Establish, implement, and maintain an access control program.


CONTROL ID: 11702
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Technical security, CC ID: 00508

This Control has the following implementation support Control(s):
  • Include instructions to change authenticators as often as necessary in the access control program., CC ID: 11931
  • Include guidance for how users should protect their authentication credentials in the access control program., CC ID: 11929
  • Include guidance on selecting authentication credentials in the access control program., CC ID: 11928
  • Establish, implement, and maintain access control policies., CC ID: 00512
  • Establish, implement, and maintain an access rights management plan., CC ID: 00513
  • Establish, implement, and maintain access control procedures., CC ID: 11663
  • Establish, implement, and maintain an identification and authentication policy., CC ID: 14033
  • Include digital identification procedures in the access control program., CC ID: 11841


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The licensed corporation should implement appropriate policies, procedures and controls to manage user access rights to ensure that Relevant Information can only be altered for proper purposes by authorised personnel, and is otherwise free from damage or tampering. The sharing of system authenticati… (15., Circular to Licensed Corporations - Use of external electronic data storage)
  • A systematic process of applying and authorizing the creation of user ids and the access control matrix (Critical components of information security 5) (vi)(a), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Institutions should be aware of CS' typical characteristics such as multi-tenancy, data commingling and the higher propensity for processing to be carried out in multiple locations. Hence, institutions should take active steps to address the risks associated with data access, confidentiality, integr… (6.7, Guidelines on Outsourcing)
  • Strong access controls should be implemented to restrict administrative access to the hypervisor and host operating system as both control the guest operating systems and other components in the virtual environment. (§ 11.4.2, Technology Risk Management Guidelines, January 2021)
  • A trusted insider program is developed and implemented. (Security Control: 1625; Revision: 0, Australian Government Information Security Manual, March 2021)
  • implement policies that limit the physical or logical access to information assets and ICT assets to what is required for legitimate and approved functions and activities only, and establish to that end a set of policies, procedures and controls that address access rights and ensure a sound administ… (Art. 9.4. ¶ 1(c), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Securing the authorisation and authentication of users of the cloud provider (usually privileged user) and the cloud customer in order to prevent unauthorised access. (Section 5.7 Objective, Cloud Computing Compliance Controls Catalogue (C5))
  • Where strong authentication is applied, the use of the medium (e.g. ownership factor) is secure. (4.1.3 Requirements (should) Bullet 8, Information Security Assessment, Version 5.1)
  • Depending on the risk assessment, authentication procedure and access control have been enhanced by supplementary measures (e.g. permanent access monitoring with respect to irregularities or use of strong authentication, automatic logout or disabling in case of inactivity). (C, I, A) (4.1.2 Additional requirements for high protection needs Bullet 1, Information Security Assessment, Version 5.1)
  • All access to service interfaces should be constrained to authenticated and authorised individuals. (10. ¶ 1, Cloud Security Guidance, 1.0)
  • Access to all service interfaces (for users and providers) should be constrained to authenticated and authorised individuals. (10: ¶ 1, Cloud Security Guidance, 1.0)
  • Access to service interfaces should be constrained to authenticated and authorised individuals. (10. ¶ 1, Cloud Security Guidance, 2)
  • The organisation understands, documents and manages access to networks and information systems supporting the operation of essential functions. Users (or automated functions) that can access data or systems are appropriately verified, authenticated and authorised. (B2. ¶ 1, NCSC CAF guidance, 3.1)
  • You closely manage and maintain identity and access control for users, devices and systems accessing the networks and information systems supporting the essential function. (B2.d ¶ 1, NCSC CAF guidance, 3.1)
  • The entity uses a combination of controls to restrict access to its information assets including data classification. The entity enforces logical separations of data structures and the segregation of incompatible duties applies device security hardening and security configuration policies, including… (S7.1 Restricts access to information assets, Privacy Management Framework, Updated March 1, 2020)
  • Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties. (7.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change pa… (8.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change pa… (8.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties. (7.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties. (7.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change pa… (8.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are authentication policies and procedures documented and communicated to all users? (8.4(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are authentication policies and procedures documented and communicated to all users? (8.4(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are security policies and operational procedures for restricting access to cardholder data: - Documented - In use - Known to all affected parties? (7.