Access Control Best Practices

Why is access control important?

Without proper access control, unauthorized users could obtain confidential information and misuse it, and authorized users could fail to follow system instructions to protect the data. To mitigate these threats, the organization should establish access controls that limit access to sensitive systems and information to the minimum necessary level to support organizational service delivery or operations.

What are some access control best practices?

Adequate access control policies and procedures should be implemented for information systems that maintain sensitive information assets in such a way as to allow access only to those personnel that have been granted access rights in accordance with the access control policies and procedures. Logical and physical access control rules and rights for each user or group of users for each application should be taken into consideration. Standard user access profiles (roles) should be clearly defined based on need-to-know, need-to-share, least privileges, and other applicable requirements.

The organization should ensure that redundant or duplicate user IDs are not issued to other users, and that all users are uniquely identified and authenticated for both local and remote access to information systems.

Non-employee users (all information system users other than organizational users, such as patients, customers, contractors, or foreign nationals), or processes acting on behalf of non-organizational users, that are determined to need access to information residing on the organization’s information systems should be uniquely identified and authenticated.

The access control policies and procedures should be communicated to all users, and each user’s identity should be verified prior to granting and establishing user access. Access authorization processes should address requests for access, changes to access, removal of access, and emergency access. These access authorization processes should be segregated among multiple individuals or groups.

Inactive accounts should be removed/disabled. Users and service providers are given a clear statement of controls needed to protect access to data or services and the business requirements around these controls. Users should be given a written statement of their access rights that they are required to sign for and accept.

A role-based approach is used to establish and administer privileged user accounts. Actions are taken when privileged role assignments are no longer appropriate.

Role-based access control is used to establish and administer privileged user accounts, including application-specific privileged user accounts based on the responsibilities associated with the use of each application, and such roles should be monitored.

How should privileged accounts be managed?

Users that are authorized to perform privileged functions should be provided separate accounts for this specific purpose. For instance, security/system administrators should have both a general account and a privileged account issued to them. These accounts should be used only for their respective specific purpose. All users with access to privileged services should be maintained in a single role, and such privileged access should be minimized.

Access to privileged functions and all security-relevant information should be restricted. Authorization to privileged accounts on information systems is limited to a pre-defined subset of users.

Where possible, develop and use programs that avoid the need to run with elevated privileges, and system routines that avoid the need to grant privileges to users. Automated tools should be used to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized by management.

How often should you review privileged accounts?

Privileged accounts (e.g., administrator groups, root accounts, and other system-related accounts) should be reviewed on demand, and at least once every fourteen (14) days to ensure unauthorized accounts have not been created. Privileged user roles associated with applications are inspected every thirty (30) days.

Third-party or vendor access control

Physical or logical access is only given to suppliers for support purposes when necessary, with management approval, and such access is monitored. Employees, contractors, or third-party users that have been terminated or had a change in their employment should have physical and logical access removed or modified within twenty-four (24) hours of notification. In instances of increased risk, this access should be removed or modified immediately.

Emergency access accounts

Automated mechanisms to support the management (provisioning, de-provisioning) of user accounts on systems should be implemented and utilized to include the disabling of emergency accounts within twenty-four (24) hours and temporary accounts with a fixed duration not to exceed 365 days. Access controls should be consistently managed for all systems and applications within a networked or distributed environment based on the classification and risks to the information stored, processed, or transmitted within that environment. Detection mechanisms (manual or automated) should be authorized and implemented for accessing, modifying, and using information systems.
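The account-review rules from the sections above (inventory of administrative accounts validated against management approval, removal of inactive accounts, disabling of emergency accounts within 24 hours, and a fixed duration of at most 365 days for temporary accounts) can be run as an automated check over an account export. The script below is an added example and not part of the original article: the inventory records, the 90-day inactivity threshold, and the account "kind" labels are constructed assumptions, since the article sets no inactivity period and real data would come from a directory or IAM export.

```python
"""Automated account-review checks (added example, not from the article).

Runs the review rules over a constructed account inventory and reports the
accounts that need action.  The inventory format, the account "kind" labels
and the 90-day inactivity threshold are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class Account:
    name: str
    kind: str                     # "standard", "admin", "emergency" or "temporary"
    created: datetime
    last_login: Optional[datetime] = None
    expires: Optional[datetime] = None
    enabled: bool = True


def _ts(*parts: int) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


# Fixed "now" so the run is reproducible (constructed value).
NOW = _ts(2024, 6, 1)

# Management-approved list of administrative accounts (constructed).
APPROVED_ADMINS: Set[str] = {"alice.admin", "bob.admin"}

# Constructed inventory resembling a directory export.
INVENTORY: List[Account] = [
    Account("alice", "standard", _ts(2022, 3, 1), last_login=_ts(2024, 5, 30)),
    Account("alice.admin", "admin", _ts(2022, 3, 1), last_login=_ts(2024, 5, 29)),
    Account("bob.admin", "admin", _ts(2021, 7, 1), last_login=_ts(2024, 1, 1)),
    Account("mallet.admin", "admin", _ts(2024, 5, 30), last_login=_ts(2024, 5, 31)),
    Account("svc-backup", "standard", _ts(2023, 1, 1)),            # never logged in
    Account("dave", "standard", _ts(2020, 1, 1), last_login=_ts(2023, 6, 1), enabled=False),
    Account("breakglass-01", "emergency", _ts(2024, 5, 28)),
    Account("breakglass-02", "emergency", _ts(2024, 5, 31, 20, 0)),
    Account("contractor-temp", "temporary", _ts(2023, 1, 15),
            last_login=_ts(2024, 5, 20), expires=_ts(2024, 6, 30)),
    Account("intern-temp", "temporary", _ts(2024, 5, 1),
            last_login=_ts(2024, 5, 25), expires=_ts(2024, 8, 31)),
]


def unauthorized_admins(accounts: Iterable[Account], approved: Set[str]) -> List[str]:
    """Enabled administrative accounts that management has not approved."""
    return sorted(a.name for a in accounts
                  if a.kind == "admin" and a.enabled and a.name not in approved)


def inactive_accounts(accounts: Iterable[Account], now: datetime,
                      max_idle_days: int = 90) -> List[str]:
    """Enabled accounts with no login inside the idle window.

    An account that has never logged in is measured from its creation date.
    """
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(a.name for a in accounts
                  if a.enabled and (a.last_login or a.created) < cutoff)


def stale_emergency_accounts(accounts: Iterable[Account], now: datetime,
                             max_age: timedelta = timedelta(hours=24)) -> List[str]:
    """Emergency accounts still enabled more than 24 hours after creation."""
    return sorted(a.name for a in accounts
                  if a.kind == "emergency" and a.enabled and now - a.created > max_age)


def overlong_temporary_accounts(accounts: Iterable[Account],
                                max_days: int = 365) -> List[str]:
    """Temporary accounts with no expiry or a fixed duration over 365 days."""
    limit = timedelta(days=max_days)
    return sorted(a.name for a in accounts
                  if a.kind == "temporary" and a.enabled
                  and (a.expires is None or a.expires - a.created > limit))


def review_report(accounts: List[Account], approved: Set[str],
                  now: datetime) -> Dict[str, List[str]]:
    """Collect every finding under the rule it violates."""
    return {
        "unauthorized_admin": unauthorized_admins(accounts, approved),
        "inactive": inactive_accounts(accounts, now),
        "stale_emergency": stale_emergency_accounts(accounts, now),
        "overlong_temporary": overlong_temporary_accounts(accounts),
    }


if __name__ == "__main__":
    for rule, names in review_report(INVENTORY, APPROVED_ADMINS, NOW).items():
        print(f"{rule}: {', '.join(names) or 'none'}")
```

Each finding maps to an action the article already calls for: unapproved administrative accounts are escalated to management, inactive accounts are disabled, stale emergency accounts are disabled, and temporary accounts are re-issued with a fixed expiry. Running the script on a schedule (the article's 14-day privileged review cadence, for instance) turns the review from a manual spot check into a repeatable detection.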

“Business need-to-know” Access

The least amount of access to data should be granted and provided on a “business need-to-know” basis. Management recognizes that the risk exposure varies between different classes of privileges and users assigned to those classes. Where a class of privileges and users in those classes present greater risk exposure, the organization should design and implement correspondingly stronger systems of access controls.

How often should all accounts be reviewed?

Management should be committed to testing and monitoring programs designed to ascertain whether the systems of controls and their component parts are functioning as intended, and whether they afford an acceptable level of protection as time and technology advance. At a minimum, management should review access granting and access control effectiveness on a semi-annual basis.

Controlling Access to Source Code

Access to program source code and associated items will be strictly controlled in order to prevent the introduction of unauthorized functionality and to avoid unintentional changes. Strict requirements will be implemented to control access to program source libraries in order to reduce potential corruption of computer programs.

Controlling the operating system

Finally, systems should be prevented from booting from removable media by disabling removable media booting and configuring BIOS password protection. Systems should boot only from pre-defined system devices containing authorized operating systems.

Access control procedures

Each user is provided access to systems and data on a “business need-to-know” basis. Safeguards, such as role-based access control, context-based access control, mandatory access control, or discretionary access control, will be used as appropriate to control access to sensitive information.

Here’s an example of the access control procedures, step-by-step:

  1. Each user should submit a Systems Access Request Form approved by the user’s supervisor.
  2. Access should be granted by the IT department to specific applications, menus, data, and services as approved on the form.
  3. Human Resources (HR) department should verify that a Statement of Understanding or employee handbook has been signed by each user prior to granting access.
  4. The IT department should ensure that all authentication and authorization systems, and the access control systems for the system components storing, processing, or transmitting sensitive information, enforce a default “deny all” principle for access control. That is, all systems will first deny access until configured to “allow” access based on need-to-know.
  5. The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces, based on the requirements to access critical applications.
  6. File system access should be disabled unless explicitly required by authorized users, who are permitted only the access required to perform their job duties.
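The procedure above combines two enforceable rules: a default “deny all” decision for anything not explicitly granted to a role (step 4), and the earlier requirement that privileged functions live on separately issued accounts. The code below is an added example and not the article's own procedure; the role names, resources, and account names are constructed for illustration.

```python
"""Default-deny role-based access check (added example, not from the article).

Two rules from the procedure are enforced:
  * default deny: an access is allowed only if some role held by the account
    explicitly grants it; unknown users, roles and resources all fall through
    to a refusal;
  * privileged roles attach only to accounts issued for privileged use, which
    keeps a person's general account separate from their admin account.
All names below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]   # (resource, action)


@dataclass
class Role:
    name: str
    permissions: Set[Permission]
    privileged: bool = False


@dataclass
class Account:
    name: str
    privileged: bool = False    # True only for a separately issued admin account
    roles: Set[str] = field(default_factory=set)


ROLES: Dict[str, Role] = {
    "billing_clerk": Role("billing_clerk", {("invoices", "read"), ("invoices", "create")}),
    "billing_admin": Role("billing_admin",
                          {("invoices", "read"), ("invoices", "approve"), ("invoices", "delete")},
                          privileged=True),
    "auditor": Role("auditor", {("invoices", "read"), ("audit_log", "read")}),
}

ACCOUNTS: Dict[str, Account] = {
    "alice": Account("alice", roles={"billing_clerk"}),
    "alice.adm": Account("alice.adm", privileged=True, roles={"billing_admin"}),
    "carol": Account("carol", roles={"auditor"}),
}

# Decision trail, so refusals are visible to the detection mechanisms the
# policy calls for (constructed in-memory log).
ACCESS_LOG: List[str] = []


def grant_role(accounts: Dict[str, Account], roles: Dict[str, Role],
               account_name: str, role_name: str) -> bool:
    """Attach a role to an account; refuse privileged roles on general accounts."""
    account = accounts.get(account_name)
    role = roles.get(role_name)
    if account is None or role is None:
        return False
    if role.privileged and not account.privileged:
        ACCESS_LOG.append(f"REFUSED grant {role_name} to general account {account_name}")
        return False
    account.roles.add(role_name)
    return True


def is_allowed(accounts: Dict[str, Account], roles: Dict[str, Role],
               user: str, resource: str, action: str) -> bool:
    """Default deny: return True only on an explicit role permission."""
    account = accounts.get(user)
    if account is not None:
        for role_name in account.roles:
            role = roles.get(role_name)
            if role is not None and (resource, action) in role.permissions:
                ACCESS_LOG.append(f"ALLOW {user} {action} {resource} via {role_name}")
                return True
    ACCESS_LOG.append(f"DENY {user} {action} {resource}")
    return False


if __name__ == "__main__":
    print(is_allowed(ACCOUNTS, ROLES, "alice", "invoices", "read"))      # True
    print(is_allowed(ACCOUNTS, ROLES, "alice", "invoices", "approve"))   # False
    print(grant_role(ACCOUNTS, ROLES, "alice", "billing_admin"))         # False
    print("\n".join(ACCESS_LOG))
```

Because the check returns `False` on every path except an explicit match, a missing role, a misspelled resource, or a user absent from the account map all produce a denial rather than an accidental grant, which is the behaviour step 4 asks for.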

For more information and details on how we can help, contact us today!
