Include business security requirements in the access classification scheme.


CONTROL ID
00002
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Include restricting access to confidential data or restricted information to a need to know basis in the access classification scheme, CC ID: 00510

This Control has the following implementation support Control(s):
  • Interpret and apply security requirements based upon the information classification of the system, CC ID: 00003


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • For the computer center and head and branch offices, the organization shall define the scope of operational authority of terminal operators for all transaction types. (O38, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The organization must ensure effective controls have been implemented for restricting Access to only information needed to fulfill their duties, if it grants personnel temporary access to the system. (Control: 0441 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization must follow the temporary access to classified information requirements before it grants personnel emergency Access to the system. (Control: 0442, Australian Government Information Security Manual: Controls)
  • The organization must not grant personnel temporary access or emergency Access to systems that process, communicate, or store compartmented information or caveated information. (Control: 0443, Australian Government Information Security Manual: Controls)
  • The organization should use device Access Control or data loss prevention software to prevent media from being written to if there is not any business need. (Control: 0343, Australian Government Information Security Manual: Controls)
  • Does the organization make security considerations a routine part of the normal business processes? (Table Row I.9, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Must business associations, partners, contractors, and customers agree to abide by the company's protocols in order to keep access? (Table Row II.10, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The regulated user should maintain the procedures and records for accessing the system. (¶ 19.2, Good Practices For Computerized systems In Regulated GXP Environments)
  • (§ 4.3.2, ISF Security Audit of Networks)
  • There should be documented standards / procedures for the provision of access to the organization's business applications by customers. (CF.05.01.01, The Standard of Good Practice for Information Security)
  • Standards / procedures should cover Access Control requirements for customers. (CF.05.01.02c, The Standard of Good Practice for Information Security)
  • Access control requirements for customers should include access privileges required to access business applications or particular functionality in a business application. (CF.05.03.02b, The Standard of Good Practice for Information Security)
  • Access control arrangements should be upgraded in response to new business requirements. (CF.06.01.10b-3, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for the provision of access to the organization's business applications by customers. (CF.05.01.01, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should cover Access Control requirements for customers. (CF.05.01.02c, The Standard of Good Practice for Information Security, 2013)
  • Access control requirements for customers should include access privileges required to access business applications or particular functionality in a business application. (CF.05.03.02b, The Standard of Good Practice for Information Security, 2013)
  • Access control arrangements should be upgraded in response to new business requirements. (CF.06.01.10b-3, The Standard of Good Practice for Information Security, 2013)
  • Access controls for critical business applications or sensitive business applications should be strengthened by requiring the connecting computing device to be trusted / known. (CF.05.03.04d, The Standard of Good Practice for Information Security, 2013)
  • ¶ 10 Table 1 Row 10.1 Type of Network Connection is a Connection within a single controlled location of an organization. A Descriptive Example is Interconnection between different parts of the same organization within the same controlled location, i.e. a single controlled building or site. ¶ 10 Ta… (¶ 10 Table 1 Row 10.1, ¶ 10 Table 1 Row 10.2, ¶ 10 Table 1 Row 10.3, ¶ 10 Table 1 Row 10.4, ¶ 10 Table 1 Row 10.5, ¶ 10 Table 1 Row 10.6, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • Physical and logical access to systems is permitted only for individuals who have a legitimate business requirement and have been authorized. (PR.AC-1.1, CRI Profile, v1.2)
  • Physical and logical access to systems is permitted only for individuals who have a legitimate business requirement and have been authorized. (PR.AC-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Procedures exist to restrict logical access to the system and the confidential information resources maintained on the system, including procedures preventing customers, groups of individuals, or other entities from accessing confidential information other than their own. (Confidentiality Prin. and Criteria Table § 3.8 e, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Does the information security policy contain an access control policy? (§ B.1.8, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • The organization must ensure that the CMS business partner obtains satisfactory assurances that external business associates are providing appropriate safeguards for CMS sensitive information. (CSR 1.11.3, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Contractors that perform noncriminal justice ancillary functions on behalf of a noncriminal justice agency (private or public) for noncriminal justice functions shall be eligible for criminal justice information access. (§ 5.1.1.8, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The organization should ensure the service provider's data security standards meet or exceed the data security standards of the organization. (Pg 29, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • The service provider must define the time period for non-user accounts, the accounts associated with devices. (Column F: AC-2(3), FedRAMP Baseline Security Controls)
  • Have adequate security measures been implemented to control access to the network? (IT - General Q 30, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Do non-corporate personnel or vendors access the firewall? (IT - Firewalls Q 33, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Has remote access only been granted to individuals based on business needs and/or job duties? (IT - Remote Access Q 6, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Establish and maintain procedures to control access to software programs for testing and revision. (§ 4.10.4 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • The organization should prohibit privileged access to the Information System by non-organizational users. (App F § AC-6(6), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Local user access to the Industrial Control System components must be enabled only when it is necessary, authenticated, and approved. (App I § IA-2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization identifies and selects the following types of information system accounts to support organizational missions/business functions: {organizationally documented information system account types}. (AC-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization authorizes network access to {organizationally documented privileged commands} only for {organizationally documented compelling operational needs} and documents the rationale for such access in the security plan for the information system. (AC-6(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization prohibits privileged access to the information system by non-organizational users. (AC-6(6), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system implements privileged access authorization to {organizationally documented information system components} for selected {organizationally documented vulnerability scanning activities}. (RA-5(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization identifies and selects the following types of information system accounts to support organizational missions/business functions: {organizationally documented information system account types}. (AC-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization authorizes network access to {organizationally documented privileged commands} only for {organizationally documented compelling operational needs} and documents the rationale for such access in the security plan for the information system. (AC-6(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system implements privileged access authorization to {organizationally documented information system components} for selected {organizationally documented vulnerability scanning activities}. (RA-5(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization identifies and selects the following types of information system accounts to support organizational missions/business functions: {organizationally documented information system account types}. (AC-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system implements privileged access authorization to {organizationally documented information system components} for selected {organizationally documented vulnerability scanning activities}. (RA-5(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization identifies and selects the following types of information system accounts to support organizational missions/business functions: {organizationally documented information system account types}. (AC-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)