators should not select the option to remember their password when signing in to the VMS system.
Only the security officer, the system administrator, or other staff members specifically appointed by the security officer for this purpose should be able to grant, alter or annul access rights of any persons. Any provision, alteration or annulment of access rights must be made in accordance with criteria established in the video surveillance policy (see Appendix: Video surveillance policy).
Those having access rights must at all times be clearly identifiable individuals. For example, no generic or common user names and passwords should be allocated to an outsourced security company which employs several people to work for the organization.
The video surveillance policy must clearly specify and document the technical architecture of the video surveillance system, who has access to the surveillance video, for what purpose, and what those access rights consist of. In particular, you must specify who has the right to:
|
|
In addition, you must ensure that only those needing access to the following VMS features get these permissions:
|
|