Access Controls
AC-5 SEPARATION OF DUTIES
This control divides duties and responsibilities among individuals so that no single person holds the combination of privileges needed to carry out and conceal a malicious or erroneous action (for example, the same person should not both request and approve a purchase, or both write and deploy production code). It reduces the risk that privileges are misused, whether by one individual acting alone or through collusion. Roles, responsibilities and the privileges attached to them must be clearly defined and documented so that individuals know the limits of their authority and conflicts of interest are avoided.
Under this control, an organization shall take following steps:
Duties that would create a conflict of interest if held by one person shall be separated among different individuals.
Roles and responsibilities of the different individuals shall be documented.
An individual's access to the organization's information system shall be limited to what his/her documented roles and responsibilities require.
AC-7 UNSUCCESSFUL LOGON ATTEMPTS
This control helps prevent unauthorized access to the organization's information system by limiting online password guessing: an attacker who cannot try an unbounded number of passwords against an account is far less likely to find the right one.
Under this control, the organization shall take following steps:
Enforce a limit on the number of consecutive unsuccessful logon attempts by a user within an organization-defined time period.
When that limit is exceeded, automatically lock the account or node, either for an organization-defined period or until released by an administrator, or delay the next logon prompt according to an organization-defined delay algorithm. The counter should track consecutive failures and reset on a successful logon. Because an attacker who knows a username can deliberately trigger the lock, permanent lockouts expose accounts to denial of service; time-limited locks or progressive delays, combined with throttling by source address, limit that side effect.
Control enhancements:
UNSUCCESSFUL LOGON ATTEMPTS | PURGE / WIPE MOBILE DEVICE
This enhancement applies only to mobile devices the organization controls. When the organization-defined number of consecutive unsuccessful logon attempts is exceeded, organizational information is purged or wiped from the device, leaving it in a state in which it can be reissued as if new. Purging may be unnecessary where the stored information is protected by strong encryption; in that case destroying the encryption key (a cryptographic erase) achieves the same effect far faster than overwriting storage.
AC-8 SYSTEM USE NOTIFICATION
This control applies to information systems that humans access through a logon interface. Before the logon is completed, the system displays information the user must take note of, for instance a warning banner stating the terms and conditions under which the network being accessed may be used.
Following shall be implemented by an organization under this control:
A system use notification message or banner, consistent with applicable federal laws, executive orders, directives, policies, regulations, standards and guidance, is displayed before access is granted. It states that the user is accessing an organizational system, that usage may be monitored, recorded and audited, that unauthorized use is prohibited and subject to penalties, and that use of the system indicates consent to monitoring.
The notification remains on the screen until the user acknowledges the usage conditions and takes explicit action to log on to or further access the system.
In the case of a publicly accessible system, the system notification shall
display the usage conditions before further access is granted.
display references to monitoring, recording or auditing that are consistent with the privacy accommodations for such systems, which generally prohibit those activities.
display a description of the authorized uses of the system.
AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION
Under this control, whenever a user logs on to the system through a human-user interface, the system notifies the user of the date and time of the last logon (access). This lets the user notice a logon that he/she did not perform.
Control enhancements:
UNSUCCESSFUL LOGONS
Upon successful logon, the user is notified of the number of unsuccessful logon attempts since the last successful logon.
SUCCESSFUL / UNSUCCESSFUL LOGONS
The user is notified of the number of successful logons, unsuccessful logon attempts, or both, during an organization-defined time period, for example the number of attempts in the last 30 days.
NOTIFICATION OF ACCOUNT CHANGES
The user is notified of organization-defined changes to the account, for example a password change or a change to personal information, made during an organization-defined time period.
ADDITIONAL LOGON INFORMATION
Upon successful logon, the user is notified of organization-defined additional information in addition to the date and time of the last successful logon. This may be the location from which the last access was made, or guidelines on use of the organization's network.
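The following is an added example, not part of this control description or of NIST's own material: a small Python logon gate that enforces the AC-7 consecutive-failure threshold with a time-limited lock and, on a successful logon, produces the AC-9 notice (last logon time, failures since the last successful logon, and counts over a reporting window). The threshold of five attempts, the 15-minute lock, the 30-day window and the Account structure are assumptions chosen for illustration.

```python
"""Logon gate implementing an AC-7 lockout threshold and AC-9 previous-logon
notification. Added example; the threshold (5), lockout period (15 minutes)
and reporting window (30 days) are assumed organization-defined values.
"""
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Account:
    username: str
    secret: str                        # expected password; plaintext only to keep the example self-contained
    failed_streak: int = 0             # consecutive failures; reset on success or when a lock expires (AC-7)
    locked_until: Optional[datetime] = None
    last_success: Optional[datetime] = None
    failures_since_success: int = 0    # AC-9(1): failures since the last successful logon
    history: list = field(default_factory=list)   # (timestamp, succeeded) pairs for AC-9(2)


class LogonGate:
    def __init__(self, max_failures: int = 5,
                 lockout: timedelta = timedelta(minutes=15),
                 report_window: timedelta = timedelta(days=30)) -> None:
        self.max_failures = max_failures
        self.lockout = lockout
        self.report_window = report_window

    def attempt(self, acct: Account, password: str, now: datetime) -> dict:
        # AC-7: a locked account is refused before the password is examined, so
        # no further guesses are evaluated while the lock is in force.
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return {"result": "locked", "retry_after": acct.locked_until}
            acct.locked_until = None       # time-limited lock has expired: automatic unlock
            acct.failed_streak = 0

        # Constant-time comparison avoids leaking the secret through timing.
        ok = hmac.compare_digest(acct.secret.encode(), password.encode())
        if not ok:
            acct.history.append((now, False))
            acct.failed_streak += 1
            acct.failures_since_success += 1
            if acct.failed_streak >= self.max_failures:
                acct.locked_until = now + self.lockout
                return {"result": "locked", "retry_after": acct.locked_until}
            return {"result": "denied", "remaining": self.max_failures - acct.failed_streak}

        # AC-9: the notice is built from the history *before* this logon is
        # recorded, so it describes what happened since the user was last here.
        notice = self._previous_logon_notice(acct, now)
        acct.history.append((now, True))
        acct.failed_streak = 0
        acct.failures_since_success = 0
        acct.last_success = now
        return {"result": "ok", "notice": notice}

    def _previous_logon_notice(self, acct: Account, now: datetime) -> dict:
        since = now - self.report_window
        recent = [ok for (t, ok) in acct.history if t >= since]
        return {
            "last_success": acct.last_success,                           # AC-9 base control
            "failures_since_last_success": acct.failures_since_success,  # AC-9(1)
            "successes_in_window": sum(1 for ok in recent if ok),        # AC-9(2)
            "failures_in_window": sum(1 for ok in recent if not ok),     # AC-9(2)
        }


def demo() -> list:
    """Constructed scenario: five bad guesses lock the account, the correct password
    is refused while the lock holds, and the first successful logon after the lock
    expires reports the failures the user never made."""
    gate = LogonGate()
    acct = Account("alice", "correct horse battery staple")
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    good, bad = "correct horse battery staple", "wrong"
    results = [gate.attempt(acct, bad, t0 + timedelta(minutes=i)) for i in range(5)]
    results.append(gate.attempt(acct, good, t0 + timedelta(minutes=5)))    # still locked
    results.append(gate.attempt(acct, good, t0 + timedelta(minutes=20)))   # lock expired
    results.append(gate.attempt(acct, bad, t0 + timedelta(minutes=21)))    # streak starts again at 1
    results.append(gate.attempt(acct, good, t0 + timedelta(minutes=22)))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Running the block prints the sequence of decisions for the constructed scenario. Note that the AC-9 notice surfaces the five failed attempts to the legitimate user on the next successful logon, which is the point of the control: the user, not only the security team, learns that someone was guessing at the account.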
AC-10 CONCURRENT SESSION CONTROL
This control limits the number of concurrent sessions for each organization-defined account or account type to an organization-defined number. The limit may be applied to all accounts, to specific account types (for example privileged accounts, which warrant the tightest limit), or to individual accounts. Enforcing it requires a single authoritative record of open sessions: counts kept separately on each server diverge as soon as a user's logons are spread across several hosts.
AC-11 SESSION LOCK
This control ensures that when a user steps away from the system temporarily, the session can be locked: the session and its state are preserved, the user is not logged out, and the display is protected until the user returns.
Under this control:
Session locks prevent further access to the system after an organization-defined period of inactivity, or when the user initiates the lock, and are intended for short absences.
The session lock is retained until the user re-establishes access using the established identification and authentication procedures. A session lock is not a substitute for logging out: the session remains open on the system, so locking should be combined with session termination (AC-12) for longer absences.
Control enhancements:
PATTERN-HIDING DISPLAYS
During the session lock, the display is concealed with a publicly viewable image (such as a blank screen or a static picture) so that whatever was shown on the screen before the lock is hidden.
AC-12 SESSION TERMINATION
This control ensures that a user session is terminated automatically when an organization-defined condition or trigger event occurs, for instance when the session has been inactive for a specified period. Session termination ends all processes associated with the user's logical session, except for processes specifically created by the user (or on the user's behalf) to continue running after the session ends.
Control enhancements:
USER-INITIATED LOGOUTS / MESSAGE DISPLAYS
Whenever a user establishes a session on the organization's system after authenticating, a logout capability shall be available to the user.
An explicit logout message is displayed to confirm that the authenticated session has been reliably terminated, so that the user does not walk away believing the session is closed when it is not.
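The following is an added example, not part of the control text or of NIST's material: a Python session manager that applies AC-10, AC-11 and AC-12 together, since all three act on the same record of open sessions. It limits concurrent sessions per account type, locks a session after a period of inactivity while keeping its state, requires re-authentication to unlock it, and terminates it (or honours an explicit logout, returning the AC-12(1) message) after a longer timeout. The limits and timeouts are assumed organization-defined values; re-authentication is modelled as a flag passed by the caller because the credential check itself belongs to the authenticator, not to the session store.

```python
"""Session manager for AC-10 (concurrent session limits), AC-11 (session lock
preserving state until re-authentication) and AC-12 (session termination).
Added example; limits and timeouts are assumed organization-defined values, and
re-authentication is modelled as a flag supplied by the caller because the
credential check itself belongs to the authenticator, not the session store.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Session:
    sid: str
    user: str
    last_activity: datetime
    locked: bool = False
    state: dict = field(default_factory=dict)   # working state kept across a lock (AC-11)


class SessionManager:
    def __init__(self, max_sessions: Dict[str, int],
                 lock_after: timedelta, terminate_after: timedelta) -> None:
        self.max_sessions = max_sessions        # keyed by account type; "default" covers the rest
        self.lock_after = lock_after
        self.terminate_after = terminate_after
        self.sessions: Dict[str, Session] = {}
        self._counter = 0

    def open(self, user: str, account_type: str, now: datetime) -> Session:
        self.sweep(now)                         # expired sessions must not count against the limit
        limit = self.max_sessions.get(account_type, self.max_sessions["default"])
        if sum(1 for s in self.sessions.values() if s.user == user) >= limit:
            raise PermissionError(f"{user}: concurrent session limit of {limit} reached")   # AC-10
        self._counter += 1
        sess = Session(f"s{self._counter}", user, now)
        self.sessions[sess.sid] = sess
        return sess

    def sweep(self, now: datetime) -> List[str]:
        """Lock sessions idle for lock_after (AC-11); terminate those idle for
        terminate_after (AC-12). Returns the termination messages produced."""
        messages = []
        for sid, sess in list(self.sessions.items()):
            idle = now - sess.last_activity
            if idle >= self.terminate_after:
                messages.append(self.terminate(sid, "inactivity timeout"))
            elif idle >= self.lock_after:
                sess.locked = True
        return messages

    def use(self, sid: str, now: datetime, reauthenticated: bool = False) -> Session:
        """Activity on a session: refused while locked unless the user has just
        re-authenticated; a terminated session is gone and needs a new logon."""
        self.sweep(now)
        sess = self.sessions.get(sid)
        if sess is None:
            raise LookupError(f"session {sid} has been terminated; log on again")
        if sess.locked:
            if not reauthenticated:
                raise PermissionError(f"session {sid} is locked; re-authenticate to continue")
            sess.locked = False                 # unlock; sess.state is left untouched
        sess.last_activity = now
        return sess

    def terminate(self, sid: str, reason: str) -> str:
        """Explicit (user logout) or automatic termination; the text is the AC-12(1) message."""
        sess = self.sessions.pop(sid)
        return f"Session {sid} for {sess.user} has been terminated ({reason})."


def demo() -> dict:
    """Constructed scenario: one session for privileged accounts, three for standard
    ones, a 15-minute lock and a one-hour termination timeout."""
    mgr = SessionManager({"privileged": 1, "default": 3},
                         lock_after=timedelta(minutes=15), terminate_after=timedelta(hours=1))
    t0 = datetime(2024, 1, 1, 9, 0)
    out = {}

    def attempt(fn, *args, **kw):
        try:
            fn(*args, **kw)
            return "allowed"
        except (PermissionError, LookupError) as exc:
            return type(exc).__name__

    root = mgr.open("root", "privileged", t0)
    root.state["cwd"] = "/etc"
    out["second_root_session"] = attempt(mgr.open, "root", "privileged", t0)       # AC-10
    bobs = [mgr.open("bob", "default", t0) for _ in range(3)]
    out["fourth_bob_session"] = attempt(mgr.open, "bob", "default", t0)
    t1 = t0 + timedelta(minutes=20)
    out["use_while_locked"] = attempt(mgr.use, root.sid, t1)                         # AC-11
    out["state_after_unlock"] = dict(mgr.use(root.sid, t1, reauthenticated=True).state)
    out["logout_message"] = mgr.terminate(bobs[0].sid, "user logout")               # AC-12(1)
    out["use_after_timeout"] = attempt(mgr.use, root.sid, t1 + timedelta(hours=1))   # AC-12
    out["remaining_sessions"] = len(mgr.sessions)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point worth noticing is that the inactivity rules are applied in sweep() on every access to the session store, so a lock or termination takes effect the moment the next request arrives even if no background timer exists; a real deployment would also run sweep() periodically so that idle sessions do not linger in storage until someone touches them.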
AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
This control identifies the specific user actions that may be performed on the information system without identification or authentication, consistent with the organization's mission and business functions. Such actions are kept to a minimum. For example, anyone may view the quarterly performance report published on the organization's public website.
The organization shall document these actions, together with the supporting rationale, in the security plan for the information system.
AC-17 REMOTE ACCESS
Under this control, the organization establishes and documents usage restrictions, configuration and connection requirements, and implementation guidance for each type of remote access permitted.
Each type of remote access to the organization's information system is authorized before such connections are allowed.
Control Enhancements:
AUTOMATED MONITORING / CONTROL
Monitoring and control of remote access sessions lets the organization verify that users comply with its remote access policies and detect attempts at unauthorized access or attacks.
PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION
Cryptographic mechanisms shall be implemented to protect the confidentiality and integrity of remote access sessions (for example a VPN or a TLS-protected session rather than a plaintext protocol).
MANAGED ACCESS CONTROL POINTS
All remote access is routed through a limited number of managed network access control points, which reduces the attack surface the organization has to monitor and defend.
PRIVILEGED COMMANDS / ACCESS
Execution of privileged commands and access to security-relevant information via remote access is authorized only for organization-defined operational needs, and the rationale for such access is documented in the security plan.
PROTECTION OF INFORMATION
The organization shall ensure that users do not make unauthorized disclosures of information obtained through, or relating to, remote access.
DISCONNECT / DISABLE ACCESS
The organization must have the capability to expeditiously disconnect or disable remote access sessions in progress and to prevent further remote access to the organization's information system.
AC-18 WIRELESS ACCESS
Under this control, the organization establishes usage restrictions, configuration and connection requirements, and implementation guidance for wireless access.
Wireless access to the organization's information system is authorized before such connections are allowed.
Control enhancements:
AUTHENTICATION AND ENCRYPTION
Wireless access to the organization's information system is protected by authentication of users and/or devices and by encryption.
DISABLE WIRELESS NETWORKING
Wireless networking capabilities embedded within information system components are disabled when not intended for use.
RESTRICT CONFIGURATIONS BY USERS
Only explicitly authorized individuals, for example security administrators, are allowed to configure wireless networking capabilities.
ANTENNAS / TRANSMISSION POWER LEVELS
Radio antennas and transmission power levels are selected and calibrated so that usable signals cannot be received outside the organization-controlled boundaries.
AC-21 INFORMATION SHARING
This control ensures that information is shared securely and that sharing partners hold the right level of access to the information being shared.
Under this control, authorized users determine whether the access restrictions on the information (for example its classification or handling markings) match the access authorizations of the sharing partner before the information is shared.
The organization shall provide automated or manual mechanisms that assist authorized users in making information sharing and collaboration decisions.
Control enhancements:
AUTOMATED DECISION SUPPORT
The information system enforces the information sharing decisions made by authorized users, based on the access authorizations of the sharing partners and the access restrictions on the information to be shared.
INFORMATION SEARCH AND RETRIEVAL
The information system implements search and retrieval services that enforce organization-defined information sharing restrictions, