DS05 Security Access Management

DS05: Security Access Management

Description

Controls

KGI

KPI

CSF

Maturity Levels

1. Description

Ensure that access to the systems, data and programmes is restricted to authorized users.

2. Control Objectives

Manage Security Measures - Technology security should be managed such that security measures are in line with business requirements. This includes:
- translating risk assessment information to information technology security plans,
- implementing of the information technology security plan,
- updating the information technology security plan to reflect changes in the information technology configuration,
- assessing the impact of change requests on information technology security,
- monitoring the implementation of the information technology security plan,
- aligning information technology security procedures to other policies and procedures.
Identification, Authentication and Access : The logical access to and use of the information services function’s computing resources should be restricted by the implementation of an adequate authentication mechanism of identified users and resources associated with access rules. Such mechanisms should prevent unauthorised personnel, dial-up connections and other system (network) entry ports from accessing computer resources and minimize the need for authorized users to use multiple sign-ons. Procedures should also be in place to keep authentication and access mechanisms effective (e.g., regular password changes),
Security Of Online Access To Data - implement procedures in line with the security policy that provides access security control based on the individual’s demonstrated need to view, add, change or delete data,
User Account Management - ensuring timely action relating to requesting, establishing, issuing, suspending and closing of user accounts. A formal approval procedure outlining the data or system owner granting the access privileges should be included.
Management Review of User Account - periodically review and confirm access rights,
Client Control of Accounts - systematically control the activity of User account(s). Also information mechanisms should be in place to allow Clients to oversee normal activity as well as to be alerted to unusual activity in a timely manner.
Security Surveillance - ensure that security activity is logged and any indication of imminent security violation is notified immediately to the administrator and is acted upon automatically,
Data Classification - classify data in terms of sensitivity by a formal and explicit decision by the data owner according to the data classification scheme. Even data needing “no protection” should require a formal decision to be so designated,
Central Identification and Access Rights Management - ensure that the identification and access rights of clients as well as the identity of system and data ownership are established and managed in a unique and central manner to obtain consistency and efficiency of global access control,
Violation and Security Activity Reports - assure that violation and security activity is logged, reported, reviewed and appropriately escalated on a regular basis to identify and resolve incidents involving unauthorized activity. The logical access to the computer resources accountability information (security and other logs) should be granted based upon the principle of least privilege, or need-to-know.
Incident Handling - establish a computer security incident handling capability to address security incidents by providing a centralized platform with sufficient expertise and equipped with rapid and secure communication facilities. Incident management responsibilities and procedures should be established to ensure an appropriate, effective and orderly response to security incidents,
Re-accreditation - formally approved security levels and acceptance of residual risk
Counterparty Trust - ensure that control practices are implemented to verify the authenticity of the counterparty providing electronic instructions or transactions. This can be implemented through trusted exchange of passwords, tokens or cryptographic keys,
Transaction Authorization - ensure that where appropriate, controls are implemented to provide authenticity of transactions. This requires use of cryptographic techniques for signing and verifying transactions,
Non-Repudiation - ensure that, where appropriate, transactions cannot be denied by either party, and controls are implemented to provide non-repudiation of origin or receipt, proof of submission, and receipt of transactions. This can be implemented through digital signatures, time stamping and trusted third-parties,
Trusted Path - ensure that sensitive transaction data is only exchanged over a trusted path. Sensitive information includes security management information, sensitive transaction data, passwords and cryptographic keys. To achieve this, trusted channels may need to be established using encryption between users, between users and systems, and between systems,
Protection of Security Functions - all security related hardware and software should at all times be protected against tampering to maintain their integrity and against disclosure of secret keys. In addition, organizations should keep a low profile about their security design, but should not base their security on the design being secret,
Cryptographic Key Management - define and implement procedures and protocols to be used for generation, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorised disclosure. If a key is compromised, management should ensure this information is propagated to any interested party through the use of Certificate Revocation Lists or similar mechanisms.
Malicious Software Prevention, Detection and Correction - regarding malicious software, such as computer viruses or trojan horses, management should establish a framework of adequate preventative, detective and corrective control measures,
Firewall Architectures and Connections with Public Networks - ensure adequate firewalls are operative to protect against denial of services and any unauthorised access to the internal resources; should control any application and infrastructure management flows in both directions; and should protect against denial of service attacks,
Protection of Electronic Value - protect the continued integrity of all cards or similar physical appliances used for authentication or storage of financial or other sensitive information, taking into consideration the related facilities, devices, employees and validation methods used.

