
Establish, implement, and maintain an access classification scheme.


CONTROL ID: 00509
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Technical security, CC ID: 00508

This Control has the following implementation support Control(s):
  • Identify external requirements for customer access., CC ID: 12736
  • Include restricting access to confidential data or restricted information to a need to know basis in the access classification scheme., CC ID: 00510
  • Establish, implement, and maintain security classifications for organizational assets., CC ID: 00005


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Practice Standard § I.2(6)[IT Controls].B.a: General control activities must be appropriately designed, including access control measures to prevent the unauthorized use or changing of the program. Practice Standard § III.4(2)[2].B.c: External auditors should verify that access control measures ha… (Practice Standard § I.2(6)[IT Controls].B.a, Practice Standard § III.4(2)[2].B.c, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • Information assets have varying degrees of sensitivity and criticality in meeting business objectives. By assigning classes or levels of sensitivity and criticality to information resources and establishing specific security rules/requirements for each class, it is possible to define the level of ac… (Critical components of information security 3) ¶ 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Defining minimum access requirements for network services (Critical components of information security 24) iv. Bullet 4, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Removable media should not be inserted into any system that is classified at a lower level than the media. If the removable media is classified lower than the system it is being inserted into, it should be read-only media or inserted into a read-only device. (§ 3.11.16, Australian Government ICT Security Manual (ACSI 33))
  • Explains that when designing a record keeping system, it is important to determine policies that will govern the use of the system and the rules and procedures for operating the system. (§ D.4.1, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • Requirements for the approval and documentation of the management of system and data access authorisations (Section 5.7 IDM-01 Basic requirement ¶ 1 Bullet 6, Cloud Computing Compliance Controls Catalogue (C5))
  • Access Control standards and procedures should take account of information classifications. (CF.06.01.02a-2, The Standard of Good Practice for Information Security)
  • Access Control standards and procedures should take account of information classifications. (CF.06.01.02a-2, The Standard of Good Practice for Information Security, 2013)
  • The organization should establish multi-level data identification schemes and multi-level classification schemes. (Critical Control 15.2, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • ¶ 8 Review Corporate IT Security Policy Requirements. The organization's corporate IT security policy may include statements on the need for confidentiality, integrity, availability, non-repudiation, accountability, authenticity and reliability, as well as views on types of threat, and safeguard req… (¶ 8, ¶ 10, ¶ 10 Table 1 Row 10.1, ¶ 10 Table 1 Row 10.2, ¶ 10 Table 1 Row 10.3, ¶ 10 Table 1 Row 10.4, ¶ 10 Table 1 Row 10.5, ¶ 10 Table 1 Row 10.6, ¶ 13.2, ¶ 13.2.1, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • An organization should have clear guidelines indicating who is permitted access to records and who is not. To ensure proper access controls, an organization should manage the access process so that: • records are categorized according to their access status at a particular time • records are onl… (§ 9.7, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • Standard procedures for applying access and security categories to records are a necessity. The development of these categories is also key. Categories will differ from organization to organization depending on their special needs. Generally speaking, access to records may be restricted to protect: … (§ 4.2.5, § 4.3.5, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The legally enforceable rights of, and restrictions on, access to organizational information and records need to be identified in order to develop an access classification scheme. (§ 4.2.5.2 ¶ 4(a), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The risk of the breach of privacy, and commercial, professional, or personal confidentiality needs to be identified in order to develop an access classification scheme. (§ 4.2.5.2 ¶ 4(b), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The security issues of the organization need to be identified in order to develop an access classification scheme. (§ 4.2.5.2 ¶ 4(c), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The risk of breach to security needs to be ranked according to the damage assessment and likelihood of occurrence in order to develop an access classification scheme. (§ 4.2.5.2 ¶ 4(d), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The identified areas of risk and security issues to the business activities need to be mapped in order to develop an access classification scheme. (§ 4.2.5.2 ¶ 4(e), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The appropriate levels of restriction from highest risk to lowest risk need to be identified in order to develop an access classification scheme. (§ 4.2.5.2 ¶ 4(f), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The levels of restriction to the classes of business activity records need to be allocated in order to develop an access classification scheme. (§ 4.2.5.2 ¶ 4(g), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Restrictions to access classification systems or thesauruses need to be linked in order to develop an access classification scheme. (§ 4.2.5.2 ¶ 4(h), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • All information should be classified. This classification should be based on value, sensitivity, legal requirements, and criticality of the information to the organization. The classification policy should include guidelines for the initial classification and the reclassification of the data. The cl… (§ 7.2.1, ISO 27002 Code of practice for information security management, 2005)
  • The organization should have implemented systems and procedures that use the data sensitivity and the user's need to access personal information to determine the nature and level of access for each user. (Table Ref 8.2.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization must implement operational controls for all IT technology users. (§ 7, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives)
  • User and system information and digital and non-digital formats must be designated at the "HIGH" security level. The system information shall be protected at the same level to ensure confidentiality, integrity, and availability. (§ 4.1.3 ¶ 3, CMS Business Partners Systems Security Manual, Rev. 10)
  • The organization must only allow authorized parties to access HCFA Privacy Act-protected and/or other sensitive HCFA information sent over the Internet. (§ 7 ¶ 1, HIPAA HCFA Internet Security Policy, November 1998, Deprecated)
  • Security protections should be provided for the organization that are commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information maintained by the organization or systems used and operated by the organ… (§ 3544(a)(1)(A), § 3544(a)(2), § 3544(b)(1), Federal Information Security Management Act of 2002)
  • The organization must protect all classified information it can access and/or control. (§ 1-200, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Identifies access points and connection types that pose risk. (App A Objective 6.7.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Security controls and resources should be provided for computerized operations and supporting applications based on how they are prioritized. Resource classifications and criteria should be established and communicated to resource owners. (AC-1.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • (§ 295F.02, GAO/PCIE Financial Audit Manual (FAM))
  • Is access granted only to specific workstations on the internal network side of the router, when telnet, Secure Shell, or HyperText Transfer Protocol Secure is used for maintaining the router? (IT - Routers Q 18, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Calls for System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • App A.1: This appendix section provides the recommended role-based identity proofing, registration, and issuance process set for organizations that do not have a pre-existing personal identity verification (PIV) system. App A.2: This appendix section provides the system-based identity proofing, regi… (App A.1, App A.2, FIPS Pub 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, Change Notice 1)
  • Organizations are required to implement logical access control based on policy made by a management official responsible for a particular system, application, subsystem, or group of systems. The policy should balance the often-competing interests of security, operational requirements, and user-frien… (§ 3.12, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records and documents should be examined to ensure the integrity of information and applications is protected on publicly available systems, public access systems are continuously protected, and specific responsibilities and actions are defined for the implementation of the public acc… (SC-14, SC-14.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization should implement controls to protect the integrity and availability of public information and applications. (App F § SC-14, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)