The IT Law Wiki


An access control policy is

[a] statement of intent with regard to control over access to, dissemination of, and modification on an information processing system. The policy must be precisely defined and implemented for each system that is used to process information. The policy must accurately reflect the laws, regulations, and general policies from which it is derived.[1]

An access control policy is "[t]he set of rules that define the conditions under which an access may take place."[2]


  1. Draft Comprehensive Information Assurance Dictionary 8 (1995) (full-text).
  2. Compendium of Approved ITU-T Security Definitions, at 2.

See also[]