II.C.15 Logical Security
Management should have an effective process to administer logical security access rights for the network, operating systems, applications, databases, and network devices, which should include the following:
- Assigning users and devices the access required to perform required functions.
- Updating access rights based on personnel or system changes.
- Reviewing users' access rights at an appropriate frequency based on the risk to the application or system.
- Designing appropriate acceptable-use policies and requiring users to agree to them.
- Controlling privileged access.
- Changing or disabling default user accounts and passwords.
System devices, programs, and data are system resources. Because users may access these resources through the institution's network, management should identify and restrict logical access to all system resources to the minimum required for legitimate and approved work activities, according to the principle of least privilege. Access beyond the minimum required for work to be performed exposes the institution's systems and information to a potential loss of confidentiality, integrity, and availability. The institution's logical security policy and procedures should address access rights and how those rights are to be administered. Management and system administrators should regularly evaluate information system access.
Logical user access rights administration consists of three processes:
- Enrolling new users to the system.
- Authorizing modifications to user access and deletions.
- Monitoring access rights granted to each user, including periodic review and validation of access rights.
The enrollment process establishes the user's identity and anticipated business needs for information and systems. Management should identify and evaluate all users, including new employees, IT outsourcing relationships, and contractors. The assignment of access rights is typically performed by the employee's manager and the application or data owners responsible for each accessed resource, with documented approval. The assignment of rights may also be established by the employee's role or group membership, which confers certain user access rights.
Management should have an authorization process to enable the employee's manager and the application or data owners to modify or delete existing user access rights to information and systems. The authorization process should include controls to verify that proper authorizations were granted or removed. Modifications to access rights should occur when an individual's business needs change. Job changes can result in an expansion, reduction, or deletion of needed access rights. Job changes that could trigger a modification or deletion of access rights include transfers, mandatory leave, resignations, and terminations. The institution should promptly review, and modify as needed, access rights for all users who experience job changes, particularly those with privileged access, remote access privileges, and access to customer information.
As part of the user access rights monitoring process, management should perform regular reviews to validate user access. Reviews should test whether access rights continue to be appropriate or whether they should be modified or deleted. Management should review access rights on a schedule commensurate with risk.
Logical user access rights administration also constrains user activities through an acceptable use policy that details permitted system uses, user activities, and the consequences of noncompliance. Management should maintain an acceptable use policy, and employees should be required to acknowledge and agree in writing to the policy. When implemented correctly, an acceptable use policy is a key control for user awareness and administrative policing of system activities. Elements of an acceptable use policy can include the following:
- Specific access devices that can be used to access the network.
- Hardware and software changes the user can make to his or her access device.
- Purpose and scope of network activity.
- Permitted network services.
- Information that can or cannot be transmitted, and authorized transmission methods.
- Bans on attempts to break into accounts, crack passwords, or disrupt service.
- Responsibilities for secure operation.
- Consequences of noncompliance.
Authorization for privileged access should be tightly controlled. Privileged access refers to the ability to override system or application controls, and may include system administrator access. All individuals who are granted privileged access should have the appropriate training commensurate with the risk and complexity of the systems and information they access. Prudent practices for controlling privileged access include the following:
- Identifying each privilege associated with each system resource.
- Implementing a process to allocate privileges on a need-to-use or an event-by-event basis.
- Documenting the granting and extent of privileged access.
- Assigning privileges to a unique user ID apart from the one used for normal business use.
- Prohibiting shared privileged user accounts.
- Logging and independent monitoring of the use of privileged access.
- Reviewing, by an independent party, privileged access rights and allocations at appropriate intervals.
Access rights to new software and hardware present a different problem. Hardware and software are typically shipped with default user accounts, at least one of which has privileged access. Lists of default accounts and passwords are readily available and can enable anyone with access to the system to obtain privileged access. These passwords should be changed, and the accounts should be disabled. Alternatively, if these accounts are not disabled, their use should be monitored closely.
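As an added illustration (not part of the handbook), the following Python script performs the kind of periodic access-rights review described above: it reconciles a system's account export against the HR roster and role entitlements, flagging accounts whose owner has had a job change, rights beyond the owner's role, privileged rights on a daily-use ID, accounts with no individual owner, and enabled vendor default accounts. The roster, roles, and account records are constructed sample data.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional
# Role entitlements and vendor default account names: constructed sample data.
ROLE_ENTITLEMENTS = {"teller": {"core:read"}, "ops_admin": {"core:read", "core:admin"}}
DEFAULT_ACCOUNTS = {"admin", "root", "guest"}
@dataclass(frozen=True)
class Employee:
    emp_id: str
    role: str
    status: str  # "active", "transferred", "leave" or "terminated"

@dataclass(frozen=True)
class Account:
    user_id: str
    owner: Optional[str]        # employee id; None for shared or unowned accounts
    privileges: FrozenSet[str]
    daily_use: bool             # True when this is the owner's normal business login
    enabled: bool = True

def review_access(accounts, roster):
    """Reconcile enabled accounts against the HR roster and role entitlements,
    returning (user_id, finding) pairs for the independent reviewer to act on."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue
        if a.user_id in DEFAULT_ACCOUNTS:  # vendor default still live
            findings.append((a.user_id, "default account enabled"))
            continue
        emp = roster.get(a.owner)
        if emp is None:  # shared or orphaned: no individual accountability
            findings.append((a.user_id, "no individual owner"))
            continue
        if emp.status != "active":  # job change should have triggered a review
            findings.append((a.user_id, "owner " + emp.status))
        excess = a.privileges - ROLE_ENTITLEMENTS.get(emp.role, set())
        if excess:  # more than the role needs: least privilege violated
            findings.append((a.user_id, "exceeds role: " + ",".join(sorted(excess))))
        if a.daily_use and any(p.endswith(":admin") for p in a.privileges):
            findings.append((a.user_id, "privileged rights on daily-use ID"))
    return findings
ROSTER = {e.emp_id: e for e in [Employee("e1", "teller", "active"),
          Employee("e2", "ops_admin", "active"), Employee("e3", "teller", "terminated")]}
ACCOUNTS = [  # constructed account export from the reviewed system
    Account("e1", "e1", frozenset({"core:read", "wire:approve"}), True),
    Account("e2", "e2", frozenset({"core:read", "core:admin"}), True),
    Account("e2-adm", "e2", frozenset({"core:admin"}), False),
    Account("e3", "e3", frozenset({"core:read"}), True),
    Account("admin", None, frozenset({"core:admin"}), False),
    Account("batch", None, frozenset({"core:read"}), False),
]
```

Running `review_access(ACCOUNTS, ROSTER)` on the sample data yields five findings; the separate privileged ID `e2-adm`, which is not used for daily work, produces none.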