ACCESS CONTROL

Cards (42)

  • THE CONTROLS: ACCESS CONTROL:
    • POLICY AND PROCEDURES Control:
    • Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
      1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] access control policy that:
         (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
         (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  • THE CONTROLS: ACCESS CONTROL:
    • POLICY AND PROCEDURES Control:
    • Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the access control policy and procedures; and
    • Review and update the current access control:
    1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
    2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
  • ACCESS CONTROL:
    • Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. 
  • ACCESS CONTROL:
    • Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations.
  • ACCESS CONTROL:
    • Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents.
  • ACCESS CONTROL:
    • Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
  • ACCOUNT MANAGEMENT:
    1. Define and document the types of accounts allowed and specifically prohibited for use within the system;
    2. Assign account managers;
    3. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership;
    4. Specify:
       (1) Authorized users of the system;
       (2) Group and role membership; and
       (3) Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account;
  • ACCOUNT MANAGEMENT
    1. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;
    2. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];
    3. Monitor the use of accounts;
  • ACCOUNT MANAGEMENT
    1. Notify account managers and [Assignment: organization-defined personnel or roles] within:
       (1) [Assignment: organization-defined time period] when accounts are no longer required;
       (2) [Assignment: organization-defined time period] when users are terminated or transferred; and
       (3) [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual;
  • ACCOUNT MANAGEMENT:
    1. Authorize access to the system based on:
       (1) A valid access authorization;
       (2) Intended system usage; and
       (3) [Assignment: organization-defined attributes (as required)];
    2. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency];
    3. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
    4. Align account management processes with personnel termination and transfer processes.
  • ACCOUNT MANAGEMENT:
    • Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access.
  • ACCOUNT MANAGEMENT:
    • Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies.
  • ACCOUNT MANAGEMENT:
    • Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements.
  • ACCOUNT MANAGEMENT:
    • Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes.
  • ACCOUNT MANAGEMENT:
    • Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated.
  • ACCOUNT MANAGEMENT:
    • Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. 
  • ACCOUNT MANAGEMENT | AUTOMATED TEMPORARY AND EMERGENCY ACCOUNT MANAGEMENT
    • Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
    • Discussion: Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation.
  • ACCOUNT MANAGEMENT | DISABLE ACCOUNTS
    • Disable accounts within [Assignment: organization-defined time period] when the accounts:
      (a) Have expired;
      (b) Are no longer associated with a user or individual;
      (c) Are in violation of organizational policy; or
      (d) Have been inactive for [Assignment: organization-defined time period].
    • Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality, which reduce the attack surface of the system.
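  • ACCOUNT MANAGEMENT | worked example (added here; not NIST SP 800-53 text): the two cards above describe one automated job: remove temporary and emergency accounts once their type-specific lifetime has elapsed, and disable accounts that have expired, lost their owner, violate policy, or have gone inactive, while leaving accounts of last resort alone. The Python below is an illustration of that job, with every decision emitted as an audit record in the spirit of the automated audit enhancement. The lifetimes, the inactivity limit, the prohibited account types and the sample inventory are all assumed values, not values the control prescribes.

```python
"""Automated account review covering AC-2(2), AC-2(3) and AC-2(4).

Added example, not NIST text: an inventory of accounts is checked against
organization-defined lifetimes and the AC-2(3) disable conditions, and every
decision is emitted as an audit record. All thresholds and sample accounts
below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed organization-defined values (the control leaves these to the organization).
TEMP_ACCOUNT_LIFETIME = timedelta(days=30)
EMERGENCY_ACCOUNT_LIFETIME = timedelta(hours=24)
INACTIVITY_LIMIT = timedelta(days=90)
PROHIBITED_TYPES = {"guest", "anonymous"}      # AC-2 a: types the organization prohibits
PERSON_BOUND_TYPES = {"individual", "temporary", "emergency", "developer"}


@dataclass
class Account:
    name: str
    kind: str                       # individual, service, temporary, emergency, last-resort, ...
    created: datetime
    last_login: Optional[datetime]
    owner: Optional[str]            # None: no longer associated with an individual
    expires: Optional[datetime] = None
    enabled: bool = True


@dataclass
class Action:
    account: str
    action: str                     # "disable" or "remove"
    reason: str


def review_accounts(accounts: List[Account], now: datetime) -> List[Action]:
    actions = []
    for a in accounts:
        if not a.enabled:
            continue
        # AC-2(2): temporary and emergency accounts are removed automatically once
        # their type-specific lifetime has elapsed, regardless of recent use.
        if a.kind == "temporary" and now - a.created > TEMP_ACCOUNT_LIFETIME:
            actions.append(Action(a.name, "remove", "temporary account past lifetime"))
            continue
        if a.kind == "emergency" and now - a.created > EMERGENCY_ACCOUNT_LIFETIME:
            actions.append(Action(a.name, "remove", "emergency account past lifetime"))
            continue
        reasons = []
        if a.expires is not None and a.expires <= now:                  # AC-2(3)(a)
            reasons.append("expired")
        if a.owner is None and a.kind in PERSON_BOUND_TYPES:            # AC-2(3)(b)
            reasons.append("no associated individual")
        if a.kind in PROHIBITED_TYPES:                                  # AC-2(3)(c)
            reasons.append("prohibited account type")
        # AC-2(3)(d); accounts of last resort are expected to sit unused and are exempt.
        if a.kind != "last-resort" and now - (a.last_login or a.created) > INACTIVITY_LIMIT:
            reasons.append("inactive")
        if reasons:
            actions.append(Action(a.name, "disable", "; ".join(reasons)))
    return actions


def audit_record(action: Action, actor: str, now: datetime) -> dict:
    """AC-2(4): each disable/remove decision becomes a record for AU-2/AU-6 review."""
    return {"ts": now.isoformat(), "actor": actor, "account": action.account,
            "event": "account_" + action.action, "reason": action.reason}


# Constructed sample inventory (not real accounts).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
D, H = timedelta(days=1), timedelta(hours=1)
SAMPLE_INVENTORY = [
    Account("alice", "individual", NOW - 400 * D, NOW - 3 * D, "alice@example.org"),
    Account("bob", "individual", NOW - 400 * D, NOW - 120 * D, "bob@example.org"),
    Account("contractor7", "temporary", NOW - 45 * D, NOW - 10 * D, "c7@vendor.example"),
    Account("ir-break-glass", "emergency", NOW - 30 * H, NOW - 2 * H, "oncall@example.org"),
    Account("svc-backup", "service", NOW - 800 * D, NOW - 1 * D, "platform-team"),
    Account("carol", "individual", NOW - 300 * D, NOW - 2 * D, None),
    Account("local-admin", "last-resort", NOW - 900 * D, NOW - 400 * D, "ops"),
    Account("guest", "guest", NOW - 10 * D, NOW - 1 * D, "visitor"),
    Account("dave", "individual", NOW - 200 * D, NOW - 1 * D, "dave@example.org", expires=NOW - 1 * D),
]


def run(inventory=SAMPLE_INVENTORY, now=NOW, actor="account-review-job") -> List[dict]:
    return [audit_record(a, actor, now) for a in review_accounts(inventory, now)]


if __name__ == "__main__":
    for rec in run():
        print(rec)
```

    • Two points a reviewer would check in a real job: the temporary and emergency checks run before the generic ones so a still-active contractor account is removed on schedule rather than kept alive by recent logins, and the last-resort account is exempt only from the inactivity rule, not from the expiry, ownership or policy rules.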
  • ACCOUNT MANAGEMENT | AUTOMATED AUDIT ACTIONS
    • Automatically audit account creation, modification, enabling, disabling, and removal actions.
    • Account management audit records are defined in accordance with AU-2 and reviewed, analyzed, and reported in accordance with AU-6.
  • ACCOUNT MANAGEMENT | INACTIVITY LOGOUT
    • Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out].
    • Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by AC-11.
  • ACCOUNT MANAGEMENT | DYNAMIC PRIVILEGE MANAGEMENT
    • Implement [Assignment: organization-defined dynamic privilege management capabilities].
    • Dynamic access control approaches rely on runtime access control decisions facilitated by dynamic privilege management, such as attribute-based access control. While user identities remain relatively constant over time, user privileges typically change more frequently based on ongoing mission or business requirements and the operational needs of organizations.
  • ACCOUNT MANAGEMENT | DYNAMIC PRIVILEGE MANAGEMENT
    • Implement [Assignment: organization-defined dynamic privilege management capabilities].
    • An example of dynamic privilege management is the immediate revocation of privileges from users as opposed to requiring that users terminate and restart their sessions to reflect changes in privileges. Dynamic privilege management can also include mechanisms that change user privileges based on dynamic rules as opposed to editing specific user profiles.
  • ACCOUNT MANAGEMENT | DYNAMIC PRIVILEGE MANAGEMENT
    • Implement [Assignment: organization-defined dynamic privilege management capabilities].
    • Examples include automatic adjustments of user privileges if they are operating out of their normal work times, if their job function or assignment changes, or if systems are under duress or in emergency situations. Dynamic privilege management includes the effects of privilege changes, for example, when there are changes to encryption keys used for communications.
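  • ACCOUNT MANAGEMENT | worked example (added here; not NIST SP 800-53 text): the three cards above contrast runtime, attribute-based decisions with privileges copied into a session at login. The Python below is an illustration of that pattern: a session carries identity only, a policy decision point evaluates each request against the subject's current attributes and the environment, so revoking an attribute takes effect on the next request without a re-login, and rules tighten privileges outside business hours or while the system is under duress. The roles, resources, hours and the duress flag are assumptions for the example, not anything the control names.

```python
"""Dynamic privilege management with attribute-based decisions, AC-2(6).

Added example, not NIST text: a session carries identity only, and every
request is decided against the subject's current attributes and the
environment. Revoking an attribute therefore bites on the next request with no
re-login, and rules tighten privileges out of hours or while the system is
under duress. Roles, resources and hours are assumptions.
"""
from datetime import datetime, timezone

BUSINESS_HOURS = range(7, 19)   # assumed organization-defined window, UTC


class AttributeStore:
    """Authoritative attribute source (an IdP or HR feed in practice)."""

    def __init__(self, subjects):
        self._subjects = {s: dict(attrs) for s, attrs in subjects.items()}

    def get(self, subject):
        return dict(self._subjects.get(subject, {}))

    def set(self, subject, key, value):
        self._subjects.setdefault(subject, {})[key] = value

    def revoke(self, subject, key):
        self._subjects.get(subject, {}).pop(key, None)


class Environment:
    def __init__(self, now, duress=False):
        self.now = now
        self.duress = duress


def decide(action, resource, attrs, env):
    """Policy decision point: (permit, reason) from current attributes, not a stored profile."""
    roles = attrs.get("roles", set())
    # Duress rule: while the system is under duress only incident responders may change anything.
    if env.duress and action != "read" and "incident-response" not in roles:
        return False, "system under duress: non-IR subjects are read-only"
    if resource.startswith("db:"):
        if action == "read":
            if "dba" in roles or resource in attrs.get("read-access", set()):
                return True, "read permitted"
            return False, "no read access to this database"
        if action in {"alter", "drop"}:
            if "dba" not in roles:
                return False, "dba role required"
            if attrs.get("assignment") != resource:        # assignment changes take effect at once
                return False, "not currently assigned to this database"
            if env.now.hour not in BUSINESS_HOURS and not attrs.get("change-window"):
                return False, "destructive change outside business hours without a change window"
            return True, "dba change permitted"
    return False, "no rule permits this request"


class Session:
    """Holds identity only; privileges are resolved at each request."""

    def __init__(self, subject, store):
        self.subject = subject
        self.store = store

    def request(self, action, resource, env):
        return decide(action, resource, self.store.get(self.subject), env)


def demo():
    """Constructed walk-through; returns (label, permitted) pairs in order."""
    store = AttributeStore({
        "alice": {"roles": {"dba"}, "assignment": "db:payroll"},
        "bob": {"roles": {"analyst"}, "read-access": {"db:payroll"}},
    })
    day = Environment(datetime(2024, 6, 3, 10, 0, tzinfo=timezone.utc))
    night = Environment(datetime(2024, 6, 3, 23, 0, tzinfo=timezone.utc))
    duress = Environment(day.now, duress=True)
    alice, bob = Session("alice", store), Session("bob", store)
    trace = []
    trace.append(("alice alter day", alice.request("alter", "db:payroll", day)[0]))
    trace.append(("alice alter night", alice.request("alter", "db:payroll", night)[0]))
    store.set("alice", "change-window", True)
    trace.append(("alice alter night, change window", alice.request("alter", "db:payroll", night)[0]))
    trace.append(("alice alter under duress", alice.request("alter", "db:payroll", duress)[0]))
    store.revoke("alice", "assignment")       # reassignment: same session, no re-login
    trace.append(("alice alter after revoke", alice.request("alter", "db:payroll", day)[0]))
    trace.append(("bob read", bob.request("read", "db:payroll", day)[0]))
    trace.append(("bob drop", bob.request("drop", "db:payroll", day)[0]))
    return trace


if __name__ == "__main__":
    for label, permitted in demo():
        print(f"{label}: {'permit' if permitted else 'deny'}")
```

    • The design point is where the attribute lookup happens: `Session.request` asks the store every time, so the fifth step in `demo()` is denied the moment the assignment is revoked, which is the "immediate revocation" the card describes. A cached copy of the attributes in the session object would reintroduce the re-login problem.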
  • ACCOUNT MANAGEMENT | PRIVILEGED USER ACCOUNTS
    (a) Establish and administer privileged user accounts in accordance with [Selection: a role-based access scheme; an attribute-based access scheme];
    (b) Monitor privileged role or attribute assignments;
    (c) Monitor changes to roles or attributes; and
    (d) Revoke access when privileged role or attribute assignments are no longer appropriate.
  • ACCOUNT MANAGEMENT | PRIVILEGED USER ACCOUNTS
    • Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management, account management, database administration, system and network administration, and web administration. A role-based access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes.
  • ACCOUNT MANAGEMENT | DYNAMIC ACCOUNT MANAGEMENT: Create, activate, manage, and deactivate [Assignment: organization-defined system accounts] dynamically:
    • Approaches for dynamically creating, activating, managing, and deactivating system accounts rely on automatically provisioning the accounts at runtime for entities that were previously unknown. Organizations plan for the dynamic management, creation, activation, and deactivation of system accounts by establishing trust relationships, business rules, and mechanisms with appropriate authorities to validate related authorizations and privileges.
  • ACCOUNT MANAGEMENT | RESTRICTIONS ON USE OF SHARED AND GROUP ACCOUNTS: Only permit the use of shared and group accounts that meet [Assignment: organization-defined conditions for establishing shared and group accounts]:
    • Before permitting the use of shared or group accounts, organizations consider the increased risk due to the lack of accountability with such accounts.
  • ACCOUNT MANAGEMENT | USAGE CONDITIONS:
    • Specifying and enforcing usage conditions helps to enforce the principle of least privilege, increase user accountability, and enable effective account monitoring. Account monitoring includes alerts generated if the account is used in violation of organizational parameters. Organizations can describe specific conditions or circumstances under which system accounts can be used, such as by restricting usage to certain days of the week, time of day, or specific durations of time.
  • ACCOUNT MANAGEMENT | ACCOUNT MONITORING FOR ATYPICAL USAGE:
    (a) Monitor system accounts for [Assignment: organization-defined atypical usage]; and
    (b) Report atypical usage of system accounts to [Assignment: organization-defined personnel or roles].
  • ACCOUNT MANAGEMENT | ACCOUNT MONITORING FOR ATYPICAL USAGE
    • Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals. Monitoring for atypical usage may reveal rogue behavior by individuals or an attack in progress. Account monitoring may inadvertently create privacy risks since data collected to identify atypical usage may reveal previously unknown information about the behavior of individuals.
  • ACCOUNT MANAGEMENT | ACCOUNT MONITORING FOR ATYPICAL USAGE
    • Organizations assess and document privacy risks from monitoring accounts for atypical usage in their privacy impact assessment and make determinations that are in alignment with their privacy program plan.
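  • ACCOUNT MANAGEMENT | worked example (added here; not NIST SP 800-53 text): the cards above name two signals of atypical usage, logins at unusual times and from unusual locations, and require that findings be reported to defined personnel. The Python below is an illustration of that detection logic: it learns a per-account baseline of login hours and source /24 networks from a historical window of a constructed authentication log, then reports later successful logins that fall outside it, including logins by accounts with no baseline at all. The log format, the hosts, the cutoff date and the one-hour tolerance are assumptions for the example.

```python
"""Account monitoring for atypical usage, AC-2(12).

Added example, not NIST text: a per-account baseline of login hours and
source networks is learned from a historical window, and later successful
logins outside that baseline are reported. Log format, hosts and thresholds
are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication log (not from a real system).
SAMPLE_LOG = """\
2024-03-04T08:02:11Z sshd user=alice src=10.20.1.15 result=success
2024-03-04T08:45:03Z sshd user=bob src=10.20.3.7 result=success
2024-03-05T09:10:41Z sshd user=alice src=10.20.1.15 result=success
2024-03-05T09:14:22Z sshd user=bob src=10.20.3.7 result=success
2024-03-05T17:55:09Z sshd user=alice src=203.0.113.9 result=failure
2024-03-06T08:30:00Z sshd user=alice src=10.20.1.16 result=success
2024-03-06T10:01:57Z sshd user=bob src=10.20.3.7 result=success
2024-03-07T08:12:09Z sshd user=alice src=10.20.1.15 result=success
2024-03-07T11:40:30Z sshd user=bob src=10.20.3.7 result=success
2024-03-08T03:17:44Z sshd user=alice src=203.0.113.9 result=success
2024-03-08T09:00:12Z sshd user=bob src=10.20.3.7 result=success
2024-03-08T12:00:00Z sshd user=mallory src=10.20.3.7 result=success
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")
HOUR_TOLERANCE = 1   # assumed slack around the observed hour range
BASELINE_CUTOFF = datetime(2024, 3, 8, tzinfo=timezone.utc)


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # unparseable lines are not trusted
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append({"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]})
    return events


def source_network(ip, prefix=24):
    # Compare on the /24 so a DHCP move within an office does not trip the alert.
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def build_baseline(events, until):
    # Only successful logins before the cutoff shape the baseline; a failed attempt
    # from an unknown network must not teach the detector that the network is normal.
    baseline = defaultdict(lambda: {"hours": set(), "nets": set()})
    for e in events:
        if e["ts"] < until and e["result"] == "success":
            baseline[e["user"]]["hours"].add(e["ts"].hour)
            baseline[e["user"]]["nets"].add(source_network(e["src"]))
    return dict(baseline)


def find_atypical(events, baseline, since):
    alerts = []
    for e in events:
        if e["ts"] < since or e["result"] != "success":
            continue
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("no baseline for account")
        else:
            # Note: a min/max window does not model shifts that span midnight.
            lo = min(b["hours"]) - HOUR_TOLERANCE
            hi = max(b["hours"]) + HOUR_TOLERANCE
            if not lo <= e["ts"].hour <= hi:
                reasons.append(f"off-hours login at {e['ts'].hour:02d}:00 UTC")
            net = source_network(e["src"])
            if net not in b["nets"]:
                reasons.append(f"new source network {net}")
        if reasons:
            alerts.append({"user": e["user"], "ts": e["ts"].isoformat(),
                           "src": e["src"], "reasons": reasons})
    return alerts


def report(log_text=SAMPLE_LOG, cutoff=BASELINE_CUTOFF):
    """Return the atypical-usage report to hand to the organization-defined personnel."""
    events = parse_events(log_text)
    return find_atypical(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for alert in report():
        print(alert)
```

    • On the privacy point in the cards above: the report carries only the account, timestamp, source and the reasons the event was flagged, which is the minimum the defined personnel need to act; retaining the full per-user baseline beyond the detection run is a separate decision to be taken in the privacy impact assessment.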
  • ACCOUNT MANAGEMENT | DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS
    • Disable accounts of individuals within [Assignment: organization-defined time period] of discovery of [Assignment: organization-defined significant risks].
  • ACCOUNT MANAGEMENT | DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS:
    • Users who pose a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation.
  • ACCOUNT MANAGEMENT | DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS:
    • Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential when disabling system accounts for high-risk individuals.
  • ACCESS ENFORCEMENT (AC-3):
    • Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
  • ACCESS ENFORCEMENT (AC-3):
    • Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. 
  • ACCESS ENFORCEMENT | DUAL AUTHORIZATION
    • Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].
  • ACCESS ENFORCEMENT | DUAL AUTHORIZATION
    • Dual authorization, also known as two-person control, reduces risk related to insider threats. Dual authorization mechanisms require the approval of two authorized individuals to execute. To reduce the risk of collusion, organizations consider rotating dual authorization duties. Organizations consider the risk associated with implementing dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety.
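  • ACCESS ENFORCEMENT | worked example (added here; not NIST SP 800-53 text): the card above states the mechanism, approval by two authorized individuals before a privileged command executes, and the collusion risk. The Python below is an illustration of a dual-authorization gate: an action on the controlled list runs only after two distinct authorized approvers, neither of them the requester, have approved that specific request, and approvals are single-use so they cannot be replayed against a second execution. The action names and approver names are assumptions for the example.

```python
"""Dual authorization (two-person control) for privileged actions, AC-3(2).

Added example, not NIST text: an action on the controlled list runs only
after two distinct authorized approvers, neither of them the requester, have
approved that specific request; approvals cannot be reused. Names of actions
and approvers are assumptions.
"""
import itertools
from dataclasses import dataclass, field
from typing import Callable, Set


class AuthorizationError(Exception):
    pass


@dataclass
class Request:
    id: int
    action: str
    requester: str
    approvals: Set[str] = field(default_factory=set)   # a set: one person counts once
    executed: bool = False


class DualAuthorizationGate:
    def __init__(self, controlled: Set[str], approvers: Set[str], required: int = 2):
        self.controlled = set(controlled)     # privileged commands needing two-person control
        self.approvers = set(approvers)       # individuals authorized to approve
        self.required = required
        self.requests = {}
        self._ids = itertools.count(1)

    def submit(self, action: str, requester: str) -> int:
        req = Request(next(self._ids), action, requester)
        self.requests[req.id] = req
        return req.id

    def approve(self, req_id: int, approver: str) -> int:
        """Record an approval bound to this request; returns the distinct approval count."""
        req = self.requests[req_id]
        if req.executed:
            raise AuthorizationError("request already executed")
        if approver not in self.approvers:
            raise AuthorizationError(f"{approver} is not an authorized approver")
        if approver == req.requester:
            raise AuthorizationError("the requester cannot approve their own request")
        req.approvals.add(approver)
        return len(req.approvals)

    def execute(self, req_id: int, run: Callable[[str], object]):
        req = self.requests[req_id]
        if req.executed:
            raise AuthorizationError("request already executed")   # approvals are single-use
        if req.action in self.controlled and len(req.approvals) < self.required:
            raise AuthorizationError(
                f"{req.action} requires {self.required} approvals, has {len(req.approvals)}")
        req.executed = True
        return run(req.action)


def demo():
    """Walk a controlled action through the gate; returns the outcomes in order."""
    gate = DualAuthorizationGate(controlled={"rotate-root-key"},
                                 approvers={"alice", "bob", "carol"})
    outcomes = []
    rid = gate.submit("rotate-root-key", requester="alice")
    for approver in ("alice", "bob", "bob", "carol"):
        try:
            n = gate.approve(rid, approver)
            outcomes.append(f"approved by {approver} ({n}/{gate.required})")
        except AuthorizationError as exc:
            outcomes.append(f"rejected: {exc}")
        try:
            outcomes.append(gate.execute(rid, lambda a: f"executed {a}"))
        except AuthorizationError as exc:
            outcomes.append(f"blocked: {exc}")
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```

    • `demo()` shows the three rejections a reviewer expects: the requester's own approval is refused, a repeated approval by the same person does not raise the count, and execution is blocked until the second distinct approver signs. The card's two caveats are outside the code: rotating who sits in the approver set reduces collusion risk, and for safety-critical actions an organization has to decide whether a delayed response is acceptable at all.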
  • ACCESS ENFORCEMENT | MANDATORY ACCESS CONTROL:
    • Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy:
      (a) Is uniformly enforced across the covered subjects and objects within the system;
      (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following:
         (1) Passing the information to unauthorized subjects or objects;
         (2) Granting its privileges to other subjects;
  • ACCESS ENFORCEMENT | MANDATORY ACCESS CONTROL:
    • Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy:
         (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components;
         (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and