An access control policy should be established, documented and periodically reviewed, based on business needs and external requirements.
Access control policy and associated controls should take account of:
– Security issues for particular data systems and information processing facilities, given business needs, anticipated threats and vulnerabilities;
– Security issues for particular types of data, given business needs, anticipated threats and vulnerabilities;
– Relevant legislative, regulatory and certification requirements;
– Relevant contractual obligations or service level agreements;
– Other organizational policies for information access, use and disclosure; and
– Consistency among such policies across systems and networks.
Access control policies generally should include:
– Clearly stated rules and rights based on user profiles;
– Consistent management of access rights across a distributed/networked environment;
– An appropriate mix of administrative, technical and physical access controls;
– Administrative segregation of access control roles, e.g., access request, access authorization, access administration;
– Requirements for formal authorization of access requests; and
– Requirements for authorization and timely removal of access rights (“de-provisioning”).
The following procedure guide would allow the Ken 7 Windows Limited IT department to manage access control changes consistently.

Policy: Ken 7 Windows Limited has chosen to adopt the Access Control principles established in the Access Control (AC) control family of NIST SP 800-53 as the official policy for this domain. The following subsections outline the Access Control standards that constitute Ken 7 Windows Limited policy. Each Ken 7 Windows Limited Business System is bound to this policy and must develop or adhere to a program plan that demonstrates compliance with the policy and the standards documented below.
Access Control Procedures: All Ken 7 Windows Limited Business Systems must develop, adopt or adhere to a formal, documented access control procedure that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

Account Management: All Ken 7 Windows Limited Business Systems must:
– Identify account types (i.e., individual, group, system, application, guest/anonymous, and temporary).
– Establish conditions for group membership.
– Identify authorized users of the information asset and specify their access privileges.
– Require appropriate approvals for requests to establish accounts.
– Establish, activate, modify, disable, and remove accounts.
– Specifically authorize and monitor the use of guest/anonymous and temporary accounts.
– Notify account managers when temporary accounts are no longer required, when information asset users are terminated or transferred, or when information asset usage or need-to-know/need-to-share changes.
– Deactivate temporary accounts that are no longer required and the accounts of terminated or transferred users.
– Grant access to the system based on (1) a valid access authorization, (2) intended system usage, and (3) other attributes as required by the organization or associated missions/business functions.
– Review accounts periodically, at least annually.

Access Enforcement: All Ken 7 Windows Limited Business Systems must enforce approved authorizations for logical access to the system in accordance with applicable policy.
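The Account Management bullets above can be turned into a scheduled job rather than a manual checklist. The following PowerShell script is an added example written for this guide; it is not part of the Ken 7 Windows Limited policy text or of NIST SP 800-53. It assumes an Active Directory domain with the ActiveDirectory RSAT module installed, an operator with rights to disable accounts, temporary accounts that carry an AccountExpirationDate, and a hypothetical inactivity threshold ($InactiveDays) chosen by the organization. It disables expired temporary accounts, flags accounts that look like missed de-provisioning, reports an enabled built-in Guest account, and writes the CSV that the periodic account review signs off on.

```powershell
# Added example, not part of the Ken 7 Windows Limited policy text: implements the
# Account Management bullets against Active Directory.
# Assumptions (hypothetical): the ActiveDirectory RSAT module is installed, the
# caller may disable accounts, temporary accounts carry an AccountExpirationDate,
# and $InactiveDays is the organization's threshold for a missed de-provisioning.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$InactiveDays = 90,
    [string]$ReviewReport = (Join-Path $env:TEMP 'ken7-account-review.csv')
)

Import-Module ActiveDirectory
$now    = Get-Date
$cutoff = $now.AddDays(-$InactiveDays)
$stamp  = $now.ToString('s')

# 1. Temporary accounts whose expiry date has passed but that are still enabled.
#    An expired account is refused at logon, but leaving it enabled invites someone
#    to "fix" it by clearing the date. Disable it explicitly and record why.
Search-ADAccount -AccountExpired -UsersOnly | Where-Object Enabled | ForEach-Object {
    if ($PSCmdlet.ShouldProcess($_.SamAccountName, 'Disable expired temporary account')) {
        Disable-ADAccount -Identity $_.DistinguishedName
        Set-ADUser -Identity $_.DistinguishedName -Description "Disabled $stamp - temporary account expired"
    }
}

# 2. Enabled accounts with no logon inside the threshold: the usual signature of a
#    terminated or transferred user whose de-provisioning was missed. Flag rather than
#    disable automatically, because service and shared accounts also look inactive.
$inactive = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object Enabled
foreach ($acct in $inactive) {
    $last = if ($acct.LastLogonDate) { $acct.LastLogonDate } else { 'never' }
    Write-Warning ("{0}: no logon since {1}; confirm with the account manager and disable" -f $acct.SamAccountName, $last)
}

# 3. Guest/anonymous accounts must be specifically authorized: report the built-in
#    Guest account if anyone has enabled it.
Get-ADUser -Filter "SamAccountName -eq 'Guest'" | Where-Object Enabled | ForEach-Object {
    Write-Warning 'Built-in Guest account is enabled; it needs explicit authorization or must be disabled'
}

# 4. Periodic (at least annual) review: one row per enabled user with what a reviewer
#    needs (owner, last logon, expiry, group memberships) and a flag for rows that need
#    attention. Export to CSV for the account managers to sign off.
$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, AccountExpirationDate, Manager, MemberOf, whenCreated |
    Select-Object SamAccountName, Name, whenCreated, LastLogonDate, AccountExpirationDate,
        @{ n = 'Manager'; e = { if ($_.Manager) { (Get-ADUser -Identity $_.Manager).SamAccountName } } },
        @{ n = 'Groups';  e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } },
        @{ n = 'Flag';    e = {
            if (-not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) { 'INACTIVE' }
            elseif (-not $_.Manager) { 'NO-OWNER' }
            else { '' } } }
$report | Export-Csv -Path $ReviewReport -NoTypeInformation
Write-Host ("Review report for {0} accounts written to {1}" -f $report.Count, $ReviewReport)
```

Run it first with -WhatIf to see which expired accounts would be disabled without changing anything, then schedule it without -WhatIf. The review CSV is what the "review accounts at least annually" bullet produces as evidence; the NO-OWNER flag matters because an account with no manager has nobody to answer the "is this still needed" question when a user is transferred.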
Information Flow Enforcement: All Ken 7 Windows Limited Business Systems must enforce approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.

Separation of Duties: All Ken 7 Windows Limited Business Systems must:
– Separate the duties of individuals as necessary to prevent malevolent activity without collusion.
– Document the separation of duties.
– Implement separation of duties through assigned information asset access authorizations.
Least Privilege: All Ken 7 Windows Limited Business Systems must employ the concept of least privilege, allowing only those authorized accesses for users (and processes acting on behalf of users) that are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

System Use Notification: All Ken 7 Windows Limited Business Systems must:
– Display an approved system use notification message or banner before granting access to the system, providing privacy and security notices consistent with regulations, standards, and policies.
– Retain the notification message or banner on the screen until users take explicit action to log on to or further access the information asset.

Concurrent Session Control: All Ken 7 Windows Limited Business Systems must limit the number of concurrent sessions for each system account to ten for information assets.

Session Lock: All Ken 7 Windows Limited Business Systems must prevent further access to the information asset by initiating a session lock after 120 minutes of inactivity or upon receiving a request from a user.
In addition, Ken 7 Windows Limited Business Systems must retain the session lock until the user reestablishes access using the established identification and authentication procedures.

Permitted Actions without Identification or Authentication: All Ken 7 Windows Limited Business Systems must identify the specific user actions that can be performed on the information asset without identification or authentication. In addition, Ken 7 Windows Limited Business Systems must document in the security plan for the information asset, with supporting rationale, the user actions that do not require identification and authentication.
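The Session Lock standard above states a limit but not how to verify it on a Windows host. The following PowerShell script is an added example for this guide, not part of the policy text: it reads the Windows "Interactive logon: Machine inactivity limit" setting, treats the unconfigured value (0, which means the machine never locks on its own) as the weak state, sets the policy's 120-minute value when the host is out of compliance, and shows the on-demand lock. It assumes local administrator rights on the host; in a domain the same value is normally pushed by Group Policy, and this script is the spot check that the policy actually arrived. The 120-minute figure is the value this policy states; common hardening baselines such as the CIS Windows benchmarks set the same value to 15 minutes or less.

```powershell
# Added example, not part of the Ken 7 Windows Limited policy text: check and enforce the
# Session Lock standard (lock after 120 minutes of inactivity, and on user request).
# Assumes local administrator rights. The registry value below is the one written by the
# security option "Interactive logon: Machine inactivity limit"; 0 or absent means never.
$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$MaxIdleSecs = 120 * 60   # the 120-minute limit stated in the policy

function Get-InactivityLimit {
    # Returns the configured idle limit in seconds, or 0 when it is not set (weak state).
    $v = Get-ItemProperty -Path $PolicyKey -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 0 }
    return [int]$v.InactivityTimeoutSecs
}

function Test-SessionLockCompliance {
    # Weak: 0 (never locks) or a limit longer than the policy allows. Compliant: 1..$MaxIdleSecs.
    $current = Get-InactivityLimit
    return ($current -gt 0 -and $current -le $MaxIdleSecs)
}

function Set-InactivityLimit([int]$Seconds) {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name InactivityTimeoutSecs -Value $Seconds -Type DWord
}

function Lock-CurrentSession {
    # "Upon receiving a request from a user": lock the interactive session immediately.
    # The lock is held until the user authenticates again, which is the retention the policy requires.
    rundll32.exe user32.dll,LockWorkStation
}

if (Test-SessionLockCompliance) {
    Write-Host ("Session lock compliant: idle limit {0}s (policy maximum {1}s)" -f (Get-InactivityLimit), $MaxIdleSecs)
} else {
    Write-Warning ("Idle limit is {0}s (0 = never locks); setting {1}s" -f (Get-InactivityLimit), $MaxIdleSecs)
    Set-InactivityLimit -Seconds $MaxIdleSecs
}
```

Screen-saver based locking (the ScreenSaveTimeOut and ScreenSaverIsSecure user settings) also satisfies the standard, but it lives in the user's hive and a user can turn it off; the machine inactivity limit above applies to every session on the host and is the setting an auditor should read.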
Remote Access: All Ken 7 Windows Limited Business Systems must:
– Document the allowed methods of remote access to the information assets.
– Establish usage restrictions and implementation guidance for each allowed remote access method.
– Monitor for unauthorized remote access to the information asset.
– Authorize remote access to the information asset prior to connection.
– Enforce requirements for remote connections to the information asset.

Wireless Access: All Ken 7 Windows Limited Business Systems must:
– Establish usage restrictions and implementation guidance for wireless access.
– Monitor for unauthorized wireless access to the information asset.
– Authorize wireless access to the information asset prior to connection.
– Enforce requirements for wireless connections to the information asset.

Access Control for Mobile Devices: All Ken 7 Windows Limited Business Systems must:
– Establish usage restrictions and implementation guidance for organization-controlled mobile devices.
– Authorize the connection of mobile devices that meet the organizational usage restrictions and implementation guidance to organizational information assets.
– Monitor for unauthorized connections of mobile devices to organizational information assets.
– Enforce requirements for the connection of mobile devices to organizational information assets.
– Disable information asset functionality that provides the capability for automatic execution of code on mobile devices without user direction.
– Issue specially configured mobile devices to individuals traveling to locations (including international locations considered sensitive by the Department of State) that the organization deems to be of significant risk, in accordance with organizational policies and procedures.
Use of External Information Systems: All Ken 7 Windows Limited Business Systems must establish terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information assets, allowing authorized individuals to:
– Access the information asset from the external information systems.
– Process, store, and/or transmit organization-controlled information using the external information systems.