Restrict Temporary Access to Secure Systems
Temporary access is not allowed for systems handling highly sensitive information.
Plain language
This control ensures that systems which handle very sensitive information do not have temporary access granted to them. The reason is simple: if you allow short-term access to these systems, there's a risk someone could misuse that access and expose critical information. Keeping these systems secure helps protect against data leaks and potential financial or reputational harm.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
Aug 2018
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for personnel security
Official control statement
Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information.
Why it matters
Granting temporary access to systems handling caveated or sensitive compartmented information can enable unauthorised disclosure and compromise of classified operations.
Operational notes
Enforce policy that no temporary accounts or time-bound access are issued for caveated/SCI systems; audit account creation and approvals to detect exceptions.
Implementation tips
- The IT manager should ensure proper policies are in place to restrict temporary access to secure systems. This can be done by reviewing current access policies and creating guidelines that explicitly state temporary access is not allowed for sensitive systems.
- System administrators need to configure the access settings on sensitive systems to disallow temporary access. This involves checking current system configurations and updating them so that no user accounts are given temporary permissions.
- HR should regularly communicate with staff about the importance of these access restrictions and ensure everyone understands why temporary access is not permitted. This could be done through periodic training sessions or informational emails.
- Management should conduct regular reviews to identify any potential loopholes where temporary access might be granted. They should gather reports of system access attempts and assess if any policies need strengthening.
- The security team should monitor access logs to ensure there are no attempts to bypass this restriction. Tools that generate alerts for any unusual access requests should be configured to notify the team immediately.
Audit / evidence tips
- Ask: the current access control policy document for sensitive systems
  Good: includes a clear statement forbidding temporary access for systems with sensitive information
- Good: shows no records of temporary access being granted
- Ask: to see a recent training or communication provided to staff about access policies. Check that the material highlights the prohibition of temporary access
  Good: includes examples of emails or presentation materials covering this topic
- Good: shows regular access by authorised personnel with no temporary distribution
- Ask: the settings configuration for these secure systems. Check that the option for temporary accesses is disabled
  Good: is a document or screenshot showing settings that restrict access permissions permanently
Cross-framework mappings
How ISM-0443 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (4) | | |
| Annex A 5.15 | ISM-0443 prohibits granting temporary access to systems that process, store or communicate caveated or sensitive compartmented information | |
| Annex A 5.18 | ISM-0443 mandates that organisations do not grant temporary access to systems processing, storing or communicating caveated or sensitive ... | |
| Annex A 8.2 | ISM-0443 requires that temporary access is not granted to systems handling caveated or sensitive compartmented information | |
| Annex A 8.3 | ISM-0443 prohibits temporary access to secure systems that handle caveated or sensitive compartmented information | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.