Control
An access control policy shall be established, documented and periodically reviewed/updated based on business, information, and IACS security requirements.

The access control policy shall be: (i) a formal, documented, access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.

The access control policy, processes, and procedures shall be consistent with applicable laws, directives, policies, regulations, standards, and guidance and in alignment with the security requirements of the IACS(s). The access control policy can be included as part of the general information security policy for the organization. Access control procedures can be developed for the security program in general, and for a particular IACS, when required.
Implementation guidance
Asset owners should determine appropriate access control rules, access rights and restrictions for specific user roles towards their assets, with the amount of detail and the strictness of the controls reflecting the associated information security risks.

Access controls are both logical and physical (see 11) and these should be considered together.

Users and service providers should be given a clear statement of the business requirements to be met by access controls.

Access control is the method of controlling who or what resources can access premises and systems and what type of access is permitted. There are three key aspects associated with access control: account management & administration, identification & authentication, and use control & authorization. All three aspects must work together to establish a sound and secure access control strategy.
a) Account management & administration – Account management and administration is the method associated with establishing, granting and revoking access accounts and maintaining the permissions and privileges provided under these accounts to access specific resources and functions on the physical premises, network or system. Access accounts should be function- or role-based and may be defined for individuals, groups of individuals functioning as a crew, or for devices providing a function.

b) Identification & authentication – Identification and authentication positively identifies network users, hosts, applications, services and resources for computerized transactions so that they can be given the rights and responsibilities associated with the accounts they have been granted under account administration. There are several types of authentication strategies and each has varying degrees of strength. Strong authentication methods are ones that are quite accurate in positively identifying the user. Weak authentication methods are ones that can be easily defeated to provide unwanted access to information. The physical location of the user may have a significant impact on the risk of accessing the IACS.

c) Use control & authorization – Use control and authorization grants access privileges to resources upon successful identification and authentication of a user’s access account. The privileges granted are determined by the account configuration set up during the account management and administration step in the business process.
Permission to access systems or areas utilizing these three aspects of access control is based on specific needs as determined by management policies. Access to sensitive systems and IACS devices can be controlled by logical means (rules that grant or deny access to known users based on their roles), physical devices (locks, cameras, and other controls that restrict access to the IACS), or both. The policy should take account of the following:

This document is a WORKING DRAFT of an ISA99 committee work product. It may not be accurate or complete and is subject to change without notice. It is provided SOLELY for the purpose of review in support of further development of committee work products. This document may not be copied, distributed to others, or offered for further reproduction or for sale.
a) security requirements of business and IACS applications;
b) policies for information dissemination and authorization, e.g. the need-to-know principle and information security levels and classification of information and the IACS (see 8.2);
c) consistency between the access rights and information and IACS classification policies of different systems and networks;
d) relevant legislation and any contractual obligations regarding limitation of access to data or services or the IACS (see 18.1);
e) management of access rights in a distributed and networked environment which recognizes all systems and types of connections available;
f) segregation of access control roles, e.g. access request, access authorization, access administration;
g) requirements for formal authorization of access requests (see 9.2.1);
h) requirements for periodic review of access rights (see 9.2.5);
i) removal of access rights (see 9.2.6);
j) archiving of records of all significant events concerning the use and management of user identities and secret authentication information;
k) roles with privileged access (see 9.2.3);
l) permission to access IACS devices can be logical (rules that grant or deny access to known users based on their roles), physical (locks, cameras, and other controls that restrict access to the IACS), or both;
m) in critical environments, multiple authorization methods should be employed to limit access to the IACS.
Other information
Care should be taken when specifying access control rules to consider:
a) establishing rules based on the premise “Everything is generally forbidden unless expressly permitted” rather than the weaker rule “Everything is generally permitted unless expressly forbidden”;
b) changes in information labels (see 8.2.2) that are initiated automatically by information processing facilities and those initiated at the discretion of a user;
c) changes in user permissions that are initiated automatically by the information system and those initiated by an administrator;
d) rules which require specific approval before enactment and those which do not.

Access control rules should be supported by formal procedures (see 9.2, 9.3, 9.4) and defined responsibilities (see 6.1.1, 9.2, 15.1).

Role-based access control is an approach used successfully by many organizations to link access rights with business roles.

Two of the principles frequently directing the access control policy are:
a) Need-to-know: you are only granted access to the information you need to perform your tasks (different tasks/roles mean different need-to-know and hence different access profiles);
b) Need-to-use: you are only granted access to the information processing facilities and IACS (IT equipment, IACS equipment, processes, systems, applications, procedures, rooms) you need to perform your task/job/role.
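The following is an added illustration, not part of the ISA99 draft, of how the two rule premises in item a) above behave when applied to the same role-based policy: under "forbidden unless expressly permitted" a request for a resource nobody thought to list is refused, while under "permitted unless expressly forbidden" it is granted. The role names, resource names and actions are constructed for the example.

```python
"""Added example (not from the ISA99 draft): a minimal role-based access
check evaluated under both rule premises named in the text. All role,
resource and action names below are constructed sample values."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    resource: str   # an IACS asset or information item, e.g. "plc-01"
    action: str     # what is requested on it, e.g. "operate", "read"


@dataclass
class Policy:
    # role -> pairs the role is expressly permitted (strong rule uses this)
    allow: dict[str, set[Permission]] = field(default_factory=dict)
    # role -> pairs the role is expressly forbidden (weak rule uses this)
    deny: dict[str, set[Permission]] = field(default_factory=dict)


def default_deny(policy: Policy, roles: list[str], resource: str, action: str) -> bool:
    """Strong premise: grant only if some held role expressly permits it."""
    req = Permission(resource, action)
    return any(req in policy.allow.get(r, set()) for r in roles)


def default_allow(policy: Policy, roles: list[str], resource: str, action: str) -> bool:
    """Weak premise: grant unless some held role expressly forbids it."""
    req = Permission(resource, action)
    return not any(req in policy.deny.get(r, set()) for r in roles)


# Constructed sample policy: operators may operate plc-01 and read the
# historian; maintenance may additionally write plc-01 logic. The deny
# list only records what an administrator remembered to forbid.
SAMPLE = Policy(
    allow={
        "operator": {Permission("plc-01", "operate"), Permission("historian", "read")},
        "maintenance": {Permission("plc-01", "operate"), Permission("plc-01", "write-logic")},
    },
    deny={"operator": {Permission("plc-01", "write-logic")}},
)


def compare(roles: list[str], resource: str, action: str) -> tuple[bool, bool]:
    """Return (strong-rule decision, weak-rule decision) for one request."""
    return (default_deny(SAMPLE, roles, resource, action),
            default_allow(SAMPLE, roles, resource, action))
```

The revealing case is a request against an asset that appears in neither list (for example a safety PLC nobody catalogued): the weak premise grants it because no explicit prohibition exists, which is exactly the gap the text warns against.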
9.1.2 Access to networks and network services