Every employee within your organisation will need to have access to certain computers, databases, information systems, and applications to perform their tasks. While human resources personnel may need access to sensitive health data of employees, your finance department may rely on accessing and using databases containing employee salary details. However, these access rights should be provided, modified, and revoked in line with your organisation’s access control policy and its access controls so that you can prevent unauthorized access to, modification of, and destruction of information assets. For instance, if you fail to revoke the access rights of a former employee, that employee may steal sensitive information. This control deals with how organisations should assign, modify and revoke access rights taking into account business requirements. While provisioning of access rights to critical information seems to be the first of a user stepping into the system, it is recommended to review, modify, and if necessary, delete the access right of the user in a long run. This is a common mistake of organisations that do not or forget to review and modify users’ access rights, which facilitates the ground for numerous information security incidents to happen. For instance, disgruntled employees degrading from a higher position to a lower position in an organisation could cause damage to critical information that they have access to using their escalated access rights. Similarly, an attacker might target sensitive information of the organisation utilizing a person with a lower position but escalated access rights within the organisation. Therefore, access rights provisioning, reviewing, modifying, and deleting within the access control policy is a considerable aspect of the organisation.
Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.
To ensure access to information and other associated assets is defined and authorized according to the business requirements.
ISO 27002 Implementation Guidance
Provision and revocation of access rights
The provisioning process for assigning or revoking physical and logical access rights granted to an entity’s authenticated identity should include:
a) obtaining authorization from the owner of the information and other associated assets for the use of the information and other associated assets. Separate approval for access rights by management can also be appropriate;
b) considering the business requirements and the organization’s topic-specific policy and rules on access control;
c) considering segregation of duties, including segregating the roles of approval and implementation of the access rights and separation of conflicting roles;
d) ensuring access rights are removed when someone does not need to access the information and other associated assets, in particular ensuring access rights of users who have left the organization are removed in a timely fashion;
e) considering giving temporary access rights for a limited time period and revoking them at the expiration date, in particular for temporary personnel or temporary access required by personnel;
f) verifying that the level of access granted is in accordance with the topic-specific policies on access control and is consistent with other information security requirements such as segregation of duties;
g) ensuring that access rights are activated (e.g. by service providers) only after authorization procedures are successfully completed;
h) maintaining a central record of access rights granted to a user identifier (ID, logical or physical) to access information and other associated assets;
i) modifying access rights of users who have changed roles or jobs;
j) removing or adjusting physical and logical access rights, which can be done by removal, revocation or replacement of keys, authentication information, identification cards or subscriptions;
k) maintaining a record of changes to users’ logical and physical access rights.
Review of access rights
Regular reviews of physical and logical access rights should consider the following:
a) users’ access rights after any change within the same organization (e.g. job change, promotion, demotion) or termination of employment ;
b) authorizations for privileged access rights.
Consideration before change or termination of employment
A user’s access rights to information and other associated assets should be reviewed and adjusted or removed before any change or termination of employment based on the evaluation of risk factors such as:
a) whether the termination or change is initiated by the user or by management and the reason for termination;
b) the current responsibilities of the user;
c) the value of the assets currently accessible.
Consideration should be given to establishing user access roles based on business requirements that summarize a number of access rights into typical user access profiles. Access requests and reviews of access rights are easier managed at the level of such roles than at the level of particular rights. Consideration should be given to including clauses in personnel contracts and service contracts that specify sanctions if unauthorized access is attempted by personnel. In cases of management-initiated termination, disgruntled personnel or external party users can deliberately corrupt information or sabotage information processing facilities. In cases of persons resigning or being dismissed, they can be tempted to collect information for future use. Cloning is an efficient way for organizations to assign access to users. However, it should be done with care based on distinct roles identified by the organization rather than just cloning an identity with all associated access rights. Cloning has an inherent risk of resulting in excessive access rights to information and other associated assets.
All staff has a broad constituency with varying degrees of affiliation with the organization. One thing in common among all staff is that all require access to some type of organizational information for a determined period of time – they all become Users. At a high level, organizations can divide Users into two groups based on their type of affiliation with the organization:
- Formal Affiliation: These are Users whose affiliation to the organization is established by some kind of contract or agreement. Users in this group include staff members, employees, vendors, clients, and Management.
- Casual Affiliation: These are Users whose affiliation to the organization is transitory, periodic, mostly informational and not established by a contract or agreement. Users in this group include guests, retirees, the relative of employees, visitors for the website, etc.
Organisation must establish and implement appropriate procedures and controls to assign, modify and revoke access rights to information systems in compliance with the organisation’s access control policy and its access controls. An Information security officer should be responsible to establish, implement and review appropriate rules, processes, and controls for provision, modification and revocation of access rights to information systems. When assigning, modifying, and revoking access rights, the information security officer should consider business needs and should closely work with information asset owners to ensure that rules and processes are adhered to.
