MSU SBDC CyberSecurity

Level 1

Access Control

AC.1.001: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

Overview

  • This requirement focuses on account management for systems and applications.
  • Access Control Policies
    • Control access between active entities or subjects and passive entities or objects in systems
  • Access Control
    • The process of granting or denying resources such as information, processing services, or access to company facilities.
  • Logical Access Control
    • Refers to the tools and protocols used to manage interactions with computer systems.
      • Prescribes the type of access that is allowed for users, processes, or devices
    • Controls can be built in a number of different ways:
      • Internal to the operating system
      • Written into applications
      • Designed within products such as communication systems or databases
  • User Access Security
    • Refers to the set of procedures by which authorized users access the system and unauthorized users are prevented from accessing it.

Assessment Questions

  • Does the company use passwords?
  • Does the company have an authentication mechanism?
  • Does the company require users to log on to gain access?
  • Are account requests authorized before system access is granted?
  • Does the company maintain a list of authorized users that defines each user's identity and role, and is that list kept in sync with the system, application, and data layers?

Actions

  • Control who can use company computers and who can log on to the company network.
  • Require usernames and passwords or other authentication methods before allowing access to system resources.
  • Limit the services and devices, like printers, that can be accessed by company computers.
  • Ensure accounts for users are properly authorized before system access is granted.
  • Manage a comprehensive list of all authorized users and job roles and sync with applications or devices responsible for making access decisions.
  • Set up your system so that unauthorized users and devices cannot get on the company network.
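The account-management actions above (authorize accounts before access is granted, keep an authoritative list of users and roles, disable accounts when people leave, and make access decisions from that list) can be checked mechanically. The following Python is an added example written for this page, not code from MSU SBDC or from any CMMC tool; the roster, the system account snapshot and the dates are constructed, and the field names are assumptions. It reconciles a system's account export against the authorized-user roster and shows the same roster driving the log-on decision.

```python
from datetime import date

# Constructed roster of authorized users, as maintained by whoever approves
# account requests. 'revoked' is the date access ended (None = still authorized).
AUTHORIZED_USERS = {
    "alice": {"role": "engineering", "revoked": None},
    "bob":   {"role": "marketing",   "revoked": None},
    "carol": {"role": "finance",     "revoked": date(2023, 3, 15)},  # left the company
    "dave":  {"role": "sales",       "revoked": None},               # approved, no account yet
}

# Constructed snapshot of the accounts that actually exist on one system,
# e.g. an export from a directory service or an application's user table.
SYSTEM_ACCOUNTS = [
    {"username": "alice",      "enabled": True},
    {"username": "bob",        "enabled": True},
    {"username": "carol",      "enabled": True},   # should have been disabled on departure
    {"username": "svc_backup", "enabled": True},   # not on the roster at all
]


def reconcile(authorized, accounts, today):
    """Compare a system's accounts against the authorized-user roster.

    Returns three lists: accounts to disable (authorization revoked but still
    enabled), accounts with no authorization record at all, and authorized
    users who have no account on this system (a sync gap worth knowing about).
    """
    findings = {"disable": [], "unauthorized": [], "missing": []}
    present = set()
    for acct in accounts:
        name = acct["username"]
        present.add(name)
        entry = authorized.get(name)
        if entry is None:
            findings["unauthorized"].append(name)
        elif entry["revoked"] is not None and entry["revoked"] <= today and acct["enabled"]:
            findings["disable"].append(name)
    for name, entry in authorized.items():
        if entry["revoked"] is None and name not in present:
            findings["missing"].append(name)
    return findings


def login_allowed(username, authorized, accounts, today):
    """Access decision driven by the same roster: the account must exist on the
    system, be enabled, and belong to a currently authorized user."""
    entry = authorized.get(username)
    if entry is None or (entry["revoked"] is not None and entry["revoked"] <= today):
        return False
    return any(a["username"] == username and a["enabled"] for a in accounts)


def run_report(today=date(2023, 4, 1)):
    """Run the reconciliation on the constructed data and return the findings."""
    return reconcile(AUTHORIZED_USERS, SYSTEM_ACCOUNTS, today)


def login_checks(today=date(2023, 4, 1)):
    """Log-on decisions for the constructed users on the same date."""
    return {u: login_allowed(u, AUTHORIZED_USERS, SYSTEM_ACCOUNTS, today)
            for u in ("alice", "carol", "svc_backup", "dave")}


if __name__ == "__main__":
    for category, names in run_report().items():
        print(f"{category}: {', '.join(names) or '-'}")
    print(login_checks())
```

Run on a schedule against each system that makes access decisions, the "disable" and "unauthorized" lists are the findings an assessor would ask about; the "missing" list is the sync gap between the roster and the system.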

Relevant Personnel

  • Employees with account management responsibilities
  • System/network administrators
  • Employees with responsibilities for managing remote access connections
  • Employees with information security responsibilities
  • Employees with access enforcement responsibilities
  • System developers

Scenarios

  • You are in charge of IT for your company. You give a username and password to every employee who uses a company computer for their job. No one can use a company computer without a username and a password. You give a username and password only to those employees you know have permission to be on the system. When an employee leaves the company, you disable their username and password immediately.
  • A coworker from the marketing department tells you their boss wants to buy a new multifunction printer/scanner/fax device and make it available on the company network. You explain that the company controls system and device access to the network, and will stop non-company systems and devices unless they already have permission to access the network. You work with the marketing department to grant permission to the new printer/scanner/fax device to connect to the network, then install it.

References

  • NIST Handbook 162, Sec. 3.1.1
  • FAR Clause 52.204-21 b.1.i
  • NIST SP 800-171 Rev 1 3.1.1
  • CIS Controls v7.1 1.4, 1.6, 5.1, 14.6, 15.10, 16.8, 16.9, 16.11
  • NIST CSF v1.1 PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-3, PR.PT-4
  • CERT RMM v1.2 TM:SG4.SP1
  • NIST SP 800-53 Rev 4 AC-2, AC-3, AC-17
  • AU ACSC Essential Eight

AC.1.002: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

Overview

  • Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both.
  • System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary.
  • Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin.
  • In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades, scheduled maintenance) and mission or business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements).
  • Only allow users who are permitted to perform an action to access the components of the system involved in that action.
  • Users are restricted to only the part of a system that they are explicitly permitted to use.

Assessment Questions

  • Do you use access control lists to limit access to applications and data based on role and/or identity?
  • Does the system allow for the separation of access control rights and enforcement of those rights?

Actions

  • Implement access control lists that permit access to data/functionality based upon a user's role and/or identity.
  • Separate the duties of creating access control rights and enforcing those rights.
    • Helps to protect against potential rogue employees
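The overview and actions above describe access control lists keyed on role or identity, extra attributes such as time-of-day, day-of-week and point-of-origin, and a separation between the people who create access rights and the component that enforces them. The Python below is an added example written for this page, not code from MSU SBDC or from any product; the rules, users, times and addresses are constructed, and the Rule fields, PolicyStore class and decide() function are assumptions. Policy authoring is confined to designated authors, and the enforcement side only ever sees an immutable snapshot, so an enforcement bug or a rogue user cannot rewrite the policy.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Rule:
    """One access control list entry. A request matches when the resource and
    action agree, the requester is named or holds one of the roles, and the
    optional time-of-day, day-of-week and point-of-origin restrictions hold."""
    resource: str
    action: str
    roles: frozenset = frozenset()             # any listed role qualifies
    users: frozenset = frozenset()             # or an explicitly named identity
    hours: tuple = (0, 24)                     # allowed [start, end) hour of day
    weekdays: frozenset = frozenset(range(7))  # 0 = Monday ... 6 = Sunday
    networks: tuple = ()                       # allowed source CIDRs; empty = any


class PolicyStore:
    """Administration side of the separation of duties: only designated policy
    authors can add rules, and enforcement only receives an immutable copy."""

    def __init__(self, authors):
        self._authors = frozenset(authors)
        self._rules = []

    def add_rule(self, author, rule):
        if author not in self._authors:
            raise PermissionError(f"{author} is not a policy author")
        self._rules.append(rule)

    def snapshot(self):
        return tuple(self._rules)


def _matches(rule, user, roles, resource, action, when, src_ip):
    if rule.resource != resource or rule.action != action:
        return False
    if user not in rule.users and not (rule.roles & roles):
        return False
    if not rule.hours[0] <= when.hour < rule.hours[1]:
        return False
    if when.weekday() not in rule.weekdays:
        return False
    if rule.networks:
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in ipaddress.ip_network(n) for n in rule.networks):
            return False
    return True


def decide(rules, user, roles, resource, action, when, src_ip):
    """Enforcement side: deny by default, allow only if some rule matches."""
    roles = frozenset(roles)
    return any(_matches(r, user, roles, resource, action, when, src_ip) for r in rules)


# Constructed policy: payroll staff may read payroll data during business hours
# on weekdays from the internal network; carol may audit it at any time.
STORE = PolicyStore(authors={"sec_admin"})
STORE.add_rule("sec_admin", Rule("payroll", "read", roles=frozenset({"payroll"}),
                                 hours=(8, 18), weekdays=frozenset(range(5)),
                                 networks=("10.0.0.0/8",)))
STORE.add_rule("sec_admin", Rule("payroll", "audit", users=frozenset({"carol"})))
RULES = STORE.snapshot()


def demo_decisions():
    """Evaluate a few constructed requests against RULES."""
    tue_10am = datetime(2023, 6, 13, 10, 0)   # a Tuesday
    tue_8pm = datetime(2023, 6, 13, 20, 0)
    sat_10am = datetime(2023, 6, 17, 10, 0)   # a Saturday
    return {
        "alice_weekday_internal": decide(RULES, "alice", {"payroll"}, "payroll", "read", tue_10am, "10.1.2.3"),
        "alice_after_hours":      decide(RULES, "alice", {"payroll"}, "payroll", "read", tue_8pm, "10.1.2.3"),
        "alice_weekend":          decide(RULES, "alice", {"payroll"}, "payroll", "read", sat_10am, "10.1.2.3"),
        "alice_external_ip":      decide(RULES, "alice", {"payroll"}, "payroll", "read", tue_10am, "203.0.113.5"),
        "bob_shipping":           decide(RULES, "bob", {"shipping"}, "payroll", "read", tue_10am, "10.1.2.3"),
        "carol_audit_weekend":    decide(RULES, "carol", {"finance"}, "payroll", "audit", sat_10am, "203.0.113.5"),
    }


def rogue_author_rejected():
    """Separation of duties check: someone who is not a policy author cannot
    grant themselves access by adding a rule."""
    try:
        STORE.add_rule("bob", Rule("payroll", "read", users=frozenset({"bob"})))
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for request, allowed in demo_decisions().items():
        print(f"{request}: {'allow' if allowed else 'deny'}")
    print("rogue author rejected:", rogue_author_rejected())
```

The shipping-department request is denied because no rule names that role, which is the outcome the payroll scenario below describes; the after-hours, weekend and external-address requests are denied by the attribute restrictions even though the role matches.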

Relevant Personnel

  • Personnel with account management responsibilities
  • System/network administrators
  • Personnel with responsibilities for managing remote access connections
  • Personnel with information security responsibilities
  • Personnel with access enforcement responsibilities
  • System developers

Scenario

  • You are in charge of payroll for the company and need access to certain company financial information and systems. You work with IT to set up the system so that when users log onto the company's network, only those employees you allow can use the payroll applications and access payroll data. Because of this good access control, your coworkers in the Shipping Department cannot access information about payroll or paychecks.

References

  • NIST Handbook 162, Sec. 3.1.2
  • FAR Clause 52.204-21 b.1.ii
  • NIST SP 800-171 Rev 1 3.1.2
  • CIS Controls v7.1 1.4, 1.6, 5.1, 8.5, 14.6, 15.10, 16.8, 16.9, 16.11
  • NIST CSF v1.1 PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-3, PR.PT-4
  • CERT RMM v1.2 TM:SG4.SP1
  • NIST SP 800-53 Rev 4 AC-2, AC-3, AC-17

AC.1.003: Verify and control/limit connections to and use of external information systems.

Overview

  • This requirement also addresses the use of external systems for the processing, storage, or transmission of Federal Contract Information (FCI).
    • This includes accessing cloud services from organizational systems.
      • E.g., infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS)
  • External Systems
    • Systems, or components of systems, over which the organization typically has no direct supervision or authority.
    • External systems include personally owned systems, components, or devices and privately owned computing and communications devices.

Assessment Questions

  • Are only authorized individuals permitted external access?
  • Are guidelines and restrictions placed on the use of personally owned or external system access?
  • Do those systems meet the security standards set by the company?
  • Is the number of access points to the system limited, to allow better monitoring of inbound and outbound network traffic?

Actions

  • Ensure via access control policies that only authorized individuals are permitted external access.
  • Establish restrictions for use of personally owned or external system access.
  • Ensure that any external systems meet the security standards set by the organization.
  • Create a limit for the number of connections that are permitted.
    • This helps with better monitoring of inbound and outbound network traffic

Relevant Personnel

  • Employees with responsibilities for defining terms and conditions for use of external information systems to access company systems
  • System/network administrators
  • Employees with information security responsibilities

Scenario

  • You help manage IT for your employer. You and your coworkers are working on a big proposal, and all of you will put in extra hours over the weekend to get it done. Part of the proposal includes Federal Contract Information, or FCI. FCI is information that you or your company get from doing work for the Federal government. Because FCI is not shared publicly, you remind your coworkers to use their company laptops, not personal laptops or tablets, when working on the proposal over the weekend.

References

  • NIST Handbook 162, Sec. 3.1.20
  • FAR Clause 52.204-21 b.1.iii
  • NIST SP 800-171 Rev 1 3.1.20
  • CIS Controls v7.1 12.1, 12.4
  • NIST CSF v1.1 ID.AM-4, PR.AC-3
  • CERT RMM v1.2 EXD:SG3.SP1
  • NIST SP 800-53 Rev 4 AC-20, AC-20(1)

AC.1.004: Control information posted or processed on publicly accessible information systems.

Overview

  • This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication.
  • Individuals authorized to post CUI onto publicly accessible systems are designated.
  • The content of information is reviewed prior to posting onto publicly accessible systems to ensure that nonpublic information is not included.

Assessment Questions

  • Do only authorized employees post information on publicly accessible information systems?
  • Are authorized employees trained to ensure that CUI and other non-public information are not posted?
  • Is public information reviewed annually to ensure that CUI and non-public information is not posted?
  • Is the proposed content of publicly accessible information reviewed prior to posting?

Actions

  • Create procedures that permit only authorized personnel to post information on publicly accessible information systems.
  • Implement training practices that teach authorized employees the proper methods for ensuring that CUI and other sensitive company information are not posted.
  • Establish a review procedure before any post is submitted to ensure the content does not expose any CUI.

Relevant Personnel

  • Employees with responsibilities for managing publicly accessible information posted on company information systems
  • Employees with information security responsibilities

Scenario

  • You are head of marketing for your company and want to become better known by your customers. So, you decide to start issuing press releases about your company projects. Your company gets FCI from doing work for the Federal government. FCI is information that is not shared publicly. Because you recognize the need to control sensitive information, including FCI, you carefully review all information before posting it on the company website or releasing it to the public. You allow only certain employees to post to the website.

References

  • NIST Handbook 162, Sec. 3.1.22
  • FAR Clause 52.204-21 b.1.iv
  • NIST SP 800-171 Rev 1 3.1.22
  • NIST SP 800-53 Rev 4 AC-22