Implement File-Based Access Controls for Databases
Use file permissions to safeguard database files from unauthorised access.
Plain language
This control is about setting special rules for who can see or change your database files. Imagine your database as a filing cabinet full of important documents - if anyone can open it, someone could take sensitive information without you knowing. By using file-based access controls, you limit who has the keys to that cabinet, reducing the chance of a security breach.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2018
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
File-based access controls are applied to database files.
Why it matters
Without file-based controls on database files, attackers can read or modify data, logs or backups, causing leaks and integrity loss.
Operational notes
Audit OS ACLs on database data, log and backup files so only DB service accounts and admins can access them; review after role changes.
Implementation tips
- System owners should determine which staff need access to database files. Start by listing all people currently able to access the files and remove those who don't need it. Limit the number to only those who absolutely require it for their job.
- IT teams should set specific file permissions on the database files. They can do this by using operating system tools to restrict who can read, write, or delete files. Ensure these permissions are reviewed regularly to stay up to date with staff changes.
- Managers should create a process for requesting and granting access to database files. This should include a form that people fill out, which is then approved by a senior staff member before access is given.
- The IT department should perform regular checks to ensure file-based access controls are correctly in place. They can use simple scripts or software to report who accessed files and when.
- HR should ensure that any changes in staff status, like leaving the company or changing roles, are promptly communicated to IT. This helps in adjusting file access permissions immediately, avoiding lapses in security.
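The OS ACL audit called for in the operational notes, and the scripted check mentioned in the fourth tip, as an added example (not ISM or Control Stack material): it assumes a POSIX shell with ls, find and cut, and a policy where the caller supplies the expected owner (the DB service account) and the one approved admin group.

```shell
#!/bin/sh
# Added example (not from the ISM or Control Stack): audit OS permissions on
# database data, log and backup files. Assumed policy: each file is owned by the
# DB service account and has no "other" permission bits; group access is allowed
# only for an approved admin group. Account and group names are placeholders.

# audit_db_file PATH EXPECTED_OWNER APPROVED_GROUP
# Prints one FINDING line per violation to stderr; returns 0 if compliant, 1 if not.
audit_db_file() {
    path=$1; expected_owner=$2; approved_group=$3; rc=0
    if [ ! -e "$path" ]; then
        echo "FINDING: $path: missing" >&2
        return 1
    fi
    # ls -ld prints: mode links owner group ... (same on GNU and BSD userlands)
    set -- $(ls -ld "$path")
    mode=$1; owner=$3; group=$4
    group_bits=$(echo "$mode" | cut -c5-7)   # rwx triplet for group
    other_bits=$(echo "$mode" | cut -c8-10)  # rwx triplet for everyone else
    if [ "$owner" != "$expected_owner" ]; then
        echo "FINDING: $path: owned by $owner, expected $expected_owner" >&2; rc=1
    fi
    if [ "$other_bits" != "---" ]; then
        echo "FINDING: $path: world-accessible ($mode)" >&2; rc=1
    fi
    if [ "$group_bits" != "---" ] && [ "$group" != "$approved_group" ]; then
        echo "FINDING: $path: group $group has access ($mode), only $approved_group is approved" >&2; rc=1
    fi
    return $rc
}

# audit_db_dir DIR EXPECTED_OWNER APPROVED_GROUP
# Audits every regular file under DIR (paths without whitespace assumed) and
# prints the number of non-compliant files; 0 means the tree is clean.
audit_db_dir() {
    bad=0
    for f in $(find "$1" -type f); do
        audit_db_file "$f" "$2" "$3" || bad=$((bad + 1))
    done
    echo "$bad"
}

# Constructed demo: a correctly locked-down data file next to a world-readable backup.
demo_dir=$(mktemp -d)
touch "$demo_dir/main.db" "$demo_dir/backup.tar"
chmod 600 "$demo_dir/main.db"; chmod 644 "$demo_dir/backup.tar"
echo "non-compliant files: $(audit_db_dir "$demo_dir" "$(id -un)" "$(id -gn)")"
rm -rf "$demo_dir"
```

Run it against the real data, log and backup directories with the service account and admin group from the access list, and keep the FINDING output as evidence for the review cycle.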
Audit / evidence tips
- Ask: documentation on current file access permissions
- Ask: the latest audit or report on file access reviews. Review how often these checks are done and any findings documented.
  Good: audit involves regular review cycles and actions taken on findings.
- Ask: security training records related to database access
Cross-framework mappings
How ISM-1256 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Partially meets (2)
| Control | Notes |
|---|---|
| Annex A 5.15 | ISM-1256 requires applying file permissions to database files to protect them from unauthorised access |
| Annex A 8.3 | ISM-1256 requires file-based access controls (e.g |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.