Application and object access and separation enforcement

Status: Live

The organization will ensure that the information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy, separating user functionality from system management functionality. [UCF ID 00558]

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

FFIEC IT Examination Handbook – Information Security, Pg 48; Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources, § A.3(3)(b)(2)(a); FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; GAO/PCIE Financial Audit Manual (FAM), § 295F.05; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.15, Exhibit 4 SC-2; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.12.1, § 3.12.2; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, AC-3, SC-2 thru SC-4; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, AC-3, SC-2, SC-3, SC-3(1), SC-3(2), SC-3(3), SC-3(4), SC-3(5), SC-4; CobiT 4.1, AI3.2; OGC ITIL: Security Management, § 4.2.4.2; Archer Control Table, ATCS-583

Banking and Finance Guidance

Operating system access should be segregated to limit full or root level access to the system. [Pg 48, FFIEC IT Examination Handbook – Information Security]

US Federal Security Guidance

An application security plan should be implemented, planning for the adequate security of each major application that is operating within the system. Access rules should be as stringent as possible to provide adequate security for the application and the information in it. [§ A.3(3)(b)(2)(a), Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources]

FIPS 200 calls for Access Control (AC): organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems), and to the types of transactions and functions that authorized users are permitted to exercise. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Federal Information Systems, March 2006]

Application controls should be incorporated directly into individual computer applications to provide reasonable assurance of accurate and reliable processing. Application controls address three major operations—data input, data processing and data output. [§ 295F.05, GAO/PCIE Financial Audit Manual (FAM)]

US Internal Revenue Guidance

The organization must ensure the front end interface of the system is separated from the back end processing and data storage. [§ 5.6.15, Exhibit 4 SC-2, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

[§ 3.12.1, § 3.12.2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]

AC-3 states that the information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy.
Access control policies (e.g., identity-based policies, role-based policies, rule-based policies) and associated access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) are employed by organizations to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system. In addition to controlling access at the information system level, access enforcement mechanisms are employed at the application level, when necessary, to provide increased information security for the organization. Consideration is given to the implementation of a controlled, audited, and manual override of automated mechanisms in the event of emergencies or other serious events. If encryption of stored information is employed as an access enforcement mechanism, the cryptography used is FIPS 140-2 (as amended) compliant.
SC-2 states that the information system should separate user functionality (including user interface services) from information system management functionality. The information system should therefore physically or logically separate user interface services (e.g., public web pages) from information storage and management services (e.g., database management). Separation may be accomplished through the use of different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods as appropriate.
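The following is an added example, not text or code from the UCF page or from NIST SP 800-53: a small reference monitor that shows AC-3 and SC-2 working together. A role-based policy and a per-object ACL are both consulted before an operation is allowed, the management object types (configuration, accounts) are refused whenever the request arrives through the user-facing interface rather than the management interface, and the emergency override is explicit (a ticket), restricted to administrators on the management interface, and written to the audit trail like every other decision. The role names, object kinds, interface labels, and the sample subjects and objects in demo() are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Role-based policy: (object kind, operation) pairs each role may exercise.
# Constructed for this example; a real deployment derives these from its access policy.
ROLE_POLICY = {
    "user":    {("record", "read"), ("record", "write")},
    "auditor": {("record", "read"), ("audit_log", "read")},
    "admin":   {("config", "read"), ("config", "write"), ("account", "write")},
}

# SC-2: system management functionality is reachable only via the management
# interface, never via the user interface service (e.g. the public web front end).
MANAGEMENT_KINDS = {"config", "account"}


@dataclass
class Subject:
    name: str
    roles: set


@dataclass
class Obj:
    name: str
    kind: str
    # Identity-based ACL: subject name -> operations granted. None means the
    # object carries no per-object ACL and the role policy alone governs it.
    acl: Optional[dict] = None


@dataclass
class Request:
    subject: Subject
    obj: Obj
    op: str
    interface: str                       # "public" or "mgmt" (assumed labels)
    override_ticket: Optional[str] = None  # set only for a manual emergency override


class ReferenceMonitor:
    """Single choke point that every access passes through (AC-3 enforcement)."""

    def __init__(self):
        self.audit = []  # (subject, op, object, interface, decision, reason)

    def decide(self, r: Request) -> bool:
        decision, reason = self._evaluate(r)
        self.audit.append((r.subject.name, r.op, r.obj.name, r.interface, decision, reason))
        return decision

    def _evaluate(self, r: Request):
        # SC-2 partition check comes first: the interface a request arrived on
        # decides whether management objects are even in scope.
        if r.obj.kind in MANAGEMENT_KINDS and r.interface != "mgmt":
            return False, "management function requested via user interface"
        # Controlled, audited manual override: explicit ticket, admin role,
        # management interface only. It bypasses the ACL, not the partition.
        if r.override_ticket is not None:
            if "admin" in r.subject.roles and r.interface == "mgmt":
                return True, "emergency override " + r.override_ticket
            return False, "override refused"
        # Role-based policy: at least one of the subject's roles must grant the op.
        if not any((r.obj.kind, r.op) in ROLE_POLICY.get(role, set())
                   for role in r.subject.roles):
            return False, "no role grants operation"
        # Identity-based ACL on the object, when the object carries one.
        if r.obj.acl is not None and r.op not in r.obj.acl.get(r.subject.name, set()):
            return False, "subject not on object ACL"
        return True, "authorized"


def demo():
    """Constructed scenario: two users, one administrator, a record and a config file."""
    alice = Subject("alice", {"user"})
    bob = Subject("bob", {"user"})
    root = Subject("root", {"admin"})
    alice_rec = Obj("rec-1", "record", acl={"alice": {"read", "write"}})
    cfg = Obj("system.cfg", "config")
    rm = ReferenceMonitor()
    results = {
        "alice_reads_own_record":   rm.decide(Request(alice, alice_rec, "read", "public")),
        "bob_reads_alice_record":   rm.decide(Request(bob, alice_rec, "read", "public")),
        "alice_writes_config_mgmt": rm.decide(Request(alice, cfg, "write", "mgmt")),
        "root_writes_config_public": rm.decide(Request(root, cfg, "write", "public")),
        "root_writes_config_mgmt":  rm.decide(Request(root, cfg, "write", "mgmt")),
        "root_reads_record_no_ticket": rm.decide(Request(root, alice_rec, "read", "mgmt")),
        "root_reads_record_override": rm.decide(
            Request(root, alice_rec, "read", "mgmt", override_ticket="INC-42")),
    }
    return results, rm.audit


if __name__ == "__main__":
    decisions, trail = demo()
    for name, allowed in decisions.items():
        print(f"{name:30s} {'ALLOW' if allowed else 'DENY'}")
    for entry in trail:
        print(entry)
```

Two points the passage makes are visible in the decisions: an administrator who is otherwise fully privileged is still denied a management operation when it arrives over the public interface, because SC-2 separation is enforced independently of AC-3 authorization; and the emergency override succeeds only with an explicit ticket and leaves a distinguishable audit record, which is what "controlled, audited, and manual" requires.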
SC-3 states that the information system should isolate security functions from non-security functions. The information system isolates security functions from non-security functions by means of partitions, domains, etc., including control of access to, and integrity of, the hardware, software, and firmware that perform those security functions. The information system maintains a separate execution domain (e.g., address space) for each executing process.
1. The information system employs underlying hardware separation mechanisms to facilitate security function isolation.
2. The information system further divides the security functions with the functions enforcing access and information flow control isolated and protected from both non-security functions and from other security functions.
3. The information system minimizes the amount of non-security functions included within the isolation boundary containing security functions.
4. The information system maintains its security functions in largely independent modules that avoid unnecessary interactions between modules.
5. The information system maintains its security functions in a layered structure minimizing interactions between layers of the design.
SC-4 points out that the information system should prevent unauthorized and unintended information transfer via shared system resources. Control of information system remnants, sometimes referred to as object reuse, prevents information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after that resource has been released back to the information system.
[AC-3, SC-2 thru SC-4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]
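The following is an added example, not text or code from the UCF page or from NIST SP 800-53, illustrating the SC-4 information remnant (object reuse) defect and its fix on one shared resource. A pool hands fixed-size buffers to successive users; with sanitize=False a buffer is returned to the pool exactly as the prior user left it, so the next user who acquires it can read the prior user's data without ever writing to it. With sanitize=True the pool overwrites the buffer in place on release, before it becomes available again. The pool class, the "tax-return" sample data, and the two users are constructed for this example.

```python
class BufferPool:
    """Fixed-size buffers shared by successive users (stands in for registers,
    pages or disk blocks released back to the system). sanitize controls whether
    a released buffer is cleared before it can be handed to the next user."""

    def __init__(self, size: int, count: int, sanitize: bool):
        self.size = size
        self.sanitize = sanitize
        self._free = [bytearray(size) for _ in range(count)]

    def acquire(self) -> bytearray:
        # Returns whatever is on the free list; nothing is cleared here, which is
        # why release() must be the place that removes remnants.
        return self._free.pop()

    def release(self, buf: bytearray) -> None:
        if self.sanitize:
            # Overwrite in place. bytearray is mutable, so the same storage the
            # prior user wrote into is zeroed, not a fresh copy.
            buf[:] = bytes(len(buf))
        self._free.append(buf)


def remnant_visible(sanitize: bool) -> bool:
    """Simulate user A writing sensitive data, releasing the resource, and user B
    acquiring the same resource. Returns True when B can read A's data."""
    pool = BufferPool(size=32, count=1, sanitize=sanitize)
    secret = b"tax-return:SSN=123-45-6789"  # constructed sample, not real data

    # Prior user/role writes into the shared resource and releases it.
    buf_a = pool.acquire()
    buf_a[:len(secret)] = secret
    pool.release(buf_a)

    # Current user/role obtains the same resource and reads without writing.
    buf_b = pool.acquire()
    return bytes(buf_b[:len(secret)]) == secret


def remnant_bytes(sanitize: bool) -> int:
    """Count non-zero bytes the current user sees in a freshly acquired buffer."""
    pool = BufferPool(size=32, count=1, sanitize=sanitize)
    buf_a = pool.acquire()
    buf_a[:] = b"\xff" * 32
    pool.release(buf_a)
    buf_b = pool.acquire()
    return sum(1 for b in buf_b if b != 0)


if __name__ == "__main__":
    print("unsanitized pool leaks prior data:", remnant_visible(False))
    print("sanitized pool leaks prior data:  ", remnant_visible(True))
    print("remnant bytes without/with sanitize:",
          remnant_bytes(False), remnant_bytes(True))
```

Two caveats a practitioner should carry over from this toy to real systems. First, the control text includes "encrypted representations of information": zeroing a plaintext buffer does nothing for a ciphertext copy the prior user left elsewhere, so every shared resource on the release path needs the same treatment. Second, clearing only works when it hits the original storage; in this example that is guaranteed because bytearray is overwritten in place, whereas an immutable object (the `secret` bytes object here, for instance) cannot be scrubbed at all and lives until the runtime reclaims it.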

Organizational records and documents should be examined to ensure that:

    user access and privileges are authorized;
    the system is configured correctly to enforce the access control policy;
    access to the system is controlled on a continual basis;
    user functionality is separated by physical and/or logical means from the system management functionality;
    security functions are isolated from non-security functions;
    the system uses hardware mechanisms to isolate the security functions;
    critical security functions are separated from non-security and other security functions;
    security functions are maintained in independent modules and avoid unnecessary interactions;
    security functions are designed in a layered structure;
    non-security functions are minimized in the isolation boundary of security functions;
    unauthorized or unintended information transfer via shared system resources is prohibited;
    specific responsibilities and actions are defined for the implementation of the access enforcement control, the application partitioning control, the information remnants control, and the security function isolation control.

Any problems discovered during the implementation of the access enforcement control, the application partitioning control, the information remnants control, and the security function isolation control should be documented and used to improve the controls.
Interviews should be conducted with personnel who have responsibilities for ensuring access enforcement controls are implemented and operating correctly, personnel who developed the system, and personnel with system and communications protection responsibilities.
[AC-3, SC-2, SC-3, SC-3(1), SC-3(2), SC-3(3), SC-3(4), SC-3(5), SC-4, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

ITIL Guidance

[§ 4.2.4.2, OGC ITIL: Security Management]

General Guidance

The organization should implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated. [AI3.2, CobiT 4.1]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of user roles, systems, and applications that comply with the separation of duties principle [UCF Control ID 01689]
    Report on the percentage of systems and applications where the assignment of user and administration privileges is in compliance with the policy that specifies role-based information access privileges [UCF Control ID 02096]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.