II.C.15(b) Application Access
Sensitive or mission-critical applications should incorporate appropriate access controls that restrict which functions are available to users and other applications. These access controls allow authorized users and other applications to interface with related databases. Some security software programs integrate access control between the operating system and some applications. Such software is useful when applications do not have their own access controls or when the institution uses security software instead of the application's native access controls. Management should understand the functionality and vulnerabilities of the application access control solutions and consider those issues in the risk management process.
Management should implement effective application access controls by doing the following:
- Implementing a robust authenticationStronger authentication and layered security methods, such as the use of tokens, public-key infrastructure-based systems, or out-of-band verification coupled with a robust identity and access management process, can reduce the potential for unauthorized access. method consistent with the criticality and sensitivity of the application.
- Easing the administrative burden of managing application access rights by using group profiles. Managing access rights individually can lead to inconsistent or inappropriate access levels.
- Periodically reviewing and approving the application access assigned to users for appropriateness.
- Communicating and enforcing the responsibilities of programmers, security administrators, and application owners for maintaining effective application access control.
- Setting time-of-day or terminal limitations for some applications or for more sensitive functions within an application.
- Logging access and events, defining alerts for significant events, and developing processes to monitor and respond to anomalies and alerts.
II.C.15(a) Operating System Access
II.C.15(c) Remote Access