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are authentication policies and procedures documented and communicated to all users? (8.4 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are security policies and operational procedures for restricting access to cardholder data: - Documented - In use - Known to all affected parties? (7.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are authentication policies and procedures documented and communicated to all users? (8.4(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are security policies and operational procedures for restricting access to cardholder data: - Documented - In use - Known to all affected parties? (7.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are authentication policies and procedures documented and communicated to all users? (8.4 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are security policies and operational procedures for restricting access to cardholder data: - Documented - In use - Known to all affected parties? (7.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are authentication policies and procedures documented and communicated to all users? (8.4(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Interview a sample of users to verify that they are familiar with authentication policies and procedures. (8.4.c, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine procedures and interview personnel to verify that authentication policies and procedures are distributed to all users. (8.4.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine documentation and interview personnel to verify that security policies and operational procedures for restricting access to cardholder data are: - Documented, - In use, and - Known to all affected parties. (7.3, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over. (Control 20.2, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Centralize access control for all enterprise assets through a directory service or SSO provider, where supported. (CIS Control 6: Safeguard 6.7 Centralize Access Control, CIS Controls, V8)
  • To manage access to cloud services by a cloud service customer's cloud service users, the cloud service provider should provide user registration and deregistration functions, and specifications for the use of these functions to the cloud service customer. (§ 9.2.1 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The cloud service provider should provide functions for managing the access rights of the cloud service customer's cloud service users, and specifications for the use of these functions. (§ 9.2.2 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The cloud service provider should provide access controls that allow the cloud service customer to restrict access to its cloud services, its cloud service functions and the cloud service customer data maintained in the service. (§ 9.4.1 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Access control software and rule sets are used to restrict logical access to information assets, including hardware, data (at rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components. (¶ 2.25 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • identification and authentication of authorized internal and external users; (CC5.1(1), TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • Each Responsible Entity shall implement one or more documented access management program(s) that collectively include each of the applicable requirement parts in CIP-004-6 Table R4 – Access Management Program. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning and Same Day Operatio… (B. R4., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-6, Version 6)
  • Electronic access; (CIP-004-6 Table R4 Part 4.1 Requirements 4.1.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-6, Version 6)
  • Each Responsible Entity shall implement one or more documented access management program(s) that collectively include each of the applicable requirement parts in CIP-004-7 Table R4 – Access Management Program. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning and Same Day Operatio… (B. R4., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-7, Version 7)
  • Electronic access; and (CIP-004-7 Table R4 Part 4.1 Requirements 4.1.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-7, Version 7)
  • Each Responsible Entity shall implement one or more documented access management program(s) to authorize, verify, and revoke provisioned access to BCSI pertaining to the "Applicable Systems" identified in CIP-004-7 Table R6 – Access Management for BES Cyber System Information that collectively inc… (B. R6., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-7, Version 7)
  • Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4). (§ 164.312(a)(1), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under para… (§ 164.308(a)(3)(i), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger org… (§ 164.308(a)(4)(ii)(A), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Access establishment and modification (Addressable). Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. (§ 164.308(a)(4)(ii)(C), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Determine whether management implements appropriate IAM processes and does the following: (App A Objective 14:3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Safeguards systems against security threats and employs IAM, configuration management, and log monitoring. (App A Objective 13:6c Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Develops and maintains a culture that fosters responsible and controlled access for users. (App A Objective 6.8.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Facilitate access enabling by physical and/or wireless means. (T0697, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Facilitate access enabling by physical and/or wireless means. (T0697, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Design, develop, integrate, and update system security measures that provide confidentiality, integrity, availability, authentication, and non-repudiation. (T0446, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)