UCF ID: 00551
Control Type: Process or Activity
Status: Live
Supporting and supported controls
This control directly supports:
• Technical security [UCF Control ID 00508]
This control has the following supporting controls:
• Enforce assigned authorizations for system access and separate user functionality from system management functionality. [UCF Control ID 00558]
• Ensure accounts and stored information are segregated from operating system access. [UCF Control ID 00552]
• Use sign-on authentication management techniques. [UCF Control ID 00553]
Authority documents complied with:
FFIEC IT Examination Handbook – Information Security, Pg 47; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 8-613.a; CobiT, Version 4.1, AI3.2; ISO/IEC 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008, § 13.6, § H.6
Banking and Finance Guidance
The organization should restrict access to sensitive resources and be able to protect data at the program, file, record, or field level. [Pg 47, FFIEC IT Examination Handbook – Information Security]
US Federal Security Guidance
Only authorized personnel must be able to access the software, hardware, and/or firmware that performs security or systems functions. [§ 8-613.a, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]
ISO Guidance
A list of all security management functions that the system can provide should be compiled. These security management functions include backup and recovery, allowing Administrators to define security-related parameters, and functions performed by operators for the continued operation of the product. [§ 13.6, § H.6, ISO/IEC 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008]
General Guidance
The organization should implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated. [AI3.2, CobiT, Version 4.1]
Metrics
The metrics associated with this control are as follows:
• Report on the percentage of systems and applications where assignment of user and administration privileges is in compliance with the policy that specifies role-based information access privileges. [UCF Control ID 02096]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
