1051 NW 14th St., Suite 165
(UM mail routing R-26)
Miami, FL 33136
Receptionist: 305-243-6475
Hours: 8:30am - 5:00pm, M-F
Help Desk: 305-243-5999
Hours: 24/7
General fax: 305-243-6417
Admin. fax: 305-243-2622
Authentication and access control
Objective • Authentication and access control measures should ensure appropriate access to information and information processing facilities – including mainframes, servers, desktop and laptop clients, mobile devices, applications, operating systems and network services – and prevent inappropriate access to such resources.
Access control policy • An access control policy should be established, documented and periodically reviewed, based on business needs and external requirements. Access control policy and associated controls could take account of:
- security issues for particular data systems and information processing facilities, given business needs, anticipated threats and vulnerabilities;
- security issues for particular types of data, given business needs, anticipated threats and vulnerabilities;
- relevant legislative, regulatory and certification requirements;
- relevant contractual obligations or service level agreements;
- other organizational policies for information access, use and disclosure; and
- consistency among such policies across systems and networks.
Access control policy content • Access control policies generally should include:
- clearly stated rules and rights based on user profiles;
- consistent management of access rights across a distributed/networked environment;
- an appropriate mix of administrative, technical and physical access controls;
- administrative segregation of access control roles -- e.g., access request, access authorization, access administration;
- requirements for formal authorization of access requests ("provisioning"); and
- requirements for authorization and timely removal of access rights ("de-provisioning").
User access management policy • Policies should include a focus on ensuring authorized user access, and preventing unauthorized user access, to information and information systems. This could include:
- formal procedures to control the allocation of access rights;
- procedures covering all stages in the life-cycle of user access, from provisioning to de-provisioning; and
- special attention to control of privileged ("super-user") access rights.
User registration • Formal user registration and de-registration procedures should be implemented, for granting and revoking access to all information systems and services. In addition to assignment of unique user-IDs to each user, this could include:
- documentation of approval from the information system owner for each user's access;
- confirmation by a reviewing party (supervisor or other personnel) that each user's access is consistent with business purposes and with other security controls (e.g., segregation of duties);
- giving each user a written statement of their access rights and responsibilities;
- requiring users to sign statements indicating they understand the conditions of access (see also Terms and conditions of employment and Confidentiality agreements);
- ensuring access is not granted until all authorization procedures are completed;
- maintaining a current record of all users authorized to use a particular system or service;
- immediately changing/eliminating access rights for users who have changed roles or left the organization; and
- checking for and removing redundant or apparently unused user-IDs.
Privilege management • Allocation and use of access privileges should be restricted and controlled. This could include:
- development of privilege profiles for each system, based on intersection of user profiles and system resources;
- granting of privileges based on these standard profiles when possible;
- a formal authorization process for all privileges, with additional review requirements for exceptions to standard profiles; and
- maintaining a current record of privileges granted.
User password management • Allocation of passwords should be controlled through a formal management process. This could include:
- requiring users to sign a statement indicating they will keep their individual passwords confidential and, if applicable, keep any group passwords confidential solely within the group;
- secure methods for creating and distributing temporary, initial-use passwords;
- forcing users to change any temporary, initial-use password;
- forcing users to periodically change passwords, and to use strong passwords at each change;
- development of procedures to verify a user's identity prior to providing a replacement password ("password reset");
- prohibiting "loaning" of passwords;
- prohibiting storage of passwords on computer systems in unprotected form; and
- prohibiting use of default vendor passwords, where applicable.
User access token management • Allocation of access tokens, such as key-cards, should be controlled through a formal management process. This could include:
- requiring users to sign a statement indicating they will keep their access tokens secure;
- secure methods for creating and distributing tokens;
- use of two-factor tokens (token plus PIN) where appropriate and technically feasible;
- development of procedures to verify a user's identity prior to providing a replacement token; and
- prohibiting "loaning" of tokens.
Review of user access rights • Each user's access rights should be periodically reviewed using a formal process. This could include:
- review at regular intervals, and after any status change (promotion, demotion, transfer, termination); and
- more frequent review of privileged ("super user") access rights.
Policy on use of network services • Users should be provided with access only to the network services that they have been specifically authorized to use. This could include:
- authorization procedures for determining who is allowed access to which networks and network services, consistent with other access rights; and
- policies on deployment of technical controls to limit network connections.
User authentication for remote connections • Where appropriate and technically feasible, authentication methods should be used to control remote access to the network.
Equipment/location identification in networks • Where appropriate and technically feasible, access to the network should be limited to identified devices or locations.
Remote diagnostic and configuration port protection • Physical and logical access to diagnostic and configuration ports should be appropriately controlled. This could include:
- physical and technical security for diagnostic and configuration ports; and
- disabling/removing ports, services and similar facilities which are not required for business functionality.
Segregation in networks • Where appropriate and technically feasible, groups of information users and services should be segregated on networks. This could include:
- separation into logical domains, each protected by a defined security perimeter; and
- secure gateways between/among logical domains.
Network connection control • Capabilities of users to connect to the network should be appropriately restricted, consistent with access control policies and application requirements. This could include:
- filtering by connection type (e.g., messaging, email, file transfer, interactive access, applications access); and
- additional authentication and access control measures as appropriate.
Network routing control • Routing controls should be implemented to ensure that computer connections and information flows do not breach the access control policies of/for applications on the network. This could include:
- positive source and destination address checking; and
- routing limitations based on the access control policy.
Control of use of systems • Controls should be implemented to restrict operating system access to authorized users, by requiring authentication of authorized users in accordance with the defined access control policy. This could include:
- providing mechanisms for authentication by knowledge-, token- and/or biometric-factor methods as appropriate;
- recording successful and failed system authentication attempts;
- recording the use of special system privileges; and
- issuing alarms when access security controls are breached.
Secure log-on procedures • Access to systems should be controlled by secure log-on procedures. This could include:
- display of a general notice warning about authorized and unauthorized use;
- no display of system or application identifiers until successful log-on;
- no display of help messages prior to successful log-on that could aid an unauthorized user;
- validation or rejection of log-on only on completion of all input data (e.g., both user-ID and password), and on failure indicating only that the log-on failed, not which part of the input was wrong;
- no display of passwords as entered (e.g., hide with symbols);
- no transmission of passwords in clear text;
- limits on the number of unsuccessful log-on attempts in total or for a given time period;
- limits on the maximum and minimum time allowed for a log-on attempt, with the attempt terminated when a limit is exceeded;
- logging of successful and unsuccessful log-on attempts; and
- on successful log-on, display date/time of last successful log-on and any unsuccessful attempts.
User identification and authentication • All system users should have a unique identifier ("user-ID") for their personal use only. A suitable authentication technique – knowledge-, token- and/or biometric-based – should be chosen to authenticate the user. This could include:
- shared user-IDs are employed only in exceptional circumstances, where there is a clear justification;
- generic user-IDs (e.g., "guest") are employed only where no individual-user-level audit is required and limited access privileges otherwise justify the practice;
- strength of the identification and authentication methods (e.g., use of multiple authentication factors) are suitable to the sensitivity of the information being accessed; and
- regular user activities are not performed from privileged accounts.
Password management system • Systems for managing passwords should ensure the quality of this authentication method. This could include:
- log-on methods enforce use of individual user-IDs and associated passwords;
- set/change password methods enforce choice of strong passwords;
- force change of temporary password on first log-on;
- enforce password change thereafter at reasonable intervals;
- store passwords separately from application data; and
- store passwords only in protected form (salted one-way hashes rather than reversible encryption) and transmit them only over encrypted channels.
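The secure log-on and password management requirements above can be exercised in code. The following is an added example, not part of the policy text or of any University of Miami system: it stores passwords only as salted PBKDF2 hashes, enforces a strength rule at every password set/change, flags temporary passwords for forced change, validates user-ID and password together with one generic failure message for every failure cause, hashes against a throwaway record for unknown user-IDs so they cost the same time as a wrong password, throttles repeated failures inside a time window, logs every attempt, and reports the last successful log-on and intervening failures on success. The policy constants, the short blocked-password list and the user IDs are constructed for the demo.

```python
import hashlib
import hmac
import logging
import os
from dataclasses import dataclass, field
from typing import Optional

logging.basicConfig(level=logging.INFO, format="%(asctime)s logon %(message)s")
log = logging.getLogger(__name__)

# Policy parameters (assumed values for the demo; tune to local policy).
MAX_FAILURES = 5              # lock after this many failures ...
FAILURE_WINDOW_SECONDS = 900  # ... inside this window
PBKDF2_ITERATIONS = 100_000   # kept low so the demo runs quickly; raise for production
MIN_PASSWORD_LENGTH = 12
COMMON_PASSWORDS = {"password", "password123", "welcome1", "letmein"}  # constructed short list
GENERIC_FAILURE = "Log-on failed"  # one message for every failure cause


@dataclass
class UserRecord:
    salt: bytes
    digest: bytes
    must_change: bool = False            # temporary/initial password not yet replaced
    last_success: Optional[float] = None
    failed_since_success: int = 0
    recent_failures: list = field(default_factory=list)  # timestamps of failed attempts


@dataclass
class LogonResult:
    success: bool
    message: str
    last_success: Optional[float] = None
    failed_attempts_since_last: int = 0
    password_change_required: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted one-way hash; the clear-text password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def check_strength(password: str) -> Optional[str]:
    """Return a rejection reason, or None if the password meets the policy."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return f"shorter than {MIN_PASSWORD_LENGTH} characters"
    if password.lower() in COMMON_PASSWORDS:
        return "appears on the blocked-password list"
    classes = sum((any(c.islower() for c in password), any(c.isupper() for c in password),
                   any(c.isdigit() for c in password), any(not c.isalnum() for c in password)))
    if classes < 3:
        return "uses fewer than three character classes"
    return None


def set_password(store: dict, user_id: str, password: str, temporary: bool = False) -> None:
    """Set or change a password, enforcing the strength policy at every change."""
    reason = check_strength(password)
    if reason:
        raise ValueError(f"password rejected: {reason}")
    salt = os.urandom(16)
    rec = store.get(user_id) or UserRecord(salt=salt, digest=b"")
    rec.salt, rec.digest, rec.must_change = salt, hash_password(password, salt), temporary
    store[user_id] = rec


def logon(store: dict, user_id: str, password: str, now: float) -> LogonResult:
    """Validate user-ID and password together; every failure looks the same to the caller."""
    rec = store.get(user_id)
    known = rec is not None
    if not known:
        # Hash against a throwaway record so unknown IDs take as long as wrong passwords.
        rec = UserRecord(salt=b"\x00" * 16, digest=b"\x00" * 32)

    rec.recent_failures = [t for t in rec.recent_failures if now - t < FAILURE_WINDOW_SECONDS]
    locked = len(rec.recent_failures) >= MAX_FAILURES
    matches = hmac.compare_digest(hash_password(password, rec.salt), rec.digest)

    if locked or not matches or not known:
        if known:
            rec.recent_failures.append(now)   # a locked account keeps extending its lock
            rec.failed_since_success += 1
        log.warning("FAILURE user=%s locked=%s", user_id, locked)
        return LogonResult(False, GENERIC_FAILURE)

    result = LogonResult(True, "Log-on successful", rec.last_success,
                         rec.failed_since_success, rec.must_change)
    rec.last_success, rec.failed_since_success, rec.recent_failures = now, 0, []
    log.info("SUCCESS user=%s", user_id)
    return result
```

The caller shows the user the `last_success` and `failed_attempts_since_last` fields after a successful log-on, and redirects to a password-change page whenever `password_change_required` is set; the generic failure string is all that an unauthenticated caller ever sees.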
Access token management system • Systems for managing access tokens should ensure the quality of this authentication method.
Biometric access management system • Systems for managing access via biometrics should ensure the quality of this authentication method.
Use of system utilities that override controls • Use of system utilities that are capable of overriding other controls should be restricted, and appropriately monitored whenever used (e.g., by special event logging processes).
Session time-out • Interactive sessions should shut down and “lock out” the user after a defined period of inactivity. Resumption of the interactive session should require re-authentication. This could include:
- time-out periods that reflect risks associated with type of user, setting of use and sensitivity of the applications and data being accessed;
- waiver or relaxation of time-out requirement when it is incompatible with a business process, provided other steps are taken to reduce vulnerabilities (e.g., increased physical security, reduction in access privileges, removal of sensitive data, removal of network connection capabilities).
Limitation of connection time and location • Restrictions on connection times should be used to provide additional security for high-risk applications or remote communications capabilities. This could include:
- requiring re-authentication at timed intervals;
- restricting overall connection duration or connection time period (e.g., normal office hours); and
- restricting connection locations (e.g., to IP address ranges).
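The session time-out and connection-limit controls above (idle lock with re-authentication, re-authentication at timed intervals, maximum connection duration, permitted hours and permitted source address ranges) can be expressed as one session policy. The code below is an added example, not part of the policy text or of any University of Miami system; the two profiles, their limits, the address ranges and the user IDs are constructed for the demo, and the privileged profile is deliberately tighter to reflect the higher risk that the time-out guidance calls out.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Sequence


@dataclass(frozen=True)
class SessionPolicy:
    idle_timeout: timedelta          # inactivity before the session locks
    max_duration: timedelta          # absolute lifetime of one connection
    reauth_interval: timedelta       # forced re-authentication cadence
    allowed_hours: tuple             # (first_hour, last_hour_exclusive) in the clock's zone
    allowed_networks: Sequence[str]  # CIDR ranges permitted to connect


# Constructed profiles: privileged sessions get tighter limits than ordinary ones.
STANDARD = SessionPolicy(timedelta(minutes=15), timedelta(hours=10), timedelta(hours=8),
                         (7, 19), ("10.0.0.0/8", "192.168.0.0/16"))
PRIVILEGED = SessionPolicy(timedelta(minutes=5), timedelta(hours=2), timedelta(minutes=30),
                           (7, 19), ("10.10.0.0/16",))


@dataclass
class Session:
    user_id: str
    client_ip: str
    policy: SessionPolicy
    started: datetime
    last_activity: datetime
    last_auth: datetime
    locked: bool = False


def connection_allowed(client_ip: str, policy: SessionPolicy, now: datetime) -> Optional[str]:
    """Location and time-of-day checks; None when the connection is permitted."""
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in ipaddress.ip_network(n) for n in policy.allowed_networks):
        return f"source address {client_ip} not permitted"
    first, last = policy.allowed_hours
    if not first <= now.hour < last:
        return f"connections not permitted at {now.hour:02d}:00"
    return None


def open_session(user_id: str, client_ip: str, policy: SessionPolicy, now: datetime) -> Session:
    """Admit a freshly authenticated user only from a permitted address and within permitted hours."""
    reason = connection_allowed(client_ip, policy, now)
    if reason:
        raise PermissionError(reason)
    return Session(user_id, client_ip, policy, now, now, now)


def check_session(sess: Session, now: datetime) -> Optional[str]:
    """Gate each request: None lets it proceed, otherwise the refusal reason.

    Locks the session on inactivity; a locked or stale session needs reauthenticate().
    """
    reason = connection_allowed(sess.client_ip, sess.policy, now)
    if reason:
        return reason
    p = sess.policy
    if now - sess.started > p.max_duration:
        return "maximum connection duration exceeded; log on again"
    if sess.locked or now - sess.last_activity > p.idle_timeout:
        sess.locked = True
        return "session locked after inactivity; re-authenticate to resume"
    if now - sess.last_auth > p.reauth_interval:
        return "periodic re-authentication required"
    sess.last_activity = now
    return None


def reauthenticate(sess: Session, now: datetime, credential_ok: bool) -> bool:
    """Unlock or refresh a session only after a fresh successful authentication."""
    if not credential_ok:
        return False
    sess.locked = False
    sess.last_auth = sess.last_activity = now
    return True
```

`reauthenticate` never resets `started`, so a session that has exhausted its maximum duration cannot be revived by re-entering a password; the user must log on again and pass the location and hours checks afresh.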
Information access restriction • Access to information and application system functions should be restricted in accordance with a defined access control policy that is consistent with the overall organizational access policy. This could include any of the controls listed herein.
Sensitive system isolation • Sensitive systems should have a dedicated (isolated) computing environment. This could include:
- explicit identification and documentation of sensitivity by each system/application controller (owner);
- construction of appropriately isolated environments where technically and operationally feasible; and
- explicit identification and acceptance of risks when shared facilities and/or resources must be used.
SOURCES: ISO/IEC 27001/27002:2005 sects. 11.1 – 11.6