UCF ID: 00514 |
Control Type: Process or Activity |
Status: Live |
Supporting and supported controls
This control directly supports:
• Establish and maintain an identification, authentication, and access rights management plan. [UCF Control ID 00513]
This control has the following supporting controls:
• Control the addition and modification of user IDs, credentials, or other identifier objects. [UCF Control ID 00515]
• Revoke the access of terminated users immediately. [UCF Control ID 00516]
• Remove inactive/temporary user accounts at least every 90 days. [UCF Control ID 00517]
• Distribute the password policies and procedures to all users who have access to restricted data or information. [UCF Control ID 00518]
• Configure passwords so that the use of group or shared passwords is prohibited. [UCF Control ID 00519]
• Configure passwords so that users must change their passwords on a regular basis. [UCF Control ID 00520]
• Configure passwords for a minimum password length. [UCF Control ID 00521]
• Configure passwords so that they contain both numeric and alphabetic characters. [UCF Control ID 00522]
• Ensure users cannot submit a new password that is the same as the previous few used. [UCF Control ID 00523]
• Review access capabilities when a user's status changes. [UCF Control ID 00524]
Authority documents complied with:
AICPA/CICA Privacy Framework, ID 8.2.2.d; AICPA Suitable Trust Services Principles and Criteria, ¶ .17 § 3.1.a, ¶ .17 § 3.1.c, ¶ .20 § 3.4.a, ¶ .20 § 3.4.c, ¶ .24 § 3.5.a, ¶ .24 § 3.5.c, ¶ .29 § 3.4.a, ¶ .29 § 3.4.c; FFIEC IT Examination Handbook – E-Banking, August 2003, Obj 4.5; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 40, Exam Tier II Obj 2.7; System Security Plan (SSP) Procedure, Version 1.0, App A § 4.1; FDA Electronic Records; Electronic Signatures FDA 21 CFR Part 11+D1, § 11.10(g); Health Insurance Portability and Accountability Act of 1996 (HIPAA), § 164.308(a)(5)(ii)(C), § 164.308(a)(5)(ii)(D); Introductory Resource Guide for HIPAA NIST SP 800-66, § 4.17; North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards, CIP-00301 R5.1, CIP-00301 R5.1.1, CIP-00301 R5.3; American Express Data Security Standard (DSS), § 2b; VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business, Pg 54; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-15.e; Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives, § 15.1(B); NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 8-609.a(3); FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; GAO/PCIE Financial Audit Manual (FAM), § 295F.07; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.1, § 5.6.7, Exhibit 4 AC-2, Exhibit 4 AC-13, Exhibit 4 IA-4, Exhibit 8 Control 17, Exhibit 8 Control 18; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.5.2; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § AC-2, App F § AC-2(1), App F § AC-2(4), App F § AC-2(5); CobiT, Version 4.1, DS5.4; The Standard of Good Practice for Information Security, SM4.4.4(c), SM4.4.4(d); DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2, § 2.2 (WIR1100), § 3.4, § 3.5.1 thru § 3.5.3, App B.2 Row “Admin Password”; DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2, § 3, § 5.5, § 6; DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4, § 2.2 (WIR2100), § 3.4.5, App B.3 Row "Minimum Password Length", App B.3 Row “Password Delay/Inactivity Timer”, App B.3 Row "Password Expiration", App B.3 Row "Password Failure Action"; DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2, § 5 (WIR0450); ISO/IEC 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008, § 12.3, § G.3; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 11.2.1; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, Annex A.11.2.3; ISO/IEC 27002 Code of practice for information security management, 2005, § 11.2.1; OGC ITIL: Security Management, § 4.2; Australian Government ICT Security Manual (ACSI 33), § 2.7.38, § 3.6.21; Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts, § 17.04(1); Guide to Bluetooth Security, NIST SP 800-121, September 2008, Table 4-2 Item 9, Table 4-2 Item 25; Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007, Table 8-4 Item 37; Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008, § 4.1.2, § 4.1.6; Center for Internet Security Mac OS X Tiger Level I Security Benchmark, Version 1.0 May 2008, § 2.7; Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition, Pg 23, Pg 24, Pg 42, Pg 43, Pg 45, Pg 65; DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11, § 3.2, § 5.7.1.7; DISA Windows XP Security Checklist, Version 6 Release 1.11, § 3.2; DISA Windows VISTA Security Checklist, Version 6 Release 1.11, § 3.1 (1.006); California OPP Recommended Practices on Notification of Security Breach, May 2008, Part I ¶ 4; DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3, § 2.2 (WIR3100), App B.1 Row “Require Password”, App B.1 Row “S/MIME Password Type”, App B.1 Row “Prevent Previously used Passwords”, App B.1 Row “Restrict Use of repeated characters”, § 2.2 (WIR3250), App B.1 Row “Disallow PIN after first time use”; ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.2.2(1-4), ¶ 9.2 Table Row “User Access to Data, Services and Applications”
Banking and Finance Guidance
[Obj 4.5, FFIEC IT Examination Handbook – E-Banking, August 2003]
If a customer forgets his/her personal identification number (PIN), the customer should pick a new PIN instead of having the staff retrieve the old one. [Pg 40, Exam Tier II Obj 2.7, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
Healthcare and Life Science Guidance
Calls for a description of user identification and authentication controls for the system, including mechanisms that provide the ability to verify users. This also involves the description of password management practices. [App A § 4.1, System Security Plan (SSP) Procedure, Version 1.0]
[§ 11.10(g), FDA Electronic Records; Electronic Signatures FDA 21 CFR Part 11+D1]
[§ 164.308(a)(5)(ii)(C), § 164.308(a)(5)(ii)(D), Health Insurance Portability and Accountability Act of 1996 (HIPAA)]
[§ 4.17, Introductory Resource Guide for HIPAA NIST SP 800-66]
Energy Guidance
The Responsible Entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information.
Personnel shall be identified by name, title, business phone and the information for which they are responsible for authorizing access.
The Responsible Entity shall assess and document at least annually the processes for controlling access privileges to protected information. [CIP-00301 R5.1, CIP-00301 R5.1.1, CIP-00301 R5.3, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards]
Payment Card Guidance
The organization must set up administrative authority for resetting passwords, issuing temporary passwords and accessing payment data by restricting access to authorized employee groups and enabling the creation of audit trails. [§ 2b, American Express Data Security Standard (DSS)]
The login ID and the password used for the payment gateway system should not be the same. [Pg 54, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business]
US Federal Security Guidance
Passwords should be issued only to users who have the authorization to access the system or who require access to perform their duties. [§ 2-15.e, Army Regulation 380-19: Information Systems Security, February 27, 1998]
The organization must implement and monitor the status of account management controls. [§ 15.1(B), Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives]
Entry to the system must only be granted in accordance with the profile settings for the authenticated user. [§ 8-609.a(3), NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]
Calls for Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
[§ 295F.07, GAO/PCIE Financial Audit Manual (FAM)]
US Internal Revenue Guidance
The organization must establish, activate, change, review, disable, and remove user accounts. System accounts must be reviewed at least annually. User identifiers must be managed by verifying all users; receiving authorization prior to issuing an identifier; disabling identifiers; and archiving identifiers. Passwords must not contain dictionary words or easily guessable combinations of letters and numbers. Passwords must never be written down or communicated in any way to another user. [§ 5.6.1, § 5.6.7, Exhibit 4 AC-2, Exhibit 4 AC-13, Exhibit 4 IA-4, Exhibit 8 Control 17, Exhibit 8 Control 18, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
[§ 3.5.2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
App F § AC-2 The organization must develop information system account management procedures that identify account types, group membership, authorized users and their access privileges, approval for account creation, the account life cycle, guest and temporary accounts, deactivation and termination of accounts, system access criteria, and periodic account review.
App F § AC-2(1) The organization should employ automated mechanisms to manage system accounts.
App F § AC-2(4) The organization should automatically audit account creation, modification, disabling, and termination and notify appropriate individuals.
App F § AC-2(5) The organization should require users to log out after a period of inactivity, establish usage times and durations, and monitor and report unusual usage. [App F § AC-2, App F § AC-2(1), App F § AC-2(4), App F § AC-2(5), Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]
PIN codes should be random and long. For Bluetooth v2.0 or earlier, an 8-character, alphanumeric PIN should be used. For sensitive connections, fixed PINs should not be used. Portable devices with Bluetooth should use passwords to prevent unauthorized access if the device is stolen or lost. [Table 4-2 Item 9, Table 4-2 Item 25, Guide to Bluetooth Security, NIST SP 800-121, September 2008]
The administrator password for access points should be strong and unique. [Table 8-4 Item 37, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007]
User authentication methods should be enabled on all cell phones and PDAs. The methods usually available on all devices are PINs and passwords. [§ 4.1.2, § 4.1.6, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008]
US State Laws and Protectorates Guidance
Anyone who stores, licenses, owns, or maintains personal information about a Massachusetts resident and electronically transmits or stores that information must establish and maintain a security system (which must be included in the comprehensive, written information security program) for all computers and wireless systems. At a minimum, it must include secure user authentication protocols that control user IDs, use a secure method for assigning and selecting passwords, keep passwords in a location and/or format that prevents compromise of the data, restrict access to active accounts and users, and block access after a certain number of unsuccessful attempts. [§ 17.04(1), Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts]
Where possible, use technological means to restrict internal access to specific categories of personal information. [Part I ¶ 4, California OPP Recommended Practices on Notification of Security Breach, May 2008]
System Configuration Guidance
Non-administrator accounts should be used for normal day-to-day operations. If additional privileges are needed, the user is prompted to enter an administrative user ID and password. Using a non-administrator account protects the system because malware or system defects can affect only the areas the user has access to, not the entire system. [§ 2.7, Center for Internet Security Mac OS X Tiger Level I Security Benchmark, Version 1.0 May 2008]
Administrator accounts should be used for administration purposes only. For day-to-day use, standard user accounts should be used. A user should be required to enter both a username and a password when authenticating. [Pg 23, Pg 24, Pg 42, Pg 43, Pg 45, Pg 65, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition]
System Administrator accounts should be used for administration purposes only. For day-to-day use, System Administrators should use standard user accounts. Members of the Backup Operators group should have unique accounts assigned for the purpose of backing up the system. They should have standard user accounts for daily use. [§ 3.2, § 5.7.1.7, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11]
System Administrators should be assigned standard user accounts for their daily non-administration tasks. Their System Administrator userIDs and passwords should be used only when they are performing administrative tasks. [§ 3.2, DISA Windows XP Security Checklist, Version 6 Release 1.11]
Each Administrator should have a separate standard account for his/her daily non-administrative tasks. [§ 3.1 (1.006), DISA Windows VISTA Security Checklist, Version 6 Release 1.11]
Other Configuration Guidance
§ 2.2 (WIR1100) A wireless e-mail device must be protected by authenticated login procedures to unlock it. Either Common Access Card (CAC) or Personal Identification Number (PIN) authentication is required.
When PIN authentication is used, the following procedures will be enforced:
− The device password/PIN is set to five or more characters. The system security policy must be configured to enforce this policy. If five characters are used, both a letter (lower or upper case) and a number must be used in all device passwords (the wireless email server must be configured to enforce this policy). If six or more characters are used, only numbers may be used for the password. It is recommended that eight or more characters be used.
− The number of incorrect passwords entered before a device wipe occurs is set to 10 or less. The system security policy must be configured to enforce this policy.
− The password is changed at least every 90 days. The system security policy must be configured to enforce this policy.
§ 3.4 Setting Up Certificate Store Password
The Sensa Server Installation Guide provides information on setting up the certificate password during the installation of the Management Server and the Mail Server. This management server password is also the Sensa Management Server data store encryption password. Both of these passwords are used to start the respective servers.
During setup of the Sensa system the following tasks should be completed:
- The certificate passwords should be compliant and maintained IAW DoDI 8500.2 and current JTF-GNO directives.
Note: CAC authentication should be used for all administrative passwords, if this capability is available. When not available, CTO 06-02, 17 January 2006 requires the following for passwords:
- Passwords will be set to a minimum of 9 characters.
- Passwords will contain a mix of at least two lowercase letters, two uppercase characters, two numbers, and two special characters.
In addition, JTF-GNO INFOCON 4 Alert Message, 16 November 2006, requires the following change during INFOCON Level 4:
- Passwords will be set to a minimum of 15 characters.
§ 3.5.1 Sensa Service Accounts
The Sensa Server Installation Guide provides information on setting up a Sensa Service Account on the organization’s domain controller. During setup of the Sensa system, the following tasks should be completed:
- The service account password should be compliant and maintained IAW DoDI 8500.2 and current JTF-GNO directives. See Paragraph 3.4 for specific requirements.
§ 3.5.2 Sensa Admin Accounts
The Sensa System Administration Guide provides information on setting up Sensa Admin accounts. During setup of the Sensa system, the following tasks should be completed:
- When the local machine login account is generated during the Sensa Management Server installation (sensaAdmin), the password for this account should be compliant and maintained IAW DoDI 8500.2 and current JTF-GNO directives. See Paragraph 3.4 for specific requirements. The default name on the local machine account should be changed. The local machine account should only be used by the Sensa administrator to perform server upgrades, software installs, or critical Sensa maintenance functions.
- DoD Administrative Accounts should implement CAC authentication whenever possible. Apriva supports CAC authentication for the local machine login account.
- Define specific roles for each type of Admin user (launch SMS, under Administration, select Roles/Add, then select only specific functions needed for that role).
- Create individual administrative accounts for each Sensa Admin (launch SMS, under Administration, select Administrative Users/Add):
o The password for this account should be compliant and maintained IAW DoDI 8500.2 and current JTF-GNO directives. See Paragraph 3.4 for specific requirements. To set up password rules for Admin accounts, launch SMS, under Administration select Security Policies, select the Administrator policy, and click Modify.
o Assign a role to each Admin account. Each account should be given the least permissions required for that job.
§ 3.5.3 Trust Digital Accounts
The Trust Digital Getting Started Guide provides information for setting up Admin Accounts for the Trust Digital components.
- Create a SQL database Admin Account during installation of the Trust Digital software. The password for this account should be compliant and maintained IAW DoDI 8500.2 and current JTF-GNO directives. See Paragraph 3.4 for specific requirements.
- After installation of the Trust Digital software, new administrative accounts should be set up for each system administrator. In addition, the default administrative account should be deleted. The password for each administrative account should be compliant and maintained IAW DoDI 8500.2 and current JTF-GNO directives. See Paragraph 3.4 for specific requirements.
NOTE: Trust Digital is expected to add CAC authentication to the Enterprise Console administrative accounts in a future release.
App B.2 Row “Admin Password”, located in Policy Manager/Password Settings: see Paragraph 3.4 of the checklist for password complexity requirements. [§ 2.2 (WIR1100), § 3.4, § 3.5.1 thru § 3.5.3, App B.2 Row “Admin Password”, DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2]
All communications devices and devices that access the network remotely must be protected by passwords. Passwords must, at a minimum, be created and maintained in accordance with DoD Instruction 8500.2. All Administrator passwords used on remote devices and other communications devices must be recorded by the Information Assurance Officer and stored in a secure manner. [§ 3, § 5.5, § 6, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2]
§ 2.2 (WIR2100) The Information Assurance Officer (IAO) will ensure the wireless email device is protected by authenticated login procedures to unlock the device. Either CAC or Password authentication is required. When Password authentication is used for wireless e-mail devices, the device password is set to five or more characters. The system security policy must be configured to enforce this policy. If five characters are used, both a letter (lower or upper case) and a number must be used in all device passwords (the wireless email server must be configured to enforce this policy). If six or more characters are used, only numbers may be used for the password. It is recommended that eight or more characters be used. The number of incorrect passwords entered before a device wipe occurs is set to 10 or less. The system security policy must be configured to enforce this policy. The password is changed at least every 90 days. The system security policy must be configured to enforce this policy.
§ 3.4.5 CAC authentication should be used for all Administrative passwords. If CAC authentication is not available, passwords for all Administrative accounts will be 15 characters in length, if supported. Otherwise the password must be the maximum length supported. Passwords will contain a mix of lowercase letters, uppercase letters, numbers, and special characters. At least one of each must be used.
App B.3 Row "Minimum Password Length", located under Policy Manager/Power-on Password, should be set to 6 or more. Note: 6 – 8 is the same as DoD CAC PIN requirement. Configuration setting not used with CAC device unlock. NSA recommendation is 8 or more character password.
App B.3 Row “Password Delay/Inactivity Timer”, located under Policy Manager/Power-on Password, should select Enable with a mark in the check box for “Request Password After X Minute(s)”. Select 15 or less for time.
App B.3 Row "Password Expiration", located under Policy Manager/Power-on Password, should be set to 90 days. Note: Only available with non-CAC PIN/password logon. Configuration setting not used with CAC device unlock.
App B.3 Row "Password Failure Action", located under Policy Manager/Power-on Password, should select Enable with a mark in the check box. Enter 10 or less for value. Select "Wipe All Data". [§ 2.2 (WIR2100), § 3.4.5, App B.3 Row "Minimum Password Length", App B.3 Row “Password Delay/Inactivity Timer”, App B.3 Row "Password Expiration", App B.3 Row "Password Failure Action", DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4]
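The DISA checklists quoted above describe three distinct password regimes that are easy to conflate when configuring or auditing a server: the device-unlock PIN rule of WIR1100/WIR2100 (five characters must mix a letter and a digit, six or more may contain digits only), the CTO 06-02 administrative rule from § 3.4 (nine or more characters with at least two of each character class, raised to fifteen characters at INFOCON 4), and the § 3.4.5 administrative rule of the Windows Mobile checklist (fifteen characters where supported, otherwise the product maximum, with at least one of each class). The Python below is an added example written for this page, not code from DISA or from any of the products named in the checklists. It assumes that "special character" means ASCII punctuation, that the INFOCON 4 alert raises only the length minimum and leaves the CTO 06-02 class-mix requirement in force, and the sample values at the bottom are constructed.

```python
"""Checkers for the three DISA password regimes quoted on this page.

Added example; assumptions: "special" = ASCII punctuation, INFOCON 4 keeps
the CTO 06-02 two-of-each-class rule and only raises the length floor.
"""
import string
from dataclasses import dataclass

SPECIAL = set(string.punctuation)  # assumption: what counts as a special character
CLASSES = ("lower", "upper", "digit", "special")


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str


def class_counts(pw: str) -> dict:
    """Count the four character classes the DISA rules refer to."""
    counts = {"lower": 0, "upper": 0, "digit": 0, "special": 0, "other": 0}
    for c in pw:
        if c in string.ascii_lowercase:
            counts["lower"] += 1
        elif c in string.ascii_uppercase:
            counts["upper"] += 1
        elif c in string.digits:
            counts["digit"] += 1
        elif c in SPECIAL:
            counts["special"] += 1
        else:
            counts["other"] += 1
    return counts


def check_device_pin(pin: str) -> Verdict:
    """WIR1100 / WIR2100 / WIR3100 / WIR0450 device-unlock password.

    Exactly five characters: a letter and a digit must both be present.
    Six or more characters: digits only (the rule most often mis-implemented).
    """
    n = len(pin)
    if n < 5:
        return Verdict(False, "fewer than 5 characters")
    if n == 5:
        counts = class_counts(pin)
        has_letter = counts["lower"] + counts["upper"] > 0
        if not (has_letter and counts["digit"] > 0):
            return Verdict(False, "5-character PIN needs a letter and a digit")
        return Verdict(True, "5 characters with a letter and a digit")
    if not all(c in string.digits for c in pin):
        return Verdict(False, "6+ character PIN must be digits only")
    return Verdict(True, f"digits only, {n} characters")


def check_admin_password(pw: str, infocon4: bool = False) -> Verdict:
    """CTO 06-02 administrative password: >= 9 characters, >= 2 of each class.

    infocon4=True applies the JTF-GNO INFOCON 4 change: minimum 15 characters.
    """
    minimum = 15 if infocon4 else 9
    if len(pw) < minimum:
        return Verdict(False, f"needs at least {minimum} characters, has {len(pw)}")
    counts = class_counts(pw)
    short = [k for k in CLASSES if counts[k] < 2]
    if short:
        return Verdict(False, "fewer than two of: " + ", ".join(short))
    return Verdict(True, "meets CTO 06-02" + (" at INFOCON 4" if infocon4 else ""))


def check_mobile_admin_password(pw: str, max_supported: int = 15) -> Verdict:
    """Windows Mobile checklist § 3.4.5: 15 characters if supported, otherwise
    the longest the product supports; at least one of each class."""
    required = min(15, max_supported)
    if len(pw) < required:
        return Verdict(False, f"needs at least {required} characters, has {len(pw)}")
    counts = class_counts(pw)
    missing = [k for k in CLASSES if counts[k] == 0]
    if missing:
        return Verdict(False, "missing class: " + ", ".join(missing))
    return Verdict(True, f"meets § 3.4.5 at {required} characters")


if __name__ == "__main__":
    # Constructed sample values, not taken from any checklist.
    for pin in ("1234", "a1b2c", "abcde", "123456", "abc123"):
        print(f"device PIN {pin!r}: {check_device_pin(pin)}")
    for pw in ("Abc123!!", "aaBB11!!x", "aaBB11!!xxxxxxx"):
        print(f"admin {pw!r}: {check_admin_password(pw)}; "
              f"INFOCON 4: {check_admin_password(pw, infocon4=True)}")
    print(check_mobile_admin_password("aB1!aB1!aB1!", max_supported=12))
```

Each checker returns a `Verdict` with the failing rule named, so the same functions can back both an enrollment-time policy check and an audit script that reads a policy export; the device-PIN check in particular rejects `abc123`, which passes most generic complexity filters but violates the digits-only rule for six or more characters.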
PDAs and Smart phones should use either CAC or PIN authentication to unlock the device. If PIN authentication is used, the number of incorrect passwords before a device wipe occurs should be set to 10 or less; passwords should be changed at least once every 90 days; and the PIN should be set to 5 or more characters (8 or more is recommended). If 5 characters are used, the PIN should include a letter and number. If 6 or more characters are used, only numbers should be used.
Interview the Information Assurance Officer (IAO) and the Security Administrator to verify that PIN or CAC authentication is used, and if PIN authentication is used, verify it is configured correctly. [§ 5 (WIR0450), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2]
§ 2.2 (WIR3100) The Information Assurance Officer (IAO) will ensure the wireless email device is protected by authenticated login procedures to unlock the device. Either CAC or Password authentication is required. When Password authentication is used for wireless e-mail devices, the device password is set to five or more characters. The system security policy must be configured to enforce this policy. If five characters are used, both a letter (lower or upper case) and a number must be used in all device passwords (the wireless email server must be configured to enforce this policy). If six or more characters are used, only numbers may be used for the password. It is recommended that eight or more characters be used. The number of incorrect passwords entered before a device wipe occurs is set to 10 or less. The system security policy must be configured to enforce this policy. The password is changed at least every 90 days. The system security policy must be configured to enforce this policy.
App B.1 Row “Require Password” under Password Tab, should be checked.
App B.1 Row “S/MIME Password Type” under Password Tab, select either “Normal” or “User CAC PIN and require CAC”.
App B.1 Row “Prevent Previously used Passwords” under Password Tab - Password Restrictions, should be set to 3 or more.
App B.1 Row “Restrict Use of repeated characters” under Password Tab - Password Restrictions, should be set to 1 or 2 characters.
§ 2.2 (WIR3250) All required wireless e-mail server and device configuration should be implemented.
App B.1 Row “Disallow PIN after first time use” under OTA Tab - PIN, should be checked. [§ 2.2 (WIR3100), App B.1 Row “Require Password”, App B.1 Row “S/MIME Password Type”, App B.1 Row “Prevent Previously used Passwords”, App B.1 Row “Restrict Use of repeated characters”, § 2.2 (WIR3250), App B.1 Row “Disallow PIN after first time use”, DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3]
ISO Guidance
The system should be able to verify that user-generated secrets (for example, passwords) meet the organization's defined standards. The system also should be able to generate secrets that meet the defined standards and be able to provide a list of functions, such as a password-based authentication system, that must use the secret to operate. [§ 12.3, § G.3, ISO/IEC 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008]
A formal process should be in place for the granting and revoking of access to information systems. The access control procedures should include issuing unique IDs; checking the level of access; giving users a written statement of their rights; requiring users to sign a statement that they understand their rights; maintaining a record of who has access; and periodically checking and removing redundant user IDs. [§ 11.2.1, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]
A formal procedure should be in place describing the password distribution process when the organization requires personnel to use passwords. [Annex A.11.2.3, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]
A formal process should be in place for the granting and revoking of access to information systems. The access control procedures should include issuing unique IDs; checking the level of access; giving users a written statement of their rights; requiring users to sign a statement that they understand their rights; maintaining a record of who has access; and periodically checking and removing redundant user IDs. [§ 11.2.1, ISO/IEC 27002 Code of practice for information security management, 2005]
¶ 8.2.2(1-4) Logical Access Control and Audit. An organization should implement safeguards to enforce access control and audit. Safeguards in this area should be implemented to
• restrict access to information, computers, networks, applications, system resources, files and programs, and
• record details of error and user actions in audit trails and analyze the details recorded, in order to detect and handle security breaches in an appropriate manner.
A common means to enforce access control is to use the I&A (Identification & Authentication) details linked to access control lists defining what files, resources, etc. a user is permitted to access, and what form that access can take. Safeguards in the area of logical access control and audit are listed below.
1. Access Control Policy
For each user or group of users, there should be a clearly defined access control policy. This policy should grant access rights according to the business requirements, such as availability, productivity and the 'need to know' principle. The general idea should be: 'as many rights as necessary, as few rights as possible'. The allocation of access rights should take into account the organization’s approach to security (for example, open or restrictive) and culture to fulfill business needs and gain user acceptance.
2. User Access to Computers
Access control to computers is applied to prevent any unauthorized access to a computer. It should be possible to identify and verify the identity of each authorized user, with both successful and unsuccessful attempts logged. Computer access control can be aided by passwords, or by any other I&A (Identification & Authentication) method.
3. User Access to Data, Services and Applications
Access control should be applied to protect the data and services on a computer or within a network from unauthorized access. This can be done with help of appropriate I&A (Identification & Authentication) mechanisms, the appropriate interfaces between networked services, and the configuration of the network which ensures that only authorized access to IT services can take place (restrictive allocation of rights). To prevent unauthorized access to applications, role-based access control that allows access according to the business functions of the users, should be introduced.
4. Reviewing and Updating Access Rights
All access rights given to users should be reviewed regularly and updated if the security or business needs for access have changed. Privileged access rights should be reviewed more frequently to ensure that they are not misused. Access rights should be withdrawn immediately if they are no longer necessary.
¶ 9.2 Table Row “User Access to Data, Services and Applications” in safeguard Logical Access Control and Audit should be implemented under normal circumstances for Stand-alone Workstations, Workstations (Client without Shared Resources) Connected to a Network, and Servers or Workstations with Shared Resources Connected to a Network. [¶ 8.2.2(1-4), ¶ 9.2 Table Row “User Access to Data, Services and Applications”, ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]
ITIL Guidance
[§ 4.2, OGC ITIL: Security Management]
General Guidance
The access procedures should include procedures for granting system access privileges and permissions. [ID 8.2.2.d, AICPA/CICA Privacy Framework]
The registration and authorization process for new users and for updating or modifying user profiles should restrict logical access to the system. [¶ .17 § 3.1.a, ¶ .17 § 3.1.c, ¶ .20 § 3.4.a, ¶ .20 § 3.4.c, ¶ .24 § 3.5.a, ¶ .24 § 3.5.c, ¶ .29 § 3.4.a, ¶ .29 § 3.4.c, AICPA Suitable Trust Services Principles and Criteria]
The organization should ensure that requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are addressed by user account management. An approval procedure outlining the data or system owner granting the access privileges should be included. These procedures should apply for all users, including administrators (privileged users), internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information are contractually arranged for all types of users. Perform regular management review of all accounts and related privileges. [DS5.4, CobiT, Version 4.1]
The identity and access management policy should provide measures for authorizing and administering user access privileges consistently throughout the organization. [SM4.4.4(c), SM4.4.4(d), The Standard of Good Practice for Information Security]
Asia and Pacific Rim Guidance
The use of privileged accounts should be kept to a minimum. User account management should be used to promote and maintain the security of the system. [§ 2.7.38, § 3.6.21, Australian Government ICT Security Manual (ACSI 33)]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
