Access control (ISO)
Business requirements for access control
The objective of this category is to control access to information,
information processing facilities, and business processes.
Access control policy • An access control
policy should be established, documented and periodically
reviewed, based on business needs and external requirements.
Access control policy and associated controls should take
account of:
- security issues for particular data systems,
given business needs, anticipated threats and vulnerabilities;
- security issues for particular types of data, given
business needs, anticipated threats and vulnerabilities;
- all relevant legislative, regulatory and certificatory
requirements;
- relevant contractual obligations or service level agreements;
- other organizational policies for information access,
use and disclosure; and
- consistency among such policies across the organization's
systems and networks;
Access control policies include:
- clearly stated rules and rights based on user profiles;
- consistent management of access rights across a distributed/networked
environment;
- an appropriate mix of logical (technical) and physical
access controls;
- segregation of access control roles -- e.g., access request,
access authorization, access administration;
- requirements for formal authorization of access requests
("provisioning"); and
- requirements for authorization and timely removal of access
rights ("de-provisioning").
Authorities: ISO-27002:2005 11.1.1.; HIPAA
164.308(a)(4)(ii)(B-C);
User access management
This category aims to ensure authorized user access, and
prevent unauthorized access, to information and information
systems. Includes:
- formal procedures to control the allocation of access
rights;
- procedures cover all stages in the life-cycle of user
access, from provisioning to de-provisioning;
- special attention to control of privileged ("super-user")
access rights; and
- appropriate technical measures for identification and
authentication to ensure compliance with defined access
rights.
Authorities: HIPAA
164.312(d)
User registration • Formal user
registration and de-registration procedures should be implemented, for
granting and revoking access to all information systems and
services. Control includes:
- assignment of unique user-IDs to each user;
- documentation of approval from data system owner for each
user's access;
- confirmation by supervisor or other personnel that each
user's access is consistent with business purposes and other
security policy controls (e.g., segregation of duties);
- giving each user a written statement of their access rights
and responsibilities;
- requiring users to sign statements indicating they understand
the conditions of access (see also "terms and conditions
of employment" and "confidentiality agreements" policies);
- ensuring service providers do not grant access until all
authorization procedures are completed;
- maintaining a current record of all users authorized to
use a particular system or service;
- immediately changing/eliminating access rights for users
who have changed roles or left the organization;
- checking for and removing redundant or apparently unused
user-IDs.
Authorities: ISO-27002:2005 11.2.1.; HIPAA
164.308(a)(4)(ii)(B-C); HIPAA
164.312(a)(2)(i); PCI-DSS 8;
Privilege management • Allocation and
use of access privileges should be restricted and controlled.
Control includes:
- development of privilege profiles for each system, based
on intersection of user profiles and system resources;
- granting of privileges based on these standard profiles
when possible;
- a formal authorization process for all privileges;
- maintaining a current record of privileges granted;
Authorities: ISO-27002:2005 11.2.2.; HIPAA
164.308(a)(4)(ii)(B-C);
User password management • Allocation
of passwords should be controlled through a formal management
process. Control includes:
- requiring users to sign a statement indicating they will
keep their individual passwords confidential and, if applicable,
any group passwords solely within the group;
- secure methods for creating and distributing temporary,
initial-use passwords;
- forcing users to change any temporary, initial-use password;
- development of procedures to verify a user's identity
prior to providing a replacement password ("password reset");
- prohibiting "loaning" of passwords;
- prohibiting storage of passwords on computer systems in
unprotected form; and
- prohibiting use of default vendor passwords, where applicable.
Authorities: ISO-27002:2005 11.2.3.
User access token management •
Allocation of access tokens, such as key-cards, should
be controlled through a formal management process. Control
includes:
- requiring users to sign a statement indicating they will
keep their access tokens secure;
- secure methods for creating and distributing tokens;
- use of two-factor tokens (token plus PIN) where appropriate
and technically feasible;
- development of procedures to verify a user's identity
prior to providing a replacement token; and
- prohibiting "loaning" of tokens.
Authorities: ISO-27002:2005 11.2.3. (adapted)
Review of user access rights • Each
user's access rights should be periodically reviewed using
a formal process. Control includes:
- review at regular intervals, and after any status change
(promotion, demotion, transfer, termination);
- more frequent review of privileged ("super user") access
rights;
Authorities: ISO-27002:2005 11.2.4.; HIPAA
164.308(a)(4)(ii)(B-C);
User responsibilities
This category aims to prevent unauthorized access to, and
compromise or theft of, information and information systems.
It includes user awareness of:
- responsibilities for maintaining authentication security,
particularly regarding password and token safety
- responsibilities for securing computers and other
office equipment.
Password use • Users should follow
good security practices in the selection and use of passwords.
Control includes advising/requiring users to:
- keep passwords confidential and not "share" them;
- avoid keeping a paper or electronic record of passwords,
unless this can be done securely;
- change a password when there is any suspicion that it
has been compromised, and report the suspicion;
- select "strong" passwords that are resistant to dictionary,
brute force or other standard attacks;
- change passwords periodically;
- change a temporary password on first log-on;
- avoid storing passwords in automated log-on processes;
- not use the same password for business and non-business
purposes;
- use the same password for multiple systems/services only
where a reasonable level of security can
be assured for each.
Authorities: ISO-27002:2005 11.3.1.; HIPAA
164.308(a)(5);
Access token use • Users should
follow good security practices in the use of tokens.
Control includes advising/requiring users to:
- keep tokens secure and not "share" them;
- avoid keeping a paper or electronic record of PIN associated
with a two-factor token; and
- report when a token is lost or there is any suspicion
that it has been compromised.
Authorities: ISO-27002:2005 11.3.1. (adapted)
Monitoring of activity history
• Users should monitor password/token activity history
where available. Control includes advising/requiring
users to:
- observe and report discrepancies in "last successful
login" and "last unsuccessful login" information, when
it is available; and
- observe and report discrepancies in date/time information
for all other activities which have timestamps, such as
file accesses or modifications.
Authorities: HIPAA
164.308(a)(5);
Appropriate use of user equipment
• Users should observe appropriate physical and technical
practices with respect to the equipment assigned to them.
Control includes:
- requirement to limit use to performing appropriate
functions in an appropriate manner;
- user training in appropriate functions and use; and
- monitoring of user behavior through appropriate technical
means.
Authorities: HIPAA
164.310(b)
Unattended user equipment • Users should
ensure that unattended computing equipment has appropriate
protection. Unattended equipment controls include:
- terminating active (logged-in) sessions before a device
is left unattended, unless it can be securely "locked"
(e.g., with a password-protected screensaver);
- physically securing devices, or the area in which a device
is located, with a key-lock or equivalent if a device
will be unattended.
Authorities: ISO-27002:2005 11.3.2.
"Clear desk - clear screen" policy •
Users should ensure that desks and other work areas are
kept cleared of papers and any storage media when unattended.
Computer screens should be kept clear of sensitive information
when unattended.
Authorities: ISO-27002:2005 11.3.3.
"Clear equipment" policy •
Photocopiers, fax machines and other office equipment should
be kept cleared of papers and any storage media when unattended.
Authorities: ISO-27002:2005 11.3.3.
Network access control
Control objective: To prevent unauthorized
access to network services.
Policy on use of network services •
Users should only be provided with access to the services
that they have been specifically authorized to use.
Control includes:
- authorization procedures for determining who is allowed
to access which networks and network services, consistent
with other access rights; and
- policies on deployment of technical controls to limit
network connections.
Authorities: ISO-27002:2005 11.4.1.
User authentication for external connections
• Appropriate authentication methods should be used to
control remote access to the network.
Authorities: ISO-27002:2005 11.4.2.
Equipment/location identification in networks •
Where appropriate and technically feasible, access to the
network should be limited to identified devices or locations.
Authorities: ISO-27002:2005 11.4.3.
Remote diagnostic and configuration port protection
• Physical and logical access to diagnostic and configuration
ports should be appropriately controlled. Control includes:
- physical security for on-site diagnostic and configuration
ports;
- technical security for remote diagnostic and configuration
ports; and
- disabling/removing ports, services and similar facilities
which are not required for business functionality.
Authorities: ISO-27002:2005 11.4.4.
Segregation in networks • Where appropriate
and technically feasible, groups of information services,
users and information systems should be segregated on networks.
Control includes:
- separation into logical domains, each protected by a defined
security perimeter; and
- secure gateways between/among logical domains.
Authorities: ISO-27002:2005 11.4.5.
Network connection control • Capabilities
of users to connect to the network should be appropriately
restricted, consistent with access control policies and applications
requirements. Control includes:
- filtering by connection type (e.g., messaging,
email, file transfer, interactive access, applications access).
Authorities: ISO-27002:2005 11.4.6.
Network routing control • Routing
controls should be implemented to ensure that computer connections
and information flows do not breach the access control policy
of the business applications. Control includes:
- positive source and destination address checking; and
- routing limitations based on the access control policy.
Authorities: ISO-27002:2005 11.4.7.
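Added example (not part of the original page or of ISO 27002) illustrating the "Segregation in networks" and "Network routing control" entries above as a gateway decision function in Python. Logical domains are modelled as address ranges, each reachable through one gateway interface, and "positive source and destination address checking" is implemented as two default-deny tests: the source address must belong to the domain attached to the interface the packet arrived on (otherwise it is treated as spoofed), and the (source domain, destination domain, port) triple must appear on an explicit allow list. The topology, interface names, address ranges and permitted flows are constructed sample data, not a real deployment.

```python
"""Positive source/destination checking at a gateway between logical domains.

Added example with constructed sample data; domain names, interfaces and
address ranges are illustrative assumptions, not taken from the page.
"""
import ipaddress
from typing import Optional

# Logical domains (ISO 27002:2005 11.4.5), each a defined security perimeter.
DOMAINS = {
    "user_lan": ipaddress.ip_network("10.10.0.0/16"),
    "app_tier": ipaddress.ip_network("10.20.0.0/24"),
    "db_tier":  ipaddress.ip_network("10.30.0.0/24"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),   # everything not internal
}

# Gateway interface -> the only domain whose traffic may legitimately arrive on it.
INGRESS = {
    "eth_user": "user_lan",
    "eth_app": "app_tier",
    "eth_db": "db_tier",
    "eth_wan": "internet",
}

# Positive list of permitted flows: (source domain, destination domain, TCP port).
# Anything not listed here is dropped (default deny), so users cannot reach the
# database tier directly and the internet can only reach the application tier.
ALLOWED_FLOWS = {
    ("user_lan", "app_tier", 443),
    ("internet", "app_tier", 443),
    ("app_tier", "db_tier", 5432),
}


def classify(addr: str) -> Optional[str]:
    """Return the most specific domain containing addr, or None if unparsable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    best = None
    for name, net in DOMAINS.items():
        # ip in net is False across address families, so an IPv6 source is "None".
        if ip in net and (best is None or net.prefixlen > DOMAINS[best].prefixlen):
            best = name
    return best


def routing_decision(ingress_if: str, src: str, dst: str, dport: int) -> str:
    """Decide whether a packet is forwarded across the gateway.

    1. Positive source check: the source address must belong to the domain
       attached to the ingress interface; otherwise it is treated as spoofed.
    2. Positive flow check: (source domain, destination domain, port) must be
       on the allow list; otherwise the access control policy denies it.
    """
    src_domain, dst_domain = classify(src), classify(dst)
    if src_domain is None or dst_domain is None or ingress_if not in INGRESS:
        return "drop:invalid"
    if src_domain != INGRESS[ingress_if]:
        return "drop:spoofed-source"
    if (src_domain, dst_domain, dport) not in ALLOWED_FLOWS:
        return "drop:policy"
    return "forward"


if __name__ == "__main__":
    samples = [
        ("eth_user", "10.10.5.5", "10.20.0.10", 443),      # user -> app: permitted
        ("eth_user", "10.10.5.5", "10.30.0.10", 5432),     # user -> db: policy deny
        ("eth_wan", "10.10.5.5", "10.20.0.10", 443),       # internal source from WAN: spoofed
        ("eth_wan", "203.0.113.7", "10.20.0.10", 443),     # internet -> app: permitted
    ]
    for pkt in samples:
        print(pkt, "->", routing_decision(*pkt))
```

The order of the two checks matters: a spoofed packet must be rejected on its source alone, before the flow list is consulted, so that an attacker on the WAN side cannot borrow an internal address to match a permitted internal flow.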
Operating system access control
Control objective: To prevent unauthorized
access to operating systems, and the data and services
thereof.
Controls should be implemented to restrict data system
access to authorized users, by requiring authentication
of authorized users in accordance with the defined access
control policy. Controls include:
- providing mechanisms for authentication by knowledge-,
token- and/or biometric-factor methods as appropriate;
- recording successful and failed system authentication
attempts;
- recording the use of special system privileges; and
- issuing alarms when access security controls
are breached.
Secure log-on procedures • Access to data
systems should be controlled by secure log-on procedures.
Control includes:
- display of a general notice warning about authorized and
unauthorized use;
- no display of system or application identifiers until
successful log-on;
- no display of help messages prior to successful log-on
that could aid an unauthorized user;
- validation or rejection of log-on only on completion
of all input data (e.g., both user-ID and password);
- no display of passwords as entered (e.g., hide with symbols);
- no transmission of passwords in clear text;
- limits on the number of unsuccessful log-on attempts
in total or for a given time period;
- logging of successful and unsuccessful log-on attempts;
- limits on the maximum and minimum time for a log-on
attempt; and
- on successful log-on, display date/time of last successful
log-on and any unsuccessful attempts;
Authorities: ISO-27002:2005 11.5.1.
User identification and authentication •
All data system users should have a unique identifier ("user-ID")
for their personal use only. A suitable authentication
technique -- knowledge-, token- and/or biometric-based --
should be chosen to authenticate the user. Control includes:
- shared user-IDs are employed only in exceptional
circumstances, where there is a clear justification;
- generic user-IDs (e.g., "guest") are employed
only where no individual-user audit is required and
limited access privileges otherwise justify the practice;
- strength of the identification and authentication method
(e.g., use of multiple authentication factors) are
suitable to the sensitivity of the information being
accessed; and
- regular user activities are not performed from privileged
accounts.
Authorities: ISO-27002:2005 11.5.2.
Password management system • Systems
for managing passwords should ensure the quality of this authentication
method. Control includes:
- log-on methods enforce use of individual user-IDs and
associated passwords;
- set/change password methods enforce choice of strong passwords;
- force change of temporary password on first log-on;
- enforce password change thereafter at reasonable intervals;
- store passwords separately from application data; and
- store passwords only in protected form (a salted,
iterated one-way hash; never clear text or reversible
encryption) and transmit them only over encrypted channels.
Authorities: ISO-27002:2005 11.5.3.
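Added example (not part of the original page or of ISO 27002) combining the "Secure log-on procedures" and "Password management system" controls above in one small Python authentication service. It shows unique user-IDs, salted and iterated one-way hashing of stored passwords (PBKDF2-HMAC-SHA256 from the standard library), a single generic failure message returned only after both user-ID and password have been supplied, equal-cost handling of unknown user-IDs, lockout after a defined number of unsuccessful attempts, logging of every attempt, a forced change of temporary passwords, and the last successful/unsuccessful log-on information returned on success. The class and function names, the policy constants and the sample user are illustrative assumptions; the in-memory dictionary stands in for a real credential store.

```python
"""Secure log-on and password management controls in one small service.

Added example; names, policy values and the sample account are assumptions.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Policy values (illustrative; take them from the access control policy).
PBKDF2_ITERATIONS = 100_000   # raise until one hash costs ~0.1 s on the target hardware
MAX_FAILURES = 5              # unsuccessful attempts before lockout
LOCKOUT_SECONDS = 15 * 60     # lockout duration
MIN_PASSWORD_LENGTH = 12
SALT_BYTES = 16
_DUMMY_SALT = b"\x00" * SALT_BYTES
_GENERIC_FAILURE = {"ok": False, "reason": "invalid credentials"}


@dataclass
class Account:
    user_id: str                        # unique, personal user-ID
    salt: bytes
    digest: bytes                       # PBKDF2 output; the password itself is never stored
    must_change: bool = False           # True while a temporary, initial-use password is active
    failures: int = 0                   # consecutive failures since the last success
    locked_until: float = 0.0
    last_success: Optional[float] = None
    last_failure: Optional[float] = None


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated one-way hash: the only form in which a password is kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def strong_enough(password: str) -> bool:
    """Minimal strength rule: minimum length plus at least two character classes."""
    classes = sum(any(f(c) for c in password) for f in (str.islower, str.isupper, str.isdigit))
    classes += any(not c.isalnum() for c in password)
    return len(password) >= MIN_PASSWORD_LENGTH and classes >= 2


@dataclass
class AuthService:
    accounts: Dict[str, Account] = field(default_factory=dict)
    log: List[Tuple[float, str, str]] = field(default_factory=list)   # (time, user-ID, outcome)
    clock: Callable[[], float] = time.time                             # injectable for tests

    def create_user(self, user_id: str, temp_password: str) -> None:
        """Register a unique user-ID with a temporary password that must be changed on first log-on."""
        if user_id in self.accounts:
            raise ValueError("user-IDs must be unique")
        salt = os.urandom(SALT_BYTES)
        self.accounts[user_id] = Account(user_id, salt, derive(temp_password, salt), must_change=True)

    def login(self, user_id: str, password: str) -> dict:
        """Validate only once both fields are present; every failure looks the same to the caller."""
        now = self.clock()
        acct = self.accounts.get(user_id)
        if acct is None:
            derive(password, _DUMMY_SALT)   # same cost as a real check: no user enumeration by timing
            self.log.append((now, user_id, "FAIL"))
            return dict(_GENERIC_FAILURE)
        if now < acct.locked_until:
            self.log.append((now, user_id, "FAIL-LOCKED"))
            return dict(_GENERIC_FAILURE)
        if hmac.compare_digest(derive(password, acct.salt), acct.digest):
            result = {"ok": True, "must_change": acct.must_change,
                      "last_success": acct.last_success,           # shown to the user after log-on
                      "failures_since": acct.failures, "last_failure": acct.last_failure}
            acct.failures, acct.last_success = 0, now
            self.log.append((now, user_id, "OK"))
            return result
        acct.failures += 1
        acct.last_failure = now
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
        self.log.append((now, user_id, "FAIL"))
        return dict(_GENERIC_FAILURE)

    def change_password(self, user_id: str, old: str, new: str) -> bool:
        """Re-verify the old password, enforce strength, re-salt, and clear the temporary flag."""
        acct = self.accounts.get(user_id)
        if acct is None or not hmac.compare_digest(derive(old, acct.salt), acct.digest):
            return False
        if new == old or not strong_enough(new):
            return False
        acct.salt = os.urandom(SALT_BYTES)
        acct.digest = derive(new, acct.salt)
        acct.must_change = False
        return True


if __name__ == "__main__":
    svc = AuthService()
    svc.create_user("alice", "Temp-Pass-2024!")           # constructed sample account
    print(svc.login("alice", "wrong"))                     # generic failure
    print(svc.login("alice", "Temp-Pass-2024!"))           # ok, must_change=True, failures_since=1
    print(svc.change_password("alice", "Temp-Pass-2024!", "Correct-Horse-Battery-9"))
```

The caller is expected to act on the returned fields: refuse to proceed while must_change is set, and present last_success, failures_since and last_failure so the user can report discrepancies. The clock is injected so the lockout window can be exercised in tests without waiting; in a deployment the log would be written to a protected store rather than kept in memory.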
Access token management system
• Systems for managing access tokens should
ensure the quality of this authentication method.
Authorities: ISO-27002:2005 11.5.3. (adapted)
Use of system utilities • Use
of system utilities that are capable of overriding other controls
should be restricted, and appropriately monitored (e.g., by
special event logging processes).
Authorities: ISO-27002:2005 11.5.4.
Session time-out • Interactive
sessions should shut down and "lock out" the user after a
defined period of inactivity. Resumption of the
interactive session should require re-authentication.
Control includes:
- time-out periods that reflect risks associated
with type of user, setting of use and sensitivity of
the applications and data being accessed;
- waiver or relaxation of time-out requirement when it is
incompatible with a business process, provided other steps
are taken to reduce vulnerabilities (e.g., removal
of sensitive data, removal of network connection capabilities).
Authorities: ISO-27002:2005 11.5.5.; PCI-DSS:2005 8.5.15.;
HIPAA
164.312(a)(2)(iii); JCAHO-IM.2.20.
Notes: PCI-DSS specifies 15-minute timeout.
Limitation of connection time • Restrictions
on connection times should be used to provide additional security
for high-risk applications or remote communications capabilities.
Control includes:
- restricting connection time (e.g., to normal office hours);
- restricting connection locations (e.g., to IP address
ranges); and
- requiring re-authentication at timed intervals.
Authorities: ISO-27002:2005 11.5.6.
Application and information access control
This category aims to prevent unauthorized access to information held
in application systems.
Information access restriction • Access
to information and application system functions by users and
support personnel should be restricted in accordance with
a defined access control policy that is consistent with the
organizational access policy.
Authorities: ISO-27002:2005 11.6.1. and 11.1.1.
Sensitive system isolation • Sensitive
systems should have a dedicated (isolated) computing environment.
Control includes:
- explicit identification and documentation of sensitivity
by each system/application controller; and
- explicit identification and acceptance of risks when a
shared facilities and/or resources must be used.
Authorities: ISO-27002:2005 11.6.2.
Mobile computing and teleworking
This category aims to ensure information security when using
mobile computing and teleworking facilities.
Controls should be implemented that are commensurate with
the:
- type of user(s);
- setting(s) of mobile/teleworking use; and
- sensitivity of the applications and data being accessed
from mobile/teleworking settings.
Mobile computing and communications •
A formal policy should be implemented, and appropriate security
measures adopted, for mobile computing and communications
activities. Controls should apply to laptop, notebook,
and palmtop computers; mobile phones and "smart" phone-PDAs;
and portable storage devices and media. Controls include
requirements for:
- physical protection;
- data storage minimization;
- access controls;
- cryptographic techniques;
- data backups;
- anti-virus and other protective software;
- operating system and other software updating;
- secure communication (e.g., VPN) for remote access; and
- sanitization prior to transfer or disposal.
Authorities: ISO-27002:2005 11.7.1.; HIPAA
164.310(b-c); HIPAA
164.310(d)(1)
Teleworking • A formal
policy should be implemented, and appropriate security
measures adopted, for "teleworking" activities in off-premises
locations. Control includes:
- physical security measures at the off-premises
site;
- appropriate access controls, given reasonably anticipated threats
from other users at the site (e.g., family members);
- cryptographic techniques for data storage at and communications
to/from the site;
- data backup processes and security measures for those
backup copies;
- security measures for wired and wireless network configurations
at the site;
- policies regarding intellectual property used or created
at the site, including software licensing;
- policies regarding organizational property used at the
site (e.g., organizations' computing hardware);
- policies regarding private property used at the site (e.g.,
teleworkers' computing hardware); and
- insurance coverage or other specification of financial
responsibility for equipment repair or replacement.
Authorities: ISO-27002:2005 11.7.2.; HIPAA
164.310(a)(1); HIPAA
164.310(b-c); HIPAA
164.310(d)(1)
Last modified:
24-Jul-2006
[RC]