Security – ISMS – Access Control

Access Control

Requirements

Access control concerns how access to information and systems are managed, distinct from the policies on who has access. (see earlier topic on Information Management).

Access to information and application system functions should be controlled so only authorised personnel have the ability to use these. The type of access control will vary depending on a range of factors usually influenced by the sensitivity of information.

Policies should be defined for each of the following:

• how access to Systems and Applications is controlled
• the use of credentials such as user identification and passwords
• standards for the use of passwords and other access tokens
• the display of System Control Notices
• using Secure Zones to further restrict information access
• managing access to different Networks and Network Services
• the use and control of Administration Accounts

Policy Explanation

These policies and guidelines are designed to ensure that measures are in place to limit access to those that need it. This includes information stored in a range of areas. Including: applications, storage devices and facilities, systems and networks that make up the company technology environment.
The standard method used to restrict access involves identification and passwords and sometimes additional authentication factors. This involves a range of measures that can include the following:

• secure login procedures
• enforcement of complex passwords
• use of multi-factor authentication
• controls on the display of credentials
• controls on the storage of passwords

These measures are intended to prevent the accidental or unauthorised access to information. This is done by managing access for anyone that may legitimately use the applications and systems. However, the measures should also restrict access to those that are not permitted access to information. In other words, to manage access for those users that are permitted and prevent access by those that are not.

Password usage can often be supplemented by controls on different levels of access, based on the user profile. Role based access control will limit access to information and system functions to particular employee profiles within an organisation. The ‘need to know’ principle. This type of access control is usually managed within the applications themselves in conjunction with more commonly used credential management.

This method can use of a matrix of job/role type. It may also include user departments, groupings of classifications and information sensitivity to segment application functions and menus. The matrix will match information needs to the appropriate level of access for an individual.

Access to Sensitive Information

Sensitive information may come with additional conditions of use from the providers of that data. This may be influenced by government authorities, payment card providers, etc. In addition to user credentials and profiles, you may need to build access controls that restrict where information is accessed. For organisations that store sensitive information, zones of operation may need to be defined to separate users with different access. Access to some information and systems may be permitted only in segregated segments of the network. Or even in special secure zones of the physical office space.

Safeguarding Elevated Privileges

As well as access control for ‘regular’ system users, different access control measures are necessary to manage the elevated privileges for system administrators. This typically involves network administrators and system managers. Stronger access control is required to provide additional restrictions on features involving access to configuration and system management areas. These are usually the privileges that are targeted by attackers seeking to gain access to company technology.