5.18 Access rights
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management | #Protection |
Control
Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.
Purpose
To ensure access to information and other associated assets is defined and authorized according to the business requirements.
Guidance
Provision and revocation of access rights
The provisioning process for assigning or revoking physical and logical access rights granted to an entity’s authenticated identity should include:
a) obtaining authorization from the owner of the information and other associated assets for the use of the information and other associated assets (see 5.9). Separate approval for access rights by management can also be appropriate;
b) considering the business requirements and the organization’s topic-specific policy and rules on access control;
c) considering segregation of duties, including segregating the roles of approval and implementation of the access rights and separation of conflicting roles;
d) ensuring access rights are removed when someone does not need to access the information and other associated assets, in particular ensuring access rights of users who have left the organization are removed in a timely fashion;
e) considering giving temporary access rights for a limited time period and revoking them at the expiration date, in particular for temporary personnel or temporary access required by personnel;
f) verifying that the level of access granted is in accordance with the topic-specific policies on access control (see 5.15) and is consistent with other information security requirements such as segregation of duties (see 5.3);
g) ensuring that access rights are activated (e.g. by service providers) only after authorization procedures are successfully completed;
h) maintaining a central record of access rights granted to a user identifier (ID, logical or physical) to access information and other associated assets;
i) modifying access rights of users who have changed roles or jobs;
j) removing or adjusting physical and logical access rights, which can be done by removal, revocation or replacement of keys, authentication information, identification cards or subscriptions;
k) maintaining a record of changes to users’ logical and physical access rights.
Review of access rights
Regular reviews of physical and logical access rights should consider the following:
a) users’ access rights after any change within the same organization (e.g. job change, promotion, demotion) or termination of employment (see 6.1 to 6.5);
b) authorizations for privileged access rights.
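As an added illustration, not part of the standard's text, the Python below reconciles a hypothetical central record of access rights (item h) against an HR roster and flags rights to remove, revoke or re-approve under items d, e and i and the review points above; all names, assets and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed, hypothetical data: a central record of granted access rights
# (item h) and an HR roster. Neither comes from a real system.
@dataclass
class Grant:
    user_id: str
    asset: str
    privileged: bool
    granted_on: date
    expires_on: Optional[date]  # set only for temporary access (item e)

@dataclass
class Person:
    status: str            # "active" or "left"
    role: str
    role_changed_on: date  # date of the most recent job/role change

GRANTS = [
    Grant("u001", "hr-db", False, date(2023, 1, 10), None),
    Grant("u002", "payroll", True, date(2023, 3, 1), None),
    Grant("u003", "build-server", False, date(2024, 5, 1), date(2024, 5, 31)),
    Grant("u004", "crm", False, date(2022, 9, 1), None),
    Grant("u005", "fileshare", False, date(2024, 1, 1), None),  # no roster entry
    Grant("u006", "wiki", False, date(2024, 3, 1), None),
]
ROSTER = {
    "u001": Person("left", "analyst", date(2023, 1, 10)),
    "u002": Person("active", "finance", date(2023, 3, 1)),
    "u003": Person("active", "contractor", date(2024, 5, 1)),
    "u004": Person("active", "sales-lead", date(2024, 2, 1)),  # moved role after grant
    "u006": Person("active", "engineer", date(2024, 3, 1)),
}
REVIEW_DATE = date(2024, 6, 15)  # constructed review date

def review_access(grants, roster, today):
    """Return (user_id, asset, action) triples; rights not listed need no action."""
    findings = []
    for g in grants:
        p = roster.get(g.user_id)
        if p is None:
            findings.append((g.user_id, g.asset, "no roster entry: remove"))
        elif p.status == "left":
            findings.append((g.user_id, g.asset, "user left: remove"))
        elif g.expires_on is not None and g.expires_on < today:
            findings.append((g.user_id, g.asset, "temporary access expired: revoke"))
        elif p.role_changed_on > g.granted_on:
            findings.append((g.user_id, g.asset, "role changed since grant: re-approve"))
        elif g.privileged:
            findings.append((g.user_id, g.asset, "privileged: confirm authorization"))
    return findings
```

Each finding maps to one of the provisioning items; a grant that matches no rule is left for the regular review cycle rather than flagged.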
Consideration before change or termination of employment
A user’s access rights to information and other associated assets should be reviewed and adjusted or removed before any change or termination of employment based on the evaluation of risk factors such as:
a) whether the termination or change is initiated by the user or by management and the reason for termination;
b) the current responsibilities of the user;
c) the value of the assets currently accessible.
Other information
Consideration should be given to establishing user access roles based on business requirements that summarize a number of access rights into typical user access profiles. Access requests and reviews of access rights are more easily managed at the level of such roles than at the level of particular rights.
Consideration should be given to including clauses in personnel contracts and service contracts that specify sanctions if unauthorized access is attempted by personnel (see 5.20, 6.2, 6.4, 6.6).
In cases of management-initiated termination, disgruntled personnel or external party users can deliberately corrupt information or sabotage information processing facilities. In cases of persons resigning or being dismissed, they can be tempted to collect information for future use.
Cloning is an efficient way for organizations to assign access to users. However, it should be done with care based on distinct roles identified by the organization rather than just cloning an identity with all associated access rights. Cloning has an inherent risk of resulting in excessive access rights to information and other associated assets.