Application and object access and separation enforcement


The organization will ensure that the information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy, separating user functionality from system management functionality. [UCF ID 00558]

Supporting and supported controls

This control directly supports:

Operating system access management [UCF Control ID 00551]

This control has the following supporting controls:

There are no supporting controls.

Authority documents complied with:

FFIEC IT Examination Handbook – Information Security Pg 48; CobiT 4.1 AI3.2; The Standard of Good Practice for Information Security CB3; ISO 17799:2000, Code of Practice for Information Security Management § 9.6; OGC ITIL: Security Management 4.2.4.2; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14 § 3.12.1-2; Recommended Security Controls for Federal Information Systems, NIST SP 800-53 AC-3, SC-2 thru 4; Guide for Assessing the Security Controls in Federal Information Systems, NIST 800-53A § AC-3, SC-2, SC-3, SC-3(1), SC-3(2), SC-3(3), SC-3(4), SC-3(5), SC-4; Clinger-Cohen Act (Information Technology Management Reform Act) A-130.III.A.3(3)(b)(2)(a); GAO Financial Audit Manual 295 F .05; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems § 3; DoD 5220.22-M, National Industrial Security Program Operating Manual § 8-6-6.b(1)

Banking and Finance Guidance

The FFIEC IT Examination Handbook – Information Security Pg 48 states that operating system access should be segregated to limit full or root level access to the system.

US Federal Security Guidance

The Clinger-Cohen Act A-130.III.A.3(3)(b)(2)(a) calls for an application security plan that provides for the adequate security of each major application operating within the system. Access rules should be as stringent as possible to provide adequate security for the application and the information in it.

The GAO Financial Audit Manual 295 F .05 states that application controls should be incorporated directly into individual computer applications to provide reasonable assurance of accurate and reliable processing. Application controls address three major operations—data input, data processing and data output.

FIPS Publication 200, § 3 Specifications for Minimum Security Requirements calls for Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.

FIPS 200 § 3 Specifications for Minimum Security Requirements also calls for System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.

The DoD 5220.22-M, National Industrial Security Program Operating Manual (NISPOM) § 8-6-6.b(1) states that the IS shall store and preserve the integrity of the sensitivity of all information internal to the IS through discretionary access controls. A system has implemented discretionary access controls when the security support structure defines and controls access between named users and named objects (e.g., files and programs) in the system. The discretionary access control policy includes administrative procedures to support the policy and its mechanisms.

NIST Guidance

NIST 800-53 AC-3 states that the information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy.

Access control policies (e.g., identity-based policies, role-based policies, rule-based policies) and associated access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) are employed by organizations to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system. In addition to controlling access at the information system level, access enforcement mechanisms are employed at the application level, when necessary, to provide increased information security for the organization. Consideration is given to the implementation of a controlled, audited, and manual override of automated mechanisms in the event of emergencies or other serious events. If encryption of stored information is employed as an access enforcement mechanism, the cryptography used is FIPS 140-2 (as amended) compliant.
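The following is an added illustration of the AC-3 enforcement mechanism described above, written for this page and not taken from the UCF control text, NIST SP 800-53, or any real product. It models a small access control matrix that combines an identity-based policy (entries naming a user directly) with a role-based policy (entries naming a role, resolved through a membership table), denies everything not explicitly granted, and counts denials so they can be audited. All user names, role names, object paths and rights are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Rights on an object, as a bitmask (constructed for this example). */
enum { RIGHT_READ = 1u << 0, RIGHT_WRITE = 1u << 1, RIGHT_EXEC = 1u << 2 };

/* One entry of the access control matrix: a subject (a user or a role)
 * holds `rights` on a named object. */
struct ace {
    const char *subject;
    const char *object;
    unsigned rights;
};

/* Role membership: the identity-based part of the policy resolves users to roles. */
struct membership {
    const char *user;
    const char *role;
};

/* Constructed sample policy; names and paths are illustrative only. */
static const struct ace MATRIX[] = {
    { "alice",    "/app/reports.db", RIGHT_WRITE },               /* granted to a user */
    { "analyst",  "/app/reports.db", RIGHT_READ },                /* granted to a role */
    { "analyst",  "/app/export",     RIGHT_EXEC },
    { "sysadmin", "/etc/app.conf",   RIGHT_READ | RIGHT_WRITE },
};

static const struct membership ROLES[] = {
    { "alice", "analyst" },
    { "bob",   "analyst" },
    { "carol", "sysadmin" },
};

static unsigned g_denied = 0;   /* audit counter for denied requests */

unsigned ac3_denied_count(void) { return g_denied; }

/* Effective rights of `user` on `object`: the union of the user's own entries
 * and the entries of every role the user holds. No entry means no rights. */
unsigned ac3_effective_rights(const char *user, const char *object)
{
    unsigned rights = 0;
    size_t nm = sizeof MATRIX / sizeof MATRIX[0];
    size_t nr = sizeof ROLES / sizeof ROLES[0];
    for (size_t i = 0; i < nm; i++) {
        if (strcmp(MATRIX[i].object, object) != 0) continue;
        if (strcmp(MATRIX[i].subject, user) == 0) rights |= MATRIX[i].rights;
        for (size_t j = 0; j < nr; j++)
            if (strcmp(ROLES[j].user, user) == 0 &&
                strcmp(ROLES[j].role, MATRIX[i].subject) == 0)
                rights |= MATRIX[i].rights;
    }
    return rights;
}

/* Enforcement point: returns 1 only if every bit of `wanted` is held.
 * Anything not explicitly granted is denied, and each denial is logged
 * so the decision can be audited later. */
int ac3_check(const char *user, const char *object, unsigned wanted)
{
    if (wanted != 0 && (ac3_effective_rights(user, object) & wanted) == wanted)
        return 1;
    g_denied++;
    fprintf(stderr, "DENY user=%s object=%s wanted=0x%x\n", user, object, wanted);
    return 0;
}

int main(void)
{
    printf("alice write reports.db: %d\n", ac3_check("alice", "/app/reports.db", RIGHT_WRITE));
    printf("bob write reports.db:   %d\n", ac3_check("bob", "/app/reports.db", RIGHT_WRITE));
    printf("denied so far: %u\n", ac3_denied_count());
    return 0;
}
```

The matrix is deliberately the only place rights are defined: the enforcement function never infers a grant from a name, a path prefix or the absence of a rule, which is what keeps the default-deny property of the mechanism intact as the policy grows.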

SC-2 states that the information system should separate user functionality (including user interface services) from information system management functionality. The information system should therefore physically or logically separate user interface services (e.g., public web pages) from information storage and management services (e.g., database management). Separation may be accomplished through the use of different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods as appropriate.

Furthermore, SC-3 states that the information system should isolate security functions from non-security functions. The information system isolates security functions from non-security functions by means of partitions, domains, etc., including control of access to, and integrity of, the hardware, software, and firmware that perform those security functions. The information system maintains a separate execution domain (e.g., address space) for each executing process. The numbered enhancements SC-3(1) through SC-3(5) that follow refine this requirement:

1. The information system employs underlying hardware separation mechanisms to facilitate security function isolation.

2. The information system further divides the security functions with the functions enforcing access and information flow control isolated and protected from both non-security functions and from other security functions.

3. The information system minimizes the amount of non-security functions included within the isolation boundary containing security functions.

4. The information system maintains its security functions in largely independent modules that avoid unnecessary interactions between modules.

5. The information system maintains its security functions in a layered structure that minimizes interactions between layers of the design.

Finally, SC-4 points out that the information system should prevent unauthorized and unintended information transfer via shared system resources. Control of information system remnants, sometimes referred to as object reuse, prevents information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after that resource has been released back to the information system.
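The following is an added example of the SC-4 object reuse problem and its remedy, written for this page and not taken from the UCF control text or NIST SP 800-53. A small pool of fixed-size blocks stands in for a shared system resource (registers, main memory, secondary storage). One release path hands a block back with its prior contents intact, so the next user who acquires it can read a remnant; the other clears the block before it becomes reusable, using a volatile write loop so the compiler cannot discard the clearing as a dead store. The pool size, block size and the "session-token" payload are constructed values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 64
#define NUM_BLOCKS 4

/* Constructed shared resource: fixed-size blocks handed to successive users. */
static unsigned char pool[NUM_BLOCKS][BLOCK_SIZE];
static int in_use[NUM_BLOCKS];

/* Zero memory through a volatile pointer so the compiler cannot drop the
 * stores as "dead" just because the block is about to be released. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Hand out the first free block; returns NULL if the pool is exhausted. */
unsigned char *pool_acquire(void)
{
    for (int i = 0; i < NUM_BLOCKS; i++) {
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    }
    return NULL;
}

static int block_index(const unsigned char *b)
{
    for (int i = 0; i < NUM_BLOCKS; i++) if (b == pool[i]) return i;
    return -1;
}

/* Unsanitized release: the block returns to the free list with its prior
 * contents intact, which is exactly the information remnant SC-4 forbids. */
void pool_release_unsanitized(unsigned char *b)
{
    int i = block_index(b);
    if (i >= 0) in_use[i] = 0;
}

/* SC-4 style release: contents are cleared before the block is reusable. */
void pool_release(unsigned char *b)
{
    int i = block_index(b);
    if (i < 0) return;
    secure_zero(b, BLOCK_SIZE);
    in_use[i] = 0;
}

/* Returns 1 if any byte of a freshly acquired block is non-zero. */
int block_has_remnant(const unsigned char *b)
{
    for (size_t i = 0; i < BLOCK_SIZE; i++) if (b[i]) return 1;
    return 0;
}

/* Scenario: a prior user stores data and releases the block; the next user
 * acquires the same block. With sanitized == 0 the unsanitized path is used.
 * Returns 1 if a remnant was visible to the second user, 0 if not. */
int remnant_leaks(int sanitized)
{
    const char secret[] = "session-token-XYZ";   /* constructed sensitive data */
    unsigned char *b = pool_acquire();
    if (!b) return -1;
    memcpy(b, secret, sizeof secret);
    if (sanitized) pool_release(b); else pool_release_unsanitized(b);

    unsigned char *again = pool_acquire();
    int leaked = block_has_remnant(again);
    pool_release(again);   /* always sanitize on the way out */
    return leaked;
}

int main(void)
{
    printf("remnant after unsanitized release: %d\n", remnant_leaks(0));
    printf("remnant after sanitized release:   %d\n", remnant_leaks(1));
    return 0;
}
```

The same pattern applies to any resource a system recycles between users or processes: the sanitization must happen at release time, before the resource is marked free, and must be done in a way the optimizer cannot elide (here a volatile loop; platform-specific equivalents such as memset_s or explicit_bzero serve the same purpose where available).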

International Standards Organization Guidance

ISO 17799 § 9.6 has a wealth of information on application access. It calls for a defined business access control policy to define and monitor user access to applications. Operating system software should provide protection from unauthorized use. The security of other systems with which resources are shared should not be compromised by the application system. Finally, the sensitivity of an application system should be explicitly identified and documented by the application owner.

Metrics

The metrics associated with this control are as follows:

• Metric Reporting Standard 01689.doc
• Metric Reporting Standard 02096.doc