
CONTROL FRAMEWORK

www.securityforum.org

CF

Copyright © 2011 Information Security Forum • 2011 Standard of Good Practice CF6.1

FUNDAMENTAL

CF6.1 Access Control

(continued)

CF6.1.5

Access privileges for both business users and computer staff (eg computer operators and system administrators) should be approved by an appropriate business representative.

CF6.1.6

Before access privileges come into effect:

a) authorisations should be checked to confirm access privileges are appropriate

b) details of users should be recorded, including their true identity, associated identifier (eg UserID) and access privileges to be granted

c) users should be advised of – and be required to confirm understanding of – their access privileges and associated conditions of use.

CF6.1.7

Access privileges should not be assigned collectively (eg using identifiers such as UserIDs or authenticators such as passwords shared in a group) unless special circumstances apply. Whenever they need to be assigned collectively, this should be documented, approved by an appropriate business representative and subject to additional controls (eg restricted access privileges and contractual conditions).

CF6.1.8

Additional controls should be applied to special access privileges, including high-level privileges (eg ‘root’ in UNIX or ‘Administrator’ in Windows systems, powerful utilities and privileges that can be used to authorise payments or perform financial transactions), which include:

a) specifying the purpose of special access privileges

b) restricting the use of special access privileges to narrowly defined circumstances

c) requiring individual approval for the use of special access privileges

d) requiring users with special access privileges to sign-on using identification codes or tokens that differ from those used in normal circumstances

e) logging and reviewing the use of special access privileges.

CF6.1.9

A process for terminating the access privileges of users should be established to ensure that:

a) authentication details and access rights are revoked promptly on all systems to which the user had access

b) access profiles / accounts are deleted

c) components dedicated to providing access, such as tokens or modems, are disabled or removed.

CF6.1.10

Access control arrangements should be:

a) reviewed on a regular basis

b) upgraded in response to new threats, capabilities, business requirements or experience of information security incidents.

Related areas / topics

CF8.2 Identity and Access Management

ISF resources

Identity and Access Management (IAM): Workshop Report


CF6.2 User Authorisation

Principle

All individuals with access to business applications, systems, networks and computing devices should be authorised before they are granted access privileges.

Objective

To restrict access to business applications, systems, networks and computing devices to authorised users.

CF6.2.1

The processes for authorising users should:

a) be defined in writing, approved by the relevant owner and applied to all users

b) associate access privileges with defined users (eg using unique identifiers such as UserIDs)

c) assign users with default access privileges of ‘none’ (ie rather than ‘read’)

d) ensure redundant identifiers (eg UserIDs) are not re-issued for use.

CF6.2.2

A file or database containing details of all authorised users for each system should be established, which should be maintained by designated individuals, such as particular system administrators, and protected against unauthorised change or disclosure.

CF6.2.3

Details of authorised users should be reviewed:

a) to ensure that access privileges remain appropriate

b) to check that redundant authorisations have been deleted (eg for employees who have changed roles or left the organisation)

c) on a regular basis (eg at least every six months)

d) on a more regular basis for users with special access privileges (eg every three months).
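The review in CF6.2.3 (and the no-re-issue rule in CF6.2.1 d) can be run mechanically against the authorised-user register that CF6.2.2 requires. The following Python is an added illustration, not part of the Standard; the register contents, the HR roster and the 182/91-day approximations of "six months" and "three months" are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Review cadence from CF6.2.3, approximated in days (assumption).
REVIEW_INTERVAL = timedelta(days=182)          # at least every six months
SPECIAL_REVIEW_INTERVAL = timedelta(days=91)   # every three months for special privileges


@dataclass
class AuthorisedUser:
    user_id: str
    role: str              # role recorded when access was authorised
    privileges: tuple      # () means the CF6.2.1 c) default of 'none'
    special: bool          # high-level privileges (eg root / Administrator)
    last_reviewed: date


def review_register(register, hr_roster, today):
    """Return {UserID: [findings]} for entries needing action.
    hr_roster maps UserID -> current role, or None once the person has left."""
    findings = {}
    for u in register:
        issues = []
        current_role = hr_roster.get(u.user_id)
        if current_role is None:
            issues.append("redundant: user has left the organisation")
        elif current_role != u.role:
            issues.append(f"redundant: role changed {u.role} -> {current_role}")
        interval = SPECIAL_REVIEW_INTERVAL if u.special else REVIEW_INTERVAL
        overdue = (today - u.last_reviewed) - interval
        if overdue > timedelta(0):
            issues.append(f"review overdue by {overdue.days} days")
        if issues:
            findings[u.user_id] = issues
    return findings


def may_issue_identifier(candidate, register, retired_ids):
    """CF6.2.1 d): a UserID in use or previously retired must not be re-issued."""
    return candidate not in retired_ids and all(u.user_id != candidate for u in register)


def run_review(today=date(2011, 12, 1)):
    # Constructed sample register and HR roster (not real data).
    register = [
        AuthorisedUser("u1001", "AP clerk", ("read",), False, date(2011, 7, 1)),
        AuthorisedUser("u1002", "sysadmin", ("root",), True, date(2011, 8, 1)),
        AuthorisedUser("u1003", "analyst", ("read", "write"), False, date(2011, 10, 15)),
        AuthorisedUser("u1004", "developer", ("read",), False, date(2011, 11, 1)),
    ]
    hr_roster = {"u1001": "AP clerk", "u1002": "sysadmin", "u1003": None, "u1004": "support"}
    return review_register(register, hr_roster, today)
```

In a real deployment the register and roster would be pulled from the systems concerned; the point is that each finding maps directly to a CF6.2.3 bullet, so the output doubles as evidence of the review.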

Related areas / topics

CF8.2 Identity and Access Management

ISF resources

Identity and Access Management (IAM): Workshop Report

CF6.3 Access Control Mechanisms

Principle

Access to business applications, systems, networks and computing devices should be restricted to authorised individuals by the use of access control mechanisms.

Objective

To limit access to only authorised individuals.

CF6.3.1

Access to business applications, systems, networks and computing devices should be restricted by using access control mechanisms, such as passwords, tokens or biometrics.

Access control mechanisms typically involve the submission of two pieces of information to prove an identity: a unique identifier (eg UserID or a user’s fingerprint) and a corresponding authenticator (eg a password or digital certificate).

Access control mechanisms are often classified in terms of the factors that are used to authenticate users, and are based upon something the user:

• knows (eg a password)

• has (eg physical token, smartcard or digital certificate)

• is or does (eg biometrics such as fingerprint, iris pattern, hand geometry, voice characteristic or writing style).

CF6.3.2

Access control mechanisms should be based on:

a) the results of a risk assessment

b) assessing the criticality of information being accessed

c) determining the access control requirements (eg usability, resistance to attack and budgetary constraints)

d) evaluating access control mechanism functionality

e) considering additional selection factors (eg vendor preference or integration with a physical security system)

f) selecting the most suitable access control mechanism (eg following a comparison of assessed access control mechanisms).

Organisations often choose to combine more than one access control mechanism (eg passwords and tokens or passwords and biometrics) to provide stronger authentication.

CF6.3.3

The use of access control mechanisms should be based on:

a) usability (eg simplicity, reliability, speed of use and ease of user administration)

b) resistance to attack (eg brute force, social engineering, malware and theft of authentication equipment)

c) budgetary constraints (eg licensing, integration, provisioning and training, and maintenance).

CF6.3.4

The functionality of potential access control mechanisms should be subject to an evaluation to determine the degree to which they will meet access requirements. The evaluation should take into account:

a) the strength of existing controls that influence the suitability of access control mechanisms (eg identity and access management, physical security or system hardening)

b) special factors that may influence the choice of access control mechanism (eg vendor preference, integration with physical security or regulatory pressures).


CF6.3.5

Access control mechanisms should be provided using approved hardware / software (eg ‘pictures and patterns’ software, physical tokens, fingerprint readers and iris scanners).

Related areas / topics

CF5.3 Customer Connections

ISF resources

Identity and Access Management (IAM): Workshop Report

Managing access in a changing world: Digest Report


SPECIALISED

CF6.4 Access Control Mechanisms – Password

Principle

Target environments (eg business applications, computer systems or network devices) that are configured with access control mechanisms based on passwords should require users to provide a valid UserID and password before they can gain access to them.

Objective

To prevent unauthorised users from gaining access to password-protected critical or sensitive