#iso27002/2022/EN
5.15 Access control
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management | #Protection |
Control
Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements.
Purpose
To ensure authorized access and to prevent unauthorized access to information and other associated assets.
Guidance
Owners of information and other associated assets should determine information security and business requirements related to access control. A topic-specific policy on access control should be defined which takes account of these requirements and should be communicated to all relevant interested parties.
These requirements and the topic-specific policy should consider the following:
a) determining which entities require which type of access to the information and other associated assets;
b) security of applications (see 8.26);
c) physical access, which needs to be supported by appropriate physical entry controls (see 7.2, 7.3, 7.4);
d) information dissemination and authorization (e.g. the need-to-know principle) and information security levels and classification of information (see 5.10, 5.12, 5.13);
e) restrictions to privileged access (see 8.2);
f) segregation of duties (see 5.3);
g) relevant legislation, regulations and any contractual obligations regarding limitation of access to data or services (see 5.31, 5.32, 5.33, 5.34, 8.3);
h) segregation of access control functions (e.g. access request, access authorization, access administration);
i) formal authorization of access requests (see 5.16, 5.18);
j) the management of access rights (see 5.18);
k) logging (see 8.15).
Access control rules should be implemented by defining and mapping appropriate access rights and restrictions to the relevant entities (see 5.16). An entity can represent a human user as well as a technical or logical item (e.g. a machine, device or a service). To simplify access control management, specific roles can be assigned to entity groups.
The following should be taken into account when defining and implementing access control rules:
a) consistency between the access rights and information classification;
b) consistency between the access rights and the physical perimeter security needs and requirements;
c) considering all types of available connections in distributed environments so entities are only provided with access to information and other associated assets, including networks and network services, that they are authorized to use;
d) considering how elements or factors relevant to dynamic access control can be reflected.
Other information
There are often overarching principles used in the context of access control. Two of the most frequently used principles are:
a) need-to-know: an entity is only granted access to the information which that entity requires in order to perform its tasks (different tasks or roles mean different need-to-know information and hence different access profiles);
b) need-to-use: an entity is only assigned access to information technology infrastructure where a clear need is present.
Care should be taken when specifying access control rules to consider:
a) establishing rules based on the premise of least privilege, “Everything is generally forbidden unless expressly permitted”, rather than the weaker rule, “Everything is generally permitted unless expressly forbidden”;
b) changes in information labels (see 5.13) that are initiated automatically by information processing facilities and those initiated at the discretion of a user;
c) changes in user permissions that are initiated automatically by the information system and those initiated by an administrator;
d) when to define and regularly review the approval.
Access control rules should be supported by documented procedures (see 5.16, 5.17, 5.18, 8.2, 8.3, 8.4, 8.5, 8.18) and defined responsibilities (see 5.2, 5.17).
There are several ways to implement access control, such as MAC (mandatory access control), DAC (discretionary access control), RBAC (role-based access control) and ABAC (attribute-based access control).
Access control rules can also contain dynamic elements (e.g. a function that evaluates past accesses or specific environment values). Access control rules can be implemented in different granularity, ranging from covering whole networks or systems to specific data fields and can also consider properties such as user location or the type of network connection that is used for access. These principles and how granular access control is defined can have a significant cost impact. Stronger rules and more granularity typically lead to higher cost. Business requirements and risk considerations should be used to define which access control rules are applied and which granularity is required.
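The following is an added illustration, not part of the standard's text: a small attribute-based policy evaluator combining a role element (RBAC), a classification check (need-to-know) and an environment attribute (network used for access, a dynamic element), evaluated under the default-deny posture recommended above and under the weaker default-allow posture. The roles, classification labels, network values and sample requests are constructed for the example.

```python
"""Attribute-based policy evaluator contrasting default-deny with default-allow.
Roles, labels and network values below are constructed examples, not values from the standard."""

# Constructed classification ordering, lowest to highest.
LEVEL = {"public": 0, "internal": 1, "confidential": 2}


def _cleared(req):
    """Need-to-know check: the entity's clearance must cover the resource label."""
    return LEVEL[req["clearance"]] >= LEVEL[req["classification"]]


# Permit rules: each one states a single explicit business need.
PERMIT_RULES = [
    # Members of the owning team may read data their clearance covers.
    lambda r: r["action"] == "read" and r["role"] == r["owner_role"] and _cleared(r),
    # Writes add a dynamic/environment condition: only from the corporate network.
    lambda r: r["action"] == "write" and r["role"] == r["owner_role"]
    and _cleared(r) and r["network"] == "corporate",
]

# Deny rules: under default-allow these are the only thing that blocks anything.
DENY_RULES = [
    # Writes from an external network are explicitly forbidden regardless of role.
    lambda r: r["network"] == "external" and r["action"] == "write",
]


def decide(req, default_deny=True):
    """Return 'allow' or 'deny' for one access request.
    default_deny=True : forbidden unless a permit rule matches and no deny rule does.
    default_deny=False: permitted unless a deny rule matches (the weaker posture)."""
    if any(rule(req) for rule in DENY_RULES):
        return "deny"
    if default_deny:
        return "allow" if any(rule(req) for rule in PERMIT_RULES) else "deny"
    return "allow"


# Constructed sample requests.
OWNER_READ = {"role": "finance", "owner_role": "finance", "clearance": "confidential",
              "classification": "confidential", "network": "corporate", "action": "read"}
# A case nobody wrote a rule for: a non-owner reading confidential data from outside.
UNFORESEEN = {"role": "marketing", "owner_role": "finance", "clearance": "internal",
              "classification": "confidential", "network": "external", "action": "read"}

if __name__ == "__main__":
    for name, r in [("owner read", OWNER_READ), ("unforeseen", UNFORESEEN)]:
        print(f"{name}: default-deny={decide(r)}, default-allow={decide(r, default_deny=False)}")
```

The unforeseen request is refused only under default-deny; under default-allow it slips through because no one anticipated it when writing deny rules.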