By Alan Jackson, CISSP
Whenever I think about policies and procedures, I am struck by the number of unwritten policies we use in everyday life. For example, I have an 8-year-old son and a 10-year-old daughter. Every Sunday through Friday I get up and make my kids breakfast before school. On special occasions, I make my wife breakfast and give her a mimosa. When Saturday rolls around, I get to sleep in. On those days, my children feed themselves. I sleep soundly knowing that my daughter will not make herself a mimosa with her breakfast. I know this because she hates the taste of them, and the champagne is stored in a location that she cannot access. We have an unwritten access control policy in our household. We have defined champagne as an adult beverage, and we keep our champagne in a location that our children can’t access.
In our previous article entitled “I know what I should do!” I explained that policies and procedures are important and necessary to ensure that your employees know how to behave. Today I will be discussing the access control “Family” listed in the National Institute of Standards and Technology (NIST) 800-53 document. Access Control is one of the most foundational subjects that you must address in your policies.
The first piece of an Access Control policy is to identify the different types of data that you are trying to control. This step is crucial because not all data is the same. Some of your information is not proprietary or confidential. Other data should be restricted to the employees of your firm. For example, your employees know all of the email addresses and titles of your firm’s employees. However, you may not want a hacker having that information. Other data within your network should be restricted to select employees. For example, payroll information should be restricted to your Human Resources group. You can use as many labels as you want, but I suggest a simple classification scheme of “Public,” “Private,” and “Restricted.” Write into your policy that all data will be classified and that you will grant access to data based on the “principle of least privilege.” The principle of least privilege states that employees will only be granted access to the data and systems that are necessary to perform their jobs.
Next, define how access will be granted when a user is created, changed or deleted. Include who can request changes to access, how that process will be accomplished, and how to ensure that access rights are properly implemented and tracked. This process should include a paper trail to ensure that access has been properly authorized, granted, changed, and removed. Finally, include how you will review and audit access rights to ensure that your employees’ access rights have not changed unexpectedly. If you have an external system that includes restricted data that you want clients to access, define how you will use multi-factor authentication on that system. If this external system does not use multi-factor authentication, explain why.
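To make the classification scheme, the least-privilege grants, and the periodic access review concrete, here is a small added example (not from the original article): it encodes the Public/Private/Restricted labels, decides access per role, and compares the approved grants from the paper trail against the rights actually found on systems to flag unexpected changes. The data set names, roles, and user names are constructed for illustration.

```python
"""Toy model of the access control policy described above (constructed example)."""

# The three classification labels suggested in the article, ordered by sensitivity.
PUBLIC, PRIVATE, RESTRICTED = "Public", "Private", "Restricted"

# Every data set carries a classification (constructed sample data).
DATA_CLASSIFICATION = {
    "website": PUBLIC,
    "staff_directory": PRIVATE,
    "payroll": RESTRICTED,
}

# Least privilege: each job role is granted only the data sets its work requires.
ROLE_GRANTS = {
    "hr": {"staff_directory", "payroll"},
    "engineer": {"staff_directory"},
    "contractor": set(),
}


def is_access_allowed(role, data_set, authenticated):
    """Public data is available without authentication; anything else requires
    an authenticated user whose role holds an explicit grant for that data set."""
    label = DATA_CLASSIFICATION[data_set]
    if label == PUBLIC:
        return True
    if not authenticated:
        return False
    return data_set in ROLE_GRANTS.get(role, set())


def review_access_rights(authorized, actual):
    """Periodic access review.

    `authorized` maps user -> data sets approved in the paper trail;
    `actual` maps user -> data sets the user currently holds on systems.
    Returns (unexpected, missing): rights present without approval (including
    accounts that should have been removed) and approved rights not in place."""
    unexpected, missing = {}, {}
    for user in set(authorized) | set(actual):
        held = actual.get(user, set())
        approved = authorized.get(user, set())
        if held - approved:
            unexpected[user] = held - approved
        if approved - held:
            missing[user] = approved - held
    return unexpected, missing
```

Running `review_access_rights` on a regular schedule, and treating every entry in `unexpected` as a ticket to investigate, turns the policy's "review and audit" sentence into a repeatable check.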
The next component that should be in your access control policy is a list of approved local and remote paths to data. This includes defining what remote access will be allowed on company devices, if you will allow access on personal devices, what access will be allowed on mobile devices, what wireless access will be allowed, what local access will be allowed, and how all of these communication channels will be secured. For example, your policy may state that wireless devices will not be allowed access to anything but “Public” information. Finally, define what access will be granted without authentication. This may include the information on your public website.
The final section of your access control policy should describe how to address successful and unsuccessful access attempts. This includes how login banners, notifications, and acceptable use messages will be used. It also includes how login failures with lockouts will be addressed, how to unlock accounts, and how to remotely wipe mobile devices after repeated failed login attempts.
All of the above items are required components of the NIST Access Control family, and this list can look daunting. However, before you become overwhelmed, remember that unwritten policies exist all around us. Your job is to just write them down. Policies must be useful, understandable, and practical in order to be effective.
NIST Special Publication 800-53 Revision 4 (2013). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved from: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf