Access control policy

Published: 08 October 2024
Freedom of information class: How we manage our resources

This policy relates to access to RoS digital information assets.


1. Purpose and scope

1.1 This policy sets out the Registers of Scotland (RoS) commitment to protect information by appropriately controlling access to it throughout its lifecycle. It covers all our information assets wherever they are collected, created, used, transferred or stored. Its principles apply across technical and physical environments, and to any party requiring access.

1.2 This policy is subordinate to the overarching RoS Information security policy.

2. Controlled access to information

2.1 We will protect our information assets, including system resources, by ensuring access to them is controlled and limited to authorised individuals and resources only.

2.2 Referencing recognised standards, we will establish procedures and processes to ensure that requirements for access to systems, applications, and data are clearly defined, documented, and operated in practice.

2.3 These controls will be appropriately monitored to ensure their currency and effectiveness over time.

3. Guiding principles

These procedures and processes will ensure that:

3.1 All access is authorised based on requirements of the role.

3.2 Authorised access is provided on a need to know/need to use basis (including where all roles require access to an asset).

3.3 Privileged access is provided on a ‘least privilege’ basis – permissions are elevated only in line with the requirements of the role.

3.4 Authorised access is granted to a unique user identity.

3.5 Wherever possible, user identities will be derived from a single source of truth.

3.6 Wherever appropriate, unique user identities will be authenticated prior to access.

3.7 Access must be subject to periodic review.

3.8 When no longer authorised or required, access and/or related permissions must be removed without undue delay.

4. Roles and responsibilities

4.1 All RoS employees and contingent workers are bound by the commitments of this policy, and:

  • Are required to effectively operate the range of procedures and controls which facilitate compliance in practice
  • Must report any non-conformance with, or improvement to, policy requirements to the Information Security Assurance Group (ISAG)

4.2 Managers and Team Leads must ensure that all related processes, products or services support compliance with this policy.

4.3 The Information Security Assurance Group has ownership of this policy and is responsible for enforcement of its requirements.

4.4 The Information Security Assurance Group (ISAG) is accountable for Information Governance, which includes requirements for the protection and handling of RoS Information Assets.

4.5 Frameworks (or Agreements) must be in place to ensure that all partners within a supply chain are aware of the policy requirements and understand their responsibilities for compliance.

4.6 This policy should be part of the publication scheme. Internally this must be a mandatory read for all employees and contingent workers.

5. Approval and review

5.1 This policy will be reviewed and approved by the RoS Information Security Assurance Group (ISAG) annually, unless earlier review is appropriate.

Author: Information Assurance Advisor
Reviewed: Service Manager for Information Security Risk and Assurance
Cleared: Director of Policy and Corporate Services and Accountable Officer
Approval: Information Security Assurance Group (ISAG)
Approval date: July 2024
Policy version: V 3
Review responsibility: Information Security Assurance Group (ISAG)
Review date: July 2025
Publication scheme: Yes
Email to contact: SRA@ros.gov.uk