3. Key Goal Indicators

No incidents causing public embarrassment
Immediate reporting on critical incidents
Alignment of access rights with organisational responsibilities
Reduced number of new implementations delayed by security concerns
Full compliance, or agreed and recorded deviations from minimum security requirements
Reduced number of incidents involving unauthorised access, loss or corruption of information

4. Key Performance Indicators

Reduced number of security-related service calls, change requests and fixes
Amount of downtime caused by security incidents
Reduced turnaround time for security administration requests
Number of systems subject to an intrusion detection process
Number of systems with active monitoring capabilities
Reduced time to investigate security incidents
Time lag between detection, reporting and acting upon security incidents
Number of IT security awareness training days

5. Critical Success Factors

An overall security plan is developed that covers the building of awareness, establishes clear policies and standards, identifies a cost-effective and sustainable implementation, and defines monitoring and enforcement processes
There is awareness that a good security plan takes time to evolve
The corporate security function reports to senior management and is responsible for executing the security plan
Management and staff have a common understanding of security requirements, vulnerabilities and threats, and they understand and accept their own security responsibilities
Third-party evaluation of security policy and architecture is conducted periodically
A “building permit” programme is defined, identifying security baselines that have to be adhered to
A “drivers licence” programme is in place for those developing, implementing and using systems, enforcing security certification of staff
The security function has the means and ability to detect, record, analyse significance, report and act upon security incidents when they do occur, while minimising the probability of occurrence by applying intrusion testing and active monitoring
A centralised user management process and system provides the means to identify and assign authorisations to users in a standard and efficient manner
A process is in place to authenticate users at reasonable cost, light to implement and easy to use

6. Service Maturity Variations

0 Non-existent	The organisation does not recognise the need for IT security. Responsibilities and accountabilities are not assigned for ensuring security. Measures supporting the management of IT security are not implemented. There is no IT security reporting and no response process to IT security breaches. There is a complete lack of a recognisable system security administration process.
1 (Initial/Ad Hoc)	The organisation recognises the need for IT security, but security awareness depends on the individual. IT security is addressed on a reactive basis and not measured. IT security breaches invoke “finger pointing” responses if detected, because responsibilities are unclear. Responses to IT security breaches are unpredictable.
2 (Repeatable but Intuitive)	RResponsibilities and accountabilities for IT security are assigned to an IT security co-ordinator with no management authority. Security awareness is fragmented and limited. IT security information is generated, but is not analysed. Security solutions tend to respond reactively to IT security incidents and by adopting third-party offerings, without addressing the specific needs of the organisation. Security policies are being developed, but inadequate skills and tools are still being used. IT security reporting is incomplete, misleading or not pertinent.
3 (Defined Process)	Security awareness exists and is promoted by management. Security awareness briefings have been standardised and formalised. IT security procedures are defined and fit into a structure for security policies and procedures. Responsibilities for IT security are assigned, but not consistently enforced. An IT security plan exists, driving risk analysis and security solutions. IT security reporting is IT focused, rather than business focused. Ad hoc intrusion testing is performed.
4 (Managed and Measurable)	Responsibilities for IT security are clearly assigned, managed and enforced. IT security risk and impact analysis is consistently performed. Security policies and practices are completed with specific security baselines. Security awareness briefings have become mandatory. User identification, authentication and authorisation are being standardised. Security certification of staff is being established. Intrusion testing is a standard and formalised process leading to improvements. Cost/benefit analysis, supporting the implementation of security measures, is increasingly being utilised. IT security processes are coordinated with the overall organisation security function. IT security reporting is linked to business objectives.
5 Optimized	IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimised and included in a verified security plan. Security functions are integrated with applications at the design stage and end users are increasingly accountable for managing security. IT security reporting provides early warning of changing and emerging risk, using automated active monitoring approaches for critical systems. Incidents are promptly addressed with formalised incident response procedures supported by automated tools. Periodic security assessments evaluate the effectiveness of implementation of the security plan. Information on new threats and vulnerabilities is systematically collected and analysed, and adequate mitigating controls are promptly communicated and implemented. Intrusion testing, root cause analysis of security incidents and pro-active identification of risk is the basis for continuous improvements. Security processes and technologies are integrated organisation wide.