ISO 27001:2022 A 8.3 Information access restriction

Access to information and application system functions shall be restricted in accordance with the access control policy. There should be a complete description of the restrictions applied to particular authorities under the access control policy. Control of access should be applied in compliance with the stated access control policy and based on business application requirements. The organization can control access to application system functions through menus and limit the data that a specific user is able to access. User access privileges, such as read, write, delete and execute, need to be applied, as do controls on other applications’ access rights. Output data should be reduced to the minimum required, and physical or logical access control should be used to isolate sensitive applications, application data and systems from the rest of the network.

Control

Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control.

Purpose

To ensure only authorized access and to prevent unauthorized access to information and other associated assets.

ISO 27002 Implementation Guidance

Access to information and other associated assets should be restricted in accordance with the established topic-specific policies. The following should be considered in order to support access restriction requirements:

  1. not allowing access to sensitive information by unknown user identities or anonymously. Public or anonymous access should only be granted to storage locations that do not contain any sensitive information;
  2. providing configuration mechanisms to control access to information in systems, applications and services;
  3. controlling which data can be accessed by a particular user;
  4. controlling which identities or group of identities have which access, such as read, write, delete and execute;
  5. providing physical or logical access controls for the isolation of sensitive applications, application data, or systems.

Further, dynamic access management techniques and processes to protect sensitive information that has high value to the organization should be considered when the organization:

  1. needs granular control over who can access such information during what period and in what way;
  2. wants to share such information with people outside the organization and maintain control over who can access it;
  3. wants to dynamically manage, in real-time, the use and distribution of such information;
  4. wants to protect such information against unauthorized changes, copying and distribution (including printing);
  5. wants to monitor the use of the information;
  6. wants to record any changes to such information that take place in case a future investigation is required.

Dynamic access management techniques should protect information throughout its life cycle (i.e. creation, processing, storage, transmission and disposal), including:
a) establishing rules on the management of dynamic access based on specific use cases considering:

  1. granting access permissions based on identity, device, location or application;
  2. leveraging the classification scheme in order to determine what information needs to be protected with dynamic access management techniques;

b) establishing operational, monitoring and reporting processes and supporting technical infrastructure.

Dynamic access management systems should protect information by:

  1. requiring authentication, appropriate credentials or a certificate to access information;
  2. restricting access, for example to a specified time frame (e.g. after a given date or until a particular date);
  3. using encryption to protect information;
  4. defining the printing permissions for the information;
  5. recording who accesses the information and how the information is used;
  6. raising alerts if attempts to misuse the information are detected.

Other information

Dynamic access management techniques and other dynamic information protection technologies can support the protection of information even when data is shared beyond the originating organization, where traditional access controls cannot be enforced. It can be applied to documents, emails or other files containing information to limit who can access the content and in what way. It can be at a granular level and be adapted over the life cycle of the information. Dynamic access management techniques do not replace classical access management [e.g. using access control lists (ACLs)], but can add more factors for conditionality, real-time evaluation, just-in-time data reduction and other enhancements that can be useful for the most sensitive information. It offers a way to control access outside the organization’s environment. Incident response can be supported by dynamic access management techniques as permissions can be modified or revoked at any time. Additional information on a framework for access management is provided in ISO 29146.

In order to maintain effective control over information and ICT assets, and in support of access restriction measures, organisations should ensure the following in line with a topic-specific approach to information access:

  1. Prevent anonymous access to information, including far-reaching public access. Where public or third-party access is granted, organisations should ensure that access does not extend to sensitive or business critical data.
  2. Operate with adequate maintenance measures that control systems access, and any associated business applications or processes.
  3. Dictate data access on a user-by-user basis.
  4. Specify data access rights between groups that validate specific data operations, such as read, write, delete and execute.
  5. Retain the ability to partition off business critical processes and applications using a range of physical and digital access controls.

Dynamic Access Control enables administrators to apply access-control permissions and restrictions based on well-defined rules that can include the sensitivity of the resources, the job or role of the user, and the configuration of the device that is used to access these resources. For example, a user might have different permissions when they access a resource from their office computer versus when they are using a portable computer over a virtual private network. Or access may be allowed only if a device meets the security requirements that are defined by the network administrators. When Dynamic Access Control is used, a user’s permissions change dynamically without additional administrator intervention if the user’s job or role changes.

Dynamic access management has numerous residual benefits for organisational processes that feature the need to share or use internal data with external users, including faster incident resolution times. Dynamic access management techniques protect a broad range of information types, from standard documents to emails and database information, and have the ability to be applied on a granular file-by-file basis, enabling tight control of data on an organisational level. Organisations should consider such an approach when:

  1. Requiring granular control over which human and non-human users are able to access such information at any given time.
  2. The need arises to share information with external parties (such as suppliers or regulatory bodies).
  3. Considering a “real-time” approach to data management and distribution that involves monitoring and managing data use as it occurs.
  4. Safeguarding information against unauthorised amendments, sharing or output (printing etc).
  5. Monitoring the access to and changing of information, particularly when the information in question is of a sensitive nature.

Dynamic access management is of particular use for organisations that need to monitor and protect data from creation through to deletion, including:

  1. Outlining a use case (or series of use cases) that applies data access rules based on the following variables:
    • Identity
    • Device
    • Location
    • Application
  2. Outlining a process that covers off the operation and monitoring of data, and establishing a thorough reporting process which is in turn informed by a sound technical infrastructure.

All efforts to formulate a dynamic access management approach should result in data being protected by:

  1. Ensuring that access to data is the end result of a successful authentication process.
  2. A degree of restricted access, based on the data type and its ability to impact business continuity.
  3. Encryption.
  4. Printing permissions.
  5. Thorough audit logs that record who accesses data, and how that data is being used.
  6. An alerts procedure that flags up inappropriate data use, including (but not limited to) unauthorized access and distribution, and attempted deletion.

Features and concepts associated with Dynamic Access Management include:

1. Central access rules
A central access rule is an expression of authorization rules that can include one or more conditions involving user groups, user claims, device claims, and resource properties. Multiple central access rules can be combined into a central access policy. If one or more central access rules have been defined, administrators can match specific rules to specific resources and business requirements.

2. Central access policies
Central access policies are authorization policies that include conditional expressions. For example, let’s say an organization has a business requirement to restrict access to personally identifiable information (PII) in files to only the file owner and members of the human resources (HR) department who are allowed to view PII information. This represents an organization-wide policy that applies to PII files wherever they are located on file servers across the organization. To implement this policy, an organization needs to be able to:

  • Identify and mark the files that contain the PII.
  • Identify the group of HR members who are allowed to view the PII information.
  • Add the central access policy to a central access rule, and apply the central access rule to all files that contain the PII, wherever they are located amongst the file servers across the organization.

Central access policies act as security umbrellas that an organization applies across its servers. These policies are in addition to (but do not replace) the local access policies or discretionary access control lists (DACLs) that are applied to files and folders.

3. Claims
A claim is a unique piece of information about a user, device, or resource that has been published by a domain controller. The user’s title, the department classification of a file, or the health state of a computer are valid examples of a claim. An entity can involve more than one claim, and any combination of claims can be used to authorize access to resources. Claims make it possible for administrators to make precise organization- or enterprise-wide statements about users, devices, and resources that can be incorporated in expressions, rules, and policies.

4. Expressions
Conditional expressions are an enhancement to access control management that allow or deny access to resources only when certain conditions are met, for example, group membership, location, or the security state of the device. Expressions help administrators manage access to sensitive resources with flexible conditions in increasingly complex business environments.

5. Proposed permissions
Proposed permissions enable an administrator to more accurately model the impact of potential changes to access control settings without actually changing them. Predicting the effective access to a resource helps you plan and configure permissions for those resources before implementing those changes.
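The following is an added example, not code from this page or from Windows itself: a small Python model of the concepts above (user, device and resource claims; conditional expressions; central access rules combined into a policy that narrows, never widens, the local DACL; and proposed-permission what-if evaluation). It works through the PII/HR requirement described under central access policies, then stages a hypothetical device-health rule and reports which requests its adoption would change. All names, SIDs and claim values are constructed.

```python
# Added example: a model of Dynamic Access Control concepts, not Windows DAC code.
from dataclasses import dataclass, field
from typing import Callable

Claims = dict                                  # claims about a user, device or resource
Condition = Callable[[dict, dict, dict], bool]  # (user, device, resource) -> allowed?

@dataclass
class CentralAccessRule:
    name: str
    targets: Callable[[dict], bool]   # resource condition: which files the rule covers
    permit: Condition                 # conditional expression that must hold

@dataclass
class CentralAccessPolicy:
    name: str
    rules: list = field(default_factory=list)

def effective_access(policy, dacl, user, device, resource) -> bool:
    """Grant only if the local DACL allows access AND every central access rule
    targeting this resource permits it: the central policy is additional to,
    and never replaces, the DACL."""
    if not dacl(user):
        return False
    return all(r.permit(user, device, resource)
               for r in policy.rules if r.targets(resource))

def propose(policy, new_rule, dacl, requests):
    """Proposed permissions: list requests whose outcome would change if
    new_rule were added, without modifying the live policy."""
    staged = CentralAccessPolicy(policy.name, policy.rules + [new_rule])
    changes = []
    for label, user, device, resource in requests:
        before = effective_access(policy, dacl, user, device, resource)
        after = effective_access(staged, dacl, user, device, resource)
        if before != after:
            changes.append((label, before, after))
    return changes

# Constructed sample data modelling the PII / HR requirement from the text.
DACL = lambda u: u.get("domain") == "corp"     # existing DACL: any domain user
PII_RULE = CentralAccessRule("PII Rule", lambda r: r.get("PII") == "Yes",
    lambda u, d, r: u.get("sid") == r.get("owner") or u.get("department") == "HR")
PII_POLICY = CentralAccessPolicy("PII Policy", [PII_RULE])
HEALTHY_DEVICE_RULE = CentralAccessRule("Healthy device", lambda r: r.get("PII") == "Yes",
    lambda u, d, r: d.get("health") == "compliant")   # device claim, proposed only
HR = {"sid": "S-1", "domain": "corp", "department": "HR"}
ENG = {"sid": "S-2", "domain": "corp", "department": "Engineering"}
PII_FILE = {"PII": "Yes", "owner": "S-2"}
PLAIN_FILE = {"PII": "No", "owner": "S-9"}
REQUESTS = [("hr-office", HR, {"health": "compliant"}, PII_FILE),
            ("hr-vpn-laptop", HR, {"health": "unknown"}, PII_FILE),
            ("eng-own-file", ENG, {"health": "unknown"}, PII_FILE)]
```

Running `propose(PII_POLICY, HEALTHY_DEVICE_RULE, DACL, REQUESTS)` shows that the staged rule would newly deny the HR user on an unmanaged laptop and the file owner on an unmanaged device, while the office request is unaffected.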