Provision and revocation of access rights
A process (however simple and documented) must be implemented to assign or revoke access rights for all user types to all systems and services. It s the set of processes for managing user attributes and policies that determine a user’s access rights to an information resource. In other words, what user attributes, job functions, and organizational affiliations can serve as the basis for access authorization decisions. Users should be granted the least privilege – the most restrictive set of permissions or access rights – needed to perform assigned work tasks. Two common problems are an excessive privilege and creeping privilege. The former happens when a user has more access or permissions than the assigned work tasks and/or role requires. The latter happens when a user account accumulates privileges over time as roles and assigned work tasks to change. Both problems are addressed by periodic review of user access rights. Management of Administrative privileges is particularly important since very common cyber-attack techniques take advantage of unmanaged administrative privileges. An attacker can trick a user into downloading an application from a malicious website or opening a malicious email attachment which contains executable code that installs and runs on the user’s device. In cases where users have administrative rights to their devices, the attacker can take over the device and install keystroke loggers, sniffers, etc. to find administrator passwords and other confidential data. Another common attack involves domain administration privileges in Windows environments potentially giving an attacker significant control over numerous devices and access to the data they contain.Provisioning and revoking process should include:
- Authorization from the owner of the information system or service for the use of the information system or service;
- Verifying that the access granted is relevant to the role being done;
- protecting against provisioning being done before authorization is complete.
User access should always be business led and access based around the requirements of the business. This might sound bureaucratic but it doesn’t need to be and effective simple procedures with role based access by systems and services can address it. Organisations should incorporate the following rules and controls into the process for assignment and revocation of access rights to an authenticated individual:
- Information asset owner should provide its authorization for access to and use of relevant information assets. Furthermore, organisations should also consider seeking separate approval from the management for granting access rights.
- Business needs of the organisation and its policy on access control should be taken into account.
- Organisations should consider segregating duties. For instance, the approval task and the implementation of access rights can be performed by separate individuals.
- When an individual no longer needs access to information assets, particularly when they are no longer part of the organisation, their access rights should be revoked immediately.
- Personnel or other staff working for the organisation temporarily can be provided with temporary access rights. These rights should be revoked when they no longer work for the organisation.
- Level of access provided to an individual should be in line with the organisation’s access control policy and should be reviewed and verified regularly. Furthermore, it should also be in accordance with other information security requirements such as segregation of duties as set out in Control 5.3.
- Organisations should ensure that access rights are not activated until the appropriate authorization procedure is completed.
- Access rights provided to each individual identifier, such as ID or physical, should be logged onto a central access control management system and this system should be maintained.
- If an individual’s role or duties change, their level of access rights should be updated.
- Removal or modification of physical or logical access rights can be carried out via the following methods: Removal or replacement of keys, ID cards, or authentication information.
- Changes to a user’s physical and logical access rights should be logged onto a system and should be maintained.
Review of Access Rights
Some data, due to its nature or confidentiality requirements, may be restricted from general access by users and may require additional levels of formal approval before being made available. Users are granted access to these data on a need-to-know basis – when there are justified work-related reasons for access or need to know. An important characteristic of need-to-know access is the access is granted for a limited period of time. When the reasons for access are no longer valid, access to the data is (or should be) revoked. Least privilege and need-to-know access underscore the importance of the periodic review of user accounts and their corresponding access rights. Dormant user accounts – active user accounts that show no activity for very long periods of time – poses an unnecessary risk for unauthorized access to confidential data. The periodic review of user accounts and corresponding access rights with system owners, disabling user accounts after a preset period of inactivity, purging them after a longer period of inactivity are all good practices to ensure that a system does not contain old, unused user accounts and to mitigate risk. Asset owners must review users’ access rights at regular intervals, both around individual change (on-boarding, change of role and exit) as well broader audits of the systems access. Authorizations for privileged access rights should be reviewed at more frequent intervals given their higher risk nature. This ties in with for internal audits and should be done at least annually or when major changes take place. Physical and logical access rights should go through periodic reviews taking into account:
- Changes in each user’s access rights after they are promoted or demoted within the same organisation, or after their employment is terminated.
- Authorization procedure for granting privileged access rights.
Change or Termination of Employment
Before an employee is promoted or demoted within the same organisation or when his/her employment is terminated, his/her access rights to information processing systems should be evaluated and modified by taking into account the following risk factors:
- Whether the termination process is initiated by the employee or by the organisation and the reason for termination.
- Current responsibilities of the employee within the organisation.
- Criticality and value of information assets accessible to the employee.
All access rights to information and information processing facilities must be revoked following termination of employment, contract, or agreement, as specified in the preceding paragraph (or adjusted upon change of role if required).
Organisations should consider establishing user access roles based on their business requirements. These roles should include the types and number of access rights to be granted to each user group. Creating such roles will make it easier to manage and review access requests and rights. Organisations should include contractual provisions for unauthorized access and sanctions for such access in their employment/service contracts with their staff. Organisations should be cautious against disgruntled employees who are laid off by the management because they may damage information systems on purpose. If organisations decide to use the cloning techniques to grant access rights, they should perform it on the basis of distinct roles established by the organisation. It should be noted that cloning comes with the inherent risk of granting excessive access rights.