Operating system access management

Status: Live

The organization will secure access to the operating systems of all system components by securing access to system utilities, restricting privileged access, logging access to sensitive resources, and limiting other logical and physical access. [UCF ID 00551]

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

Authority documents complied with:

AICPA SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Controls, § 319.18; FFIEC IT Examination Handbook – Information Security, Pg 47; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 8-613.a; CobiT 4.1, AI3.2; ISO/IEC 15408-2:2008 Common Criteria for Information Technology Security Evaluation Part 2, 2008, § 13.6, § H.6

Sarbanes Oxley Guidance

[§ 319.18, AICPA SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Controls]

Banking and Finance Guidance

The organization should restrict access to sensitive resources and be able to protect data at the program, file, record, or field level. [Pg 47, FFIEC IT Examination Handbook – Information Security]

US Federal Security Guidance

Only authorized personnel must be able to access the software, hardware, and/or firmware that performs security or systems functions. [§ 8-613.a, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

ISO Guidance

A list of all security management functions that the system can provide should be compiled. These security management functions include backup and recovery, allowing Administrators to define security-related parameters, and functions performed by operators for the continued operation of the product. [§ 13.6, § H.6, ISO/IEC 15408-2:2008 Common Criteria for Information Technology Security Evaluation Part 2, 2008]

General Guidance

The organization should implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated. [AI3.2, CobiT 4.1]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of systems and applications where the assignment of user and administration privileges is in compliance with the policy that specifies role-based information access privileges [UCF Control ID 02096]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.