This blog will focus on the identity and user access controls and how to manage giving staff and other parties access to information and systems that they need in order to do their jobs. This also covers authentication, and management of identities for the systems which hold and process the data.
A.5.15 Access control
The objective of this clause is to establish and implement systems to limit access to information and information processing facilities.
This clause requires an access control policy to be created and controls to be put in place to protect assets.
Access control should consider which entities require access to information and associated assets. When considering which entities require access, you need to think about computers, or other physical assets as well as users. Also think about the types of access that entities may require. Not all entities require full access to information. Some users will only require access to read the information.
When determining access controls, you should make use of the information classification that has already been determined as part of A.5.12 (covered in the previous blog post), and leverage it to create consistent controls.
Access control is generally broken down into two main principles:
- Need-to-know – only grant access to those entities which need to use the information to perform their tasks.
- Need-to-use – access is only assigned to the infrastructure where a clear need is demonstrated.
Your access control policy should cover:
- Definition of information security and what you are protecting against.
- How you will manage it, and have different levels of protection.
- Outline that specific requirements have been adopted for different systems and that access controls are in place to control who has rights to access and utilise information resources.
A.5.16 Identity management
This clause aims to ensure that your authorized users can access your systems and services while, at the same time, preventing unauthorized access.
Most businesses that we have seen have a system that covers the following activities:
- User registration and deregistration
- Access provisioning
- Access rights
- Control and management of secret authentication information (passwords and other MFA information)
- Review of access rights
- Removal of access when employees and contractors are terminated.
Ensure that your IT department or contractors work closely with the rest of your business to develop the detailed instructions for these areas so access requirements are consistent across different systems used within your business.
Whether the IT department owns and manages all systems within your ISMS determines the amount of documentation and oversight that needs to be in place across different departments.
Where possible, a centralised source of truth should be considered, so that accounts on each system are derived from staff roles and managed from one place.
A.5.17 Authentication information
The objective of this sub-clause is to have systems in place to prevent unauthorized access to your information systems and applications. This includes making your users accountable for safeguarding their authentication information from compromise.
Technically, this can be achieved by implementing a range of measures such as secure log-on procedures, password management and restricted access to your source code. Other aspects to consider include preventing browser auto-fill and saved passwords.
Ensuring users have strong passwords and that they keep them confidential is also important. This includes making use of automated tools within systems to enforce password complexity rules.
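The automated enforcement mentioned above, as an added example that is not from the original post: a password policy check of the kind a system runs when a password is set or changed. The minimum length, character-class rule, and deny list (standing in for a feed of known-breached or common passwords) are constructed illustrations, not values the post prescribes; the deny-list check matters because complexity rules alone still accept well-known weak passwords.

```python
"""Added example (not from the original post): automated password policy
enforcement. Thresholds and the deny list below are constructed illustrations."""
import re

MIN_LENGTH = 12  # constructed threshold
# Constructed deny list standing in for a breached/common-password feed
DENY_LIST = {"password", "welcome1", "summer2024", "companyname"}
CHARACTER_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def password_policy_violations(password: str, username: str = "") -> list:
    """Return the policy rules the candidate password breaks.
    An empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Require at least three of: lowercase, uppercase, digit, symbol
    if sum(bool(re.search(cls, password)) for cls in CHARACTER_CLASSES) < 3:
        problems.append("fewer than 3 of: lowercase, uppercase, digit, symbol")
    if password.lower() in DENY_LIST:
        problems.append("appears on the deny list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    # Reject runs such as "aaaa" that pad length without adding strength
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a character repeated 4+ times")
    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    """True when the password passes every rule."""
    return not password_policy_violations(password, username)


if __name__ == "__main__":
    for candidate in ["password", "Tr0ub4dor&3!xQ", "jsmith-Winter-2024"]:
        print(candidate, "->", password_policy_violations(candidate, "jsmith") or "accepted")
```

Returning the full list of failed rules, rather than a bare reject, lets the system tell the user what to fix without revealing anything about other users' passwords.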
It is also important to educate your staff on keeping their authentication secure and best practices. This can be as simple as talking about cyber security and secure authentication at all-company meetings to keep it top of mind, or having formal training which they must complete periodically.
A.5.18 Access rights
The objective of this clause is to ensure that the appropriate people and users have access to the appropriate information and the systems containing it, so they can do their jobs, while, at the same time, preventing unauthorized access.
As part of the roles and responsibilities, and information management controls and registers implemented as part of the controls for A.5.2 and A.5.9 respectively, you should have a good idea of who needs access to which information, the assets and systems that store and process it and where the assets are kept.
Often, we see companies adopt “need to know” and “need to use” principles where staff who need to know information are granted access to systems to read or see the information. Those who need to use the information to enter it, or change the information are granted read and write access to the systems containing the information.
Also important to this clause is monitoring and reviewing access to systems to ensure that the people who need access have appropriate access.
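The identity lifecycle listed under A.5.16 (registration, provisioning, removal on termination, review of access rights) and the need-to-know versus need-to-use split described under A.5.18, as one added example that is not from the original post: a minimal role-based directory in which accounts only ever obtain system permissions through roles, termination strips every role, and a periodic review flags stale or orphaned accounts. The roles, systems, users and 90-day review interval are all constructed for the example.

```python
"""Added example (not from the original post): a central source of truth for
identities where access is derived from roles. Need-to-know roles carry read
only; need-to-use roles carry read and write. Everything here is constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed role catalogue: role -> {system: permissions}
ROLE_PERMISSIONS = {
    "finance_viewer": {"payroll": {"read"}},            # need-to-know
    "finance_clerk": {"payroll": {"read", "write"}},    # need-to-use
    "support_agent": {"crm": {"read", "write"}},
}


@dataclass
class Account:
    user: str
    roles: Set[str] = field(default_factory=set)
    active: bool = True
    last_review: Optional[date] = None


class Directory:
    """Centralised identity store: systems ask it, never the other way round."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, user: str, roles: Set[str], registered_on: date) -> Account:
        """User registration: only catalogued roles may be assigned."""
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        acct = Account(user, set(roles), True, registered_on)
        self.accounts[user] = acct
        return acct

    def deregister(self, user: str) -> None:
        """Termination: disable the account and remove every role, so no
        system-level access survives the leaver."""
        acct = self.accounts[user]
        acct.active = False
        acct.roles.clear()

    def permissions(self, user: str, system: str) -> Set[str]:
        """Effective permissions on one system, derived purely from roles."""
        acct = self.accounts.get(user)
        if acct is None or not acct.active:
            return set()
        perms: Set[str] = set()
        for role in acct.roles:
            perms |= ROLE_PERMISSIONS[role].get(system, set())
        return perms

    def is_allowed(self, user: str, system: str, action: str) -> bool:
        return action in self.permissions(user, system)

    def access_review(self, today: date, max_age_days: int = 90) -> List[str]:
        """Periodic review of access rights: flag active accounts whose
        rights have not been re-certified recently, and active accounts
        holding no role at all (orphans that should be deregistered)."""
        findings = []
        for acct in self.accounts.values():
            if not acct.active:
                continue
            if not acct.roles:
                findings.append(f"{acct.user}: active account with no roles")
            elif acct.last_review is None or (today - acct.last_review).days > max_age_days:
                findings.append(f"{acct.user}: access not reviewed in {max_age_days} days")
        return findings


if __name__ == "__main__":
    d = Directory()
    d.register("alice", {"finance_viewer"}, date(2024, 1, 1))
    d.register("bob", {"finance_clerk"}, date(2024, 1, 1))
    print("alice write payroll:", d.is_allowed("alice", "payroll", "write"))
    d.deregister("bob")
    print("review findings:", d.access_review(date(2024, 6, 1)))
```

Because every system consults the directory for effective permissions, provisioning, termination and review happen once, centrally, which is what keeps access consistent across the different systems in the business.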
Conclusion
In these controls we have covered the ways of ensuring that those who need access to information and systems within your business can have access to it, while protecting it by preventing unauthorised access. Limiting access to information and systems to only those who need access also makes it more difficult for hackers to navigate should they gain access to your system.
Identity and access management is a difficult and vital process to get right. Spend the time to get the processes right, and consistent across your business.
- Read the previous post in the series: Safeguard Your Information and Assets: Implementing ISO 27001 Controls A.5.9 to A.5.14.
- Read the next post in the series: Fortifying the Supply Chain: A Guide to Controls A.5.19 - A.5.23
Brad Fabiny
DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.