By Alan Jackson, CISSP
In our previous article entitled “Mimosas with Breakfast,” I explained that Access Control is about defining what you are trying to control, and determining who can access it. Now that you have done so, you need to stipulate how to identify and authorize people so they can access it. However, identification and authorization are often overlooked in policy creation. That is because the concept of identification is so ingrained in how we think. From the time we are born, we are trained to recognize the face of our mothers and the voices of our friends. This identification happens so quickly that we often don’t notice it. Yet this recognition forms the basis of the Identification and Authorization “Family” listed in the National Institute of Standards and Technology (NIST) 800-53 document. This policy can be summed up as follows: I have to know who you are before I can give you access to what you want. That is it. Pretty simple, huh? Now let’s list the elements of this policy.
The first piece of the Identification and Authorization policy is to define how you will identify people who physically enter your secure areas. You could state that a receptionist will sit at the front of your firm and will ensure that only authorized individuals are allowed on company premises. This piece could specify that all employees will be granted ID cards that will be used to enter the building and the doors will identify and authorize physical access. This piece should also include how you will handle identification of visitors. You could state that all visitors must have an appointment, and every visitor must present a physical ID before entering the firm.
Next, define how users will be logically identified on computer systems. Typically, this component covers usernames and passwords. State that all users will be issued usernames. Define how long passwords must be, how complex they must be, how long they may be used before they expire, how many failed login attempts will be allowed before the account is locked, how the account can be unlocked, and who is responsible for administering the system. If alternative identification mechanisms are used, such as biometrics and access tokens, they should also be listed. Any systems that require multi-factor authentication should be noted as well.
Next, define how access tokens like keys, fobs, and passwords will be kept safe. Administratively, this could include a regular inventory of keys and a statement that all passwords on systems will be centrally encrypted. For your users, the policy could state that users will not write down or share passwords, and will not reuse the same password over and over again.
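The password rules the two paragraphs above ask you to write down (minimum length, complexity, expiry, failed-attempt lockout, administrative unlock, and a history check against reuse) are easiest to reason about when you can see them enforced. The following is an added example written for this article, not code from the article or from NIST; every numeric limit, the usernames, and the passwords are constructed values chosen to illustrate the policy, and the `now` argument is passed explicitly so the expiry and lockout behaviour can be exercised without waiting.

```python
"""Password-policy enforcement example (added illustration, not from the article).

Models the parameters a policy must define: minimum length, character-class
complexity, maximum age, failed-attempt lockout, administrative unlock, and a
history check that rejects reuse of recent passwords. All limits are
constructed example values, not recommendations from the article.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
import hashlib
import hmac
import os
import string


@dataclass
class PasswordPolicy:
    min_length: int = 12          # constructed example values
    require_classes: int = 3      # of upper / lower / digit / symbol
    max_age_days: int = 90
    max_failed_attempts: int = 5
    lockout_minutes: int = 30
    history_size: int = 5         # previous passwords remembered for reuse checks

    def check_complexity(self, password: str) -> List[str]:
        """Return a list of policy violations (empty list means compliant)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        classes = sum([
            any(c.isupper() for c in password),
            any(c.islower() for c in password),
            any(c.isdigit() for c in password),
            any(c in string.punctuation for c in password),
        ])
        if classes < self.require_classes:
            problems.append(f"uses {classes} character classes, need {self.require_classes}")
        return problems


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    changed_at: datetime
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # previous (salt, digest)
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the iteration count is a modest example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_account(username: str, password: str, policy: PasswordPolicy, now: datetime) -> Account:
    problems = policy.check_complexity(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    return Account(username, salt, _hash(password, salt), now)


def set_password(account: Account, new_password: str, policy: PasswordPolicy, now: datetime) -> List[str]:
    """Change the password; returns the list of violations, empty on success."""
    problems = policy.check_complexity(new_password)
    # Reuse check against the current password and the remembered history.
    for salt, digest in [(account.salt, account.digest)] + account.history:
        if hmac.compare_digest(_hash(new_password, salt), digest):
            problems.append(f"reuses one of the last {policy.history_size + 1} passwords")
            break
    if problems:
        return problems
    account.history.insert(0, (account.salt, account.digest))
    del account.history[policy.history_size:]
    account.salt = os.urandom(16)
    account.digest = _hash(new_password, account.salt)
    account.changed_at = now
    return []


def authenticate(account: Account, password: str, policy: PasswordPolicy, now: datetime) -> str:
    """Return 'ok', 'expired', 'bad_password' or 'locked'."""
    if account.locked_until is not None:
        if now < account.locked_until:
            return "locked"
        # Lockout window has elapsed: clear the counter automatically.
        account.locked_until = None
        account.failed_attempts = 0
    if not hmac.compare_digest(_hash(password, account.salt), account.digest):
        account.failed_attempts += 1
        if account.failed_attempts >= policy.max_failed_attempts:
            account.locked_until = now + timedelta(minutes=policy.lockout_minutes)
            return "locked"
        return "bad_password"
    account.failed_attempts = 0
    if now - account.changed_at > timedelta(days=policy.max_age_days):
        return "expired"  # correct password, but it must be changed before use
    return "ok"


def admin_unlock(account: Account) -> None:
    """The 'how the account can be unlocked' clause: an administrator resets it."""
    account.failed_attempts = 0
    account.locked_until = None
```

The status strings returned by `authenticate` are the events a policy would also want logged: a burst of `bad_password` followed by `locked` on one account is the signal the lockout threshold exists to produce, and `expired` is the point at which the maximum-age clause takes effect.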
Next, you should define how you will identify devices on your network. If you are a small firm, that may be a manual process where you take a quarterly walk through and inventory your network. Larger firms may have electronic systems that notice when unauthorized devices are plugged in. This section is designed to help avoid any unauthorized computers or devices being plugged into your network, or any authorized device from disappearing.
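Whether the inventory walk is quarterly and manual or continuous and electronic, the check behind it is the same: reconcile what the policy says is authorized against what is actually on the wire. The following is an added example written for this article, not code from the article or any product; the inventory, the observed addresses, the IPs and the switch port names are all constructed sample data.

```python
"""Network device identification example (added illustration, not from the article).

Reconciles an authorized device inventory against devices actually observed
on the network (for example from a switch MAC table or an ARP sweep) and
reports unauthorized newcomers and authorized devices that have disappeared.
All inventory entries and observations below are constructed sample data.
"""
from typing import Dict, List, Tuple

# Constructed authorized inventory: MAC address -> (owner, description).
AUTHORIZED: Dict[str, Tuple[str, str]] = {
    "00:1a:2b:3c:4d:01": ("Alice", "workstation"),
    "00:1a:2b:3c:4d:02": ("Bob", "laptop"),
    "00:1a:2b:3c:4d:03": ("Ops", "printer"),
}

# Constructed observation of the network: (mac, ip, switch_port).
# Note the differing MAC notation; real sources are rarely consistent.
OBSERVED: List[Tuple[str, str, str]] = [
    ("00-1A-2B-3C-4D-01", "10.0.0.11", "Gi1/0/1"),
    ("00:1a:2b:3c:4d:02", "10.0.0.12", "Gi1/0/2"),
    ("de:ad:be:ef:00:99", "10.0.0.50", "Gi1/0/7"),
]


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon-separated form so notations compare equal."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def reconcile(authorized: Dict[str, Tuple[str, str]],
              observed: List[Tuple[str, str, str]]) -> Dict[str, list]:
    """Return unauthorized devices (with where they were seen) and missing ones."""
    known = {normalize_mac(m): info for m, info in authorized.items()}
    seen = {normalize_mac(m): (ip, port) for m, ip, port in observed}
    unauthorized = [(m, *seen[m]) for m in sorted(seen) if m not in known]
    missing = [(m, *known[m]) for m in sorted(known) if m not in seen]
    return {"unauthorized": unauthorized, "missing": missing}


def report(result: Dict[str, list]) -> List[str]:
    """Human-readable lines suitable for a ticket or the quarterly inventory record."""
    lines = []
    for mac, ip, port in result["unauthorized"]:
        lines.append(f"UNAUTHORIZED {mac} at {ip} on {port}")
    for mac, owner, desc in result["missing"]:
        lines.append(f"MISSING {mac} ({owner}, {desc}) not seen on network")
    return lines


if __name__ == "__main__":
    for line in report(reconcile(AUTHORIZED, OBSERVED)):
        print(line)
```

A MAC address identifies a device only as well as an unprotected name tag does; this reconciliation is an inventory control that catches accidental or careless connections and lost assets, and a firm that needs to refuse unknown devices outright would pair it with a port-level control such as 802.1X.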
Next, define the systems that require no unique identification. This can include a public kiosk that doesn’t require a username and password, or a shared computer that has a shared username and password. For example, if you share a trading system and everyone uses the same username and password, write it down. Any system on which you can’t attribute actions to an individual user should be listed.
Finally, define how you will handle non-organizational users who want to connect to your network. How will you identify them? How will you log their behavior? How will you remove their identification tokens when they are done on your network? For example, you could state that all guests will be granted access to firm network resources as needed. In order to do so, each external party will be granted a unique username and password. Once the non-organizational user no longer requires access to your network, their username and password will be immediately deleted.
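The three questions in the paragraph above (how guests are identified, how their behaviour is logged, and how their credentials are removed when they are done) map onto three operations on a guest-account registry. The following is an added example written for this article, not code from the article; the registry, the username format, the sponsor field, the eight-hour default lifetime, and the visitor names are all assumptions constructed for the illustration.

```python
"""Guest (non-organizational user) account lifecycle example (added illustration, not from the article).

Each guest receives a unique username tied to a sponsor and an expiry time,
every access decision is written to an audit log, and expired accounts are
deleted automatically with the deletion logged as well. Names, lifetimes and
the username format are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
import secrets


@dataclass
class GuestAccount:
    username: str
    sponsor: str          # the employee who vouches for the visitor
    expires_at: datetime
    active: bool = True


class GuestRegistry:
    def __init__(self) -> None:
        self.accounts: Dict[str, GuestAccount] = {}
        self.audit_log: List[str] = []

    def provision(self, visitor_name: str, sponsor: str, now: datetime,
                  duration_hours: int = 8) -> Tuple[GuestAccount, str]:
        """Create a unique guest identity; returns the account and a one-time password."""
        slug = "".join(c for c in visitor_name.lower() if c.isalnum())[:8]
        while True:
            username = f"guest-{slug}-{secrets.token_hex(2)}"
            if username not in self.accounts:
                break
        acct = GuestAccount(username, sponsor, now + timedelta(hours=duration_hours))
        self.accounts[username] = acct
        # The initial password is handed to the visitor once and never stored here.
        initial_password = secrets.token_urlsafe(12)
        self.audit_log.append(
            f"{now.isoformat()} PROVISION {username} sponsor={sponsor} "
            f"expires={acct.expires_at.isoformat()}")
        return acct, initial_password

    def access(self, username: str, resource: str, now: datetime) -> bool:
        """Decide and log an access request; denied if unknown, inactive or expired."""
        acct: Optional[GuestAccount] = self.accounts.get(username)
        allowed = acct is not None and acct.active and now < acct.expires_at
        verdict = "ALLOW" if allowed else "DENY"
        self.audit_log.append(f"{now.isoformat()} ACCESS {username} {resource} {verdict}")
        return allowed

    def deprovision(self, username: str, now: datetime, reason: str) -> bool:
        """Remove the guest's credentials; returns False if no such account."""
        acct = self.accounts.pop(username, None)
        if acct is None:
            return False
        acct.active = False
        self.audit_log.append(f"{now.isoformat()} DEPROVISION {username} reason={reason}")
        return True

    def reap_expired(self, now: datetime) -> List[str]:
        """Scheduled job: delete every account whose expiry has passed."""
        expired = [u for u, a in self.accounts.items() if now >= a.expires_at]
        for username in expired:
            self.deprovision(username, now, "expired")
        return expired
```

Giving each account an expiry at creation time is what makes the policy's "immediately deleted" clause achievable in practice: the reaper removes the credential without anyone having to remember the visitor left, and the sponsor can still remove it earlier by calling `deprovision` directly.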
As you can see, the purpose of all of this is summed up above. You have to know who somebody is before you grant them access. This list can seem overwhelming; however, you may already be doing much of this. Your job is to write down what you are doing. Policies must be useful, understandable, and practical in order to be effective.
NIST Special Publication 800-53 (2013). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf