Overview of the Access Control Policy
The Access Control Policy exists to provide a structured framework for managing access to an organization's data and systems. It is designed to protect sensitive information from unauthorized access while allowing users to get the information they need to do their jobs effectively. The policy addresses various aspects of access control, from user access management to physical asset protection, and outlines the procedures and responsibilities for ensuring secure access to organizational resources.
Key Points of the Access Control Policy
User Access Management Formalize the process of managing user access to critical data and systems, ensuring alignment with job responsibilities.
Allowed Account Types Identify and categorize account types that are permitted to access critical data or systems.
Role-Based Access Controls Implement access controls that map users to roles and roles to system functions, adhering to the principle of least privilege.
Role Membership Establish conditions for membership in roles or groups that provide access to critical data or systems.
Rules and Rights Consideration Define access control rules and rights for users or groups based on need-to-know and least privilege principles.
Acceptable Use Agreements Maintain agreements that outline the conditions of access to critical data and systems, requiring user acknowledgment.
Acceptable Use Acknowledgment Ensure users understand and agree to the conditions of their access before granting it.
Login Banners Display terms and conditions of access upon login, requiring user acceptance.
Least Privileged Limit access to what is minimally necessary for job responsibilities.
Default "Deny-All" Apply a default deny-all setting to all system components handling sensitive data.
File System Access Disable all file system access not explicitly required for job responsibilities.
System Outputs Ensure outputs from critical systems are sent only to authorized locations and contain minimal necessary information.
Shared Accounts Prohibit the use of group, shared, or generic accounts for accessing critical data or systems.
Default System Accounts Remove, disable, or secure unnecessary default system accounts.
Policy Exceptions Document and approve any exceptions to shared account policies, implementing additional controls.
Shared Account Approval Authorize the use of special account types by appropriate IT management.
Shared Account Credentials Modify or reset credentials for shared accounts when users change job responsibilities or are terminated.
Identification and Authentication Verify user identity and authorization before granting access to critical data or systems.
External Users Uniquely identify and authenticate external users before allowing access.
Help Desk User Identification Confirm user identity before help desk transactions involving critical data or systems.
Hardware Token User Identification Verify the identity of users in person before issuing hardware tokens.
Multi-Factor User Identification Verify the identity of users in person before issuing multi-factor authentication tokens.
Unique IDs Assign a unique ID to each user to trace activities to responsible individuals.
Additional Authentication Methods Employ additional methods like biometrics or token devices for user authentication.
Multi-Factor for Remote Access Use multi-factor authentication for all remote access to critical systems and data.
PKI-Based Authentication Validate certificates and enforce access to private keys for PKI-based authentication.
User Provisioning and Deprovisioning Formally authorize and control physical and logical access to critical data and systems.
System Administrator Notification Notify system administrators of changes in user access requirements.
Automated Mechanisms Use automated mechanisms to notify relevant personnel upon user termination.
Revocation or Reduction of Access Rights Revoke or reduce access rights before employment or workforce arrangement changes.
Access Changes After Notification Modify or revoke access within 24-hours of notification of a change in user access requirements.
High Risk Terminations Immediately revoke access for high-risk terminations and escort the individual from the premises if necessary.
Privileged Access Restrict access to privileged functions and security-relevant information to appropriate personnel.
Unique IDs for Privileged Access Assign unique names to accounts used for privileged functions.
Privileged Access Authorization Formally authorize access to security-relevant functions and information.
Separate Accounts Use separate accounts for privileged functions and normal business activity.
Technical Controls Implement technical controls to prevent non-privileged users from executing privileged functions.
Virtualized Systems Restrict access to management functions of virtualized systems to appropriate personnel.
Software Implementation Develop software to avoid the need for elevated privileges or system routines that grant privileges.
Remote Access Control and monitor all methods of remote access to critical data or systems.
Remote User Identification and Authentication Identify and authenticate remote users before allowing access over public networks.
Strong Authentication Use strong authentication methods for all external network connections.
Encryption Encrypt all remote access to critical data or systems.
Remote Administration Employ increased security measures for remote administration sessions.
Logging Log all remote access to critical data or systems.
Remote Access Review Monitor and review all remote connections quarterly to detect unauthorized access.
Third-Party Remote Access Enable third-party remote access only when in use and disable when not.
Node Authentication Implement secure encryption methods for node authentication of remote users.
Copy and Paste in Remote Sessions Disable default cut, copy, paste, move, print, and storage functions during remote sessions.
Unencrypted Dial-Up Connections Obtain written approval from the CIO for unencrypted dial-up connections.
Dial-Up Callback Implement a callback capability with re-authentication for dial-up connections.
Third-Party Access Assess and obtain agreement from third parties to comply with security requirements before granting access.
Minimally Necessary Limit third-party access to what is necessary for their job responsibilities.
User Discretion Assist users in determining the appropriate level of access for business partners.
User Access Review Review all active accounts with access to critical data or systems for appropriateness.
Account Listings Generate a current listing of all active accounts for the access review process.
Privileged Access Review Review privileged access accounts every 60 days for appropriateness.
Modification of Access Modify access rights according to access review instructions immediately upon completion.
Access Configuration Management Disable or remove unnecessary functions on servers or network systems.
Annual System Review Conduct an annual review to identify and disable unnecessary or non-secure services.
Peer-to-Peer Networking Protocols Disable unnecessary or non-secure networking protocols prior to implementation.
Inactivity Timeout Implement a timeout for user sessions after a period of inactivity.
Inactivity Timeout for Public Systems Apply a shorter inactivity timeout for publicly accessible systems.
BYOD Lockout Configure devices to require an automatic lockout screen.
Sensitive Data Encryption Encrypt sensitive data at rest, with exceptions documented and approved.
Wireless Authentication Authenticate both users and devices for wireless access to critical data or systems.
Application to Application Access Control and secure access rights that transfer between applications.
Blacklisted Software Maintain and review a list of unauthorized software applications annually.
Dial-Up Capabilities Investigate network equipment for dial-up capabilities and prevent unauthorized access.
Multifactor Authentication for Network Access Implement multifactor authentication for network access.
Multifactor Authentication for Access to Privileged Accounts Use multifactor authentication for local access to privileged accounts.
Replay-Resistant Authentication Mechanisms Employ mechanisms like nonce or one-time passwords for privileged account network access.
Hardware Token-Based Authentication Satisfy NIST SP 800-63 Electronic Guidelines for hardware token-based authentication.
Automated Mechanisms Support account management with automated mechanisms for disabling accounts.
Physical Asset Protection Secure critical system storage and restrict access to authorized personnel.
Sensitive Documents Protect sensitive information from unauthorized access.
Mail Services Ensure sensitive information is protected when using mail services.
Electronic Signatures Verify user identity before establishing electronic signatures.
Unique Electronic Signatures Ensure electronic signatures are unique and not reusable or reassignable.
Biometric Electronic Signatures Design biometric signatures to prevent manipulation by unauthorized individuals.
Handwritten Signatures Link electronic and handwritten signatures to their corresponding records.
Human-Readable Format Provide information on electronic signatures in a format that is human-readable.
In conclusion, the Access Control Policy is a comprehensive document that outlines the necessary steps and procedures to ensure secure and appropriate access to an organization's critical data and systems. It is a vital tool for protecting against unauthorized access and potential security breaches.
For those interested in implementing an Access Control Policy, we have a template available for purchase that can be tailored to your organization's specific needs.