Ensure procedures for continuous monitoring and control of all access to data are included in the security policy.

UCF ID: 01361
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

FFIEC IT Examination Handbook – Information Security, Pg 22; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1, § 12.5.5; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § AC-1(a), App F § AC-1(b); Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, AC-1.6; The Standard of Good Practice for Information Security, CB2.2.2, UE5.2.2(d), UE5.3.2(d), UE5.4.3(d), UE5.4.5, UE5.5.2(d), UE5.6.2(d); ISO/IEC 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008, § 11.13, § F.13; Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts, § 17.03(3)10, § 17.04(4); Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control, Pg 22, Pg 25; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 12.5.5; Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, Final Rule, November 9, 2007, § 41.82(c)(1), § 41.82(d)(1), § 222.82(c)(1), § 222.82(d)(1), § 334.82(c)(1), § 334.82(d)(1), § 571.82(c)(1), § 571.82(d)(1), § 681.1(c)(1), § 681.1(d)(1), § 717.82(c)(1), § 717.82(d)(1); FTC FACT Act Red Flags Rule Template, July 1, 2009, § III.; AICPA Red Flag Rule Identity Theft Prevention Program, November 1, 2009, § III; Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress, § 302(a)(4)(B)(v); ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.2.2(1-4), ¶ 10.3.4

Sarbanes Oxley Guidance

The organization should develop procedures for the regular monitoring of all activities to ensure the controls are operating correctly. [Pg 22, Pg 25, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]

Banking and Finance Guidance

The security policy should contain access rights to system resources and how those rights are administered. [Pg 22, FFIEC IT Examination Handbook – Information Security]

Payment Card Guidance

The organization must ensure all access to data is monitored and controlled.
Verify the responsibility for monitoring and controlling all access to data has been formally assigned in the information security policies and procedures.
[§ 12.5.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1]

The organization must ensure all access to data is monitored and controlled. [§ 12.5.5, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]

US Federal Security Guidance

Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]

Consumer report users must develop and implement policies and procedures that are reasonable to ensure that the user can reasonably believe that the consumer report he/she receives relates to the consumer that was requested when a notice of address discrepancy is received by the user. Consumer report users must develop and implement policies and procedures that are reasonable to furnish a consumer's address that it has reasonably confirmed to be accurate to the consumer reporting agency that it receives a notice of address discrepancy report from when the user has a continuing relationship with the consumer, reasonably believes the consumer report relates to the consumer, and regularly furnishes information to the consumer reporting agency. [§ 41.82(c)(1), § 41.82(d)(1), § 222.82(c)(1), § 222.82(d)(1), § 334.82(c)(1), § 334.82(d)(1), § 571.82(c)(1), § 571.82(d)(1), § 681.1(c)(1), § 681.1(d)(1), § 717.82(c)(1), § 717.82(d)(1), Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, Final Rule, November 9, 2007]

Describe how the Identity Theft Protection Program relates to your firm’s other programs to protect customer data. [§ III., FTC FACT Act Red Flags Rule Template, July 1, 2009]

US Federal Privacy Guidance

Measures appropriate to the sensitivity of the data and the size, scope, and complexity of the business entity's activities must be developed to trace all access to records that contain sensitive personally identifiable information in order for the business entity to be able to determine who acquired or accessed sensitive personally identifiable information that pertains to a specific individual. [§ 302(a)(4)(B)(v), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress]

NIST Guidance

App F § AC-1(a) The organization should develop, document, disseminate, and periodically review and update an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination within the organization, and compliance.
App F § AC-1(b) The organization should develop and document procedures to implement and monitor the access control policy and associated access controls.
[App F § AC-1(a), App F § AC-1(b), Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]

Documents and records should be examined to ensure the access control policy and procedures are continuously applied.
Interviews should be conducted with personnel who have access control responsibilities.
[AC-1.6, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

US State Laws and Protectorates Guidance

The comprehensive information security program must include monitoring of the program on a regular basis to ensure its operation will prevent unauthorized use of or access to personal information. Anyone who stores, licenses, owns, or maintains personal information about a Massachusetts resident and electronically transmits or stores that information must establish and maintain a security system (which must be included in the comprehensive, written information security program) for all computers and wireless systems and must include system monitoring to detect unauthorized access or use. [§ 17.03(3)10, § 17.04(4), Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts]

ISO Guidance

The system should be able to transmit or receive user data in a way that the data is protected from modification, deletion, insertion, or replay errors. The system also should be able to tell if the data has been modified, deleted, inserted, or replayed once it has received it. [§ 11.13, § F.13, ISO/IEC 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008]

¶ 8.2.2(1-4) Logical Access Control and Audit. An organization should implement safeguards to enforce access control and audit. Safeguards in this area should be implemented to
• restrict access to information, computers, networks, applications, system resources, files and programs, and
• record details of error and user actions in audit trails and analyze the details recorded, in order to detect and handle security breaches in an appropriate manner.
A common means to enforce access control is to use the I&A (Identification & Authentication) details linked to access control lists defining what files, resources, etc. a user is permitted to access, and what form that access can take. Safeguards in the area of logical access control and audit are listed below.
1. Access Control Policy
For each user or group of users, there should be a clearly defined access control policy. This policy should grant access rights according to the business requirements, such as availability, productivity and the 'need to know' principle. The general idea should be: 'as many rights as necessary, as few rights as possible'. The allocation of access rights should take into account the organization’s approach to security (for example, open or restrictive) and culture to fulfill business needs and gain user acceptance.
2. User Access to Computers
Access control to computers is applied to prevent any unauthorized access to a computer. It should be possible to identify and verify the identity of each authorized user, with both successful and unsuccessful attempts logged. Computer access control can be aided by passwords, or by any other I&A (Identification & Authentication) method.
3. User Access to Data, Services and Applications
Access control should be applied to protect the data and services on a computer or within a network from unauthorized access. This can be done with help of appropriate I&A (Identification & Authentication) mechanisms, the appropriate interfaces between networked services, and the configuration of the network which ensures that only authorized access to IT services can take place (restrictive allocation of rights). To prevent unauthorized access to applications, role-based access control that allows access according to the business functions of the users, should be introduced.
4. Reviewing and Updating Access Rights
All access rights given to users should be reviewed regularly and updated if the security or business needs for access have changed. Privileged access rights should be reviewed more frequently to ensure that they are not misused. Access rights should be withdrawn immediately if they are no longer necessary.
¶ 10.3.4 Masquerading of user identity. An organization should implement safeguards to prevent masquerading of user identity, which can be used to circumvent authentication and all services and security functions that depend on it. Consequently, it can lead to integrity problems whenever the masquerade allows access to and modification of information. Safeguards in this area are listed below.
• I&A (Identification & Authentication): Masquerade becomes more difficult if I&A (Identification & Authentication) safeguards based on combinations of something known, something possessed, as well as intrinsic characteristics of users are applied.
• Logical access control and audit: Logical access control cannot distinguish between an authorized user and somebody masquerading as this authorized user, but the use of access control mechanisms in place can reduce the area of impact. Review and analysis of audit logs can detect unauthorized activities.
• Protection against malicious code: One way passwords are acquired is by introducing malicious code that captures them; protection against such software should be in place.
• Network management: Implement network management to prevent unauthorized access by masquerading as a user in traffic, e.g. e-mail.
• Data integrity protection: Additional protection can be provided using cryptographic means like digital signatures.
[¶ 8.2.2(1-4), ¶ 10.3.4, ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]
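The four ISO/IEC 13335-4 ¶ 8.2.2 safeguards above (a per-role access policy, identification of users with both successful and unsuccessful attempts logged, role-based checks on data access, and regular review of access rights, with privileged rights reviewed more often) are easy to state and easy to get wrong in practice. The following Python script is an added example, not code from the UCF page or from ISO/IEC 13335-4; it models the four safeguards end to end on constructed users and access attempts, and shows how the audit trail produced by safeguard 2 feeds both the detection of unauthorized activity (¶ 10.3.4, "review and analysis of audit logs") and the stale-rights review of safeguard 4. All role names, user names, resources, thresholds and log entries are assumptions made for illustration.

```python
"""
Added example (not from the UCF page or ISO/IEC 13335-4): a minimal model of the
logical access control and audit safeguards in 13335-4 paragraph 8.2.2:
  (1) a per-role access policy ("as many rights as necessary, as few as possible"),
  (2) logging of every access attempt, successful or not,
  (3) role-based checks on access to data, and
  (4) a review that flags rights that should be withdrawn or re-justified.
Every user, role, resource, threshold and log entry below is constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# (1) Access control policy: each role gets only the (resource, action) pairs it needs.
ROLE_PERMISSIONS = {
    "analyst": {("customer_records", "read")},
    "dba": {("customer_records", "read"), ("customer_records", "write"), ("audit_log", "read")},
    "auditor": {("audit_log", "read")},
}
PRIVILEGED_ROLES = {"dba"}  # reviewed on a shorter cycle (safeguard 4)


@dataclass
class User:
    name: str
    role: str
    last_login: datetime
    authenticated: bool = False  # outcome of I&A, decided by the caller


@dataclass
class AccessControl:
    audit_trail: list = field(default_factory=list)

    def check(self, user: User, resource: str, action: str, when: datetime) -> bool:
        """(2)+(3): only an authenticated identity with a role that grants the
        (resource, action) pair is allowed; every attempt is recorded either way."""
        allowed = user.authenticated and (resource, action) in ROLE_PERMISSIONS.get(user.role, set())
        self.audit_trail.append({
            "ts": when, "user": user.name, "role": user.role,
            "resource": resource, "action": action,
            "result": "ALLOW" if allowed else "DENY",
        })
        return allowed


def find_suspicious(audit_trail, deny_threshold: int = 3) -> dict:
    """Audit-log analysis: users with repeated denials, which may indicate probing,
    a masqueraded account, or rights that no longer match the job."""
    denies = Counter(e["user"] for e in audit_trail if e["result"] == "DENY")
    return {u: n for u, n in denies.items() if n >= deny_threshold}


def review_access_rights(users, audit_trail, now, max_idle_days=90, priv_idle_days=30):
    """(4): flag unknown roles and rights that have not been exercised within the
    review window; privileged roles get the shorter window."""
    last_use = {}
    for e in audit_trail:
        if e["result"] == "ALLOW" and e["ts"] > last_use.get(e["user"], datetime.min):
            last_use[e["user"]] = e["ts"]
    findings = []
    for u in users:
        if u.role not in ROLE_PERMISSIONS:
            findings.append((u.name, "unknown role: rights cannot be justified"))
            continue
        idle_limit = priv_idle_days if u.role in PRIVILEGED_ROLES else max_idle_days
        used = last_use.get(u.name, u.last_login)
        if now - used > timedelta(days=idle_limit):
            findings.append((u.name, f"no use of {u.role} rights in {idle_limit} days; withdraw or re-justify"))
    return findings


def run_demo():
    """Constructed scenario; returns the detection and review results for inspection."""
    now = datetime(2009, 12, 1, 9, 0)
    alice = User("alice", "analyst", now - timedelta(days=1), authenticated=True)
    bob = User("bob", "dba", now - timedelta(days=45), authenticated=True)      # privileged, unused
    carol = User("carol", "auditor", now - timedelta(days=10), authenticated=True)
    dave = User("dave", "contractor", now - timedelta(days=2), authenticated=True)  # role not in policy
    eve = User("eve", "analyst", now - timedelta(days=100), authenticated=False)  # failed I&A
    users = [alice, bob, carol, dave, eve]

    ac = AccessControl()
    results = [
        ac.check(alice, "customer_records", "read", now - timedelta(hours=1)),   # allowed by role
        ac.check(alice, "customer_records", "write", now - timedelta(minutes=50)),  # beyond role
        ac.check(alice, "audit_log", "read", now - timedelta(minutes=40)),      # beyond role
        ac.check(alice, "customer_records", "write", now - timedelta(minutes=30)),  # repeated
        ac.check(carol, "audit_log", "read", now - timedelta(minutes=20)),      # allowed by role
        ac.check(dave, "customer_records", "read", now - timedelta(minutes=10)),  # unknown role
        ac.check(eve, "customer_records", "read", now - timedelta(minutes=5)),  # not authenticated
    ]
    return {
        "decisions": results,
        "suspicious": find_suspicious(ac.audit_trail),
        "findings": review_access_rights(users, ac.audit_trail, now),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The point a reviewer of the policy should take from the model is that the same audit trail serves two different controls: near-real-time analysis (repeated denials from one identity) and the periodic rights review, which uses evidence of actual use rather than the mere existence of a login. In a production system the role table would come from the identity store and the trail from the central log platform, but the two questions asked of the data are the same.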

General Guidance

Procedures should be in place to ensure data cannot be overwritten accidentally, changes to files and parameters are reviewed, unauthorized changes are detected, and the processed information is validated. The type of monitoring that will be used for wireless access, e-mail, instant messaging, Voice over Internet Protocol (VoIP), Internet access, and web browsing should be documented. [CB2.2.2, UE5.2.2(d), UE5.3.2(d), UE5.4.3(d), UE5.4.5, UE5.5.2(d), UE5.6.2(d), The Standard of Good Practice for Information Security]

To identify relevant Red Flags, the organization will assess these risk factors: 1) the types of covered accounts it offers, 2) the methods it provides to open or access these accounts, and 3) its previous experience with identity theft. [§ III, AICPA Red Flag Rule Identity Theft Prevention Program, November 1, 2009]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of individuals whose access privileges have been reviewed. [UCF Control ID 01690]
    Report on the percentage of systems for which event and activity logs are monitored and reviewed in accordance with policy. [UCF Control ID 02103]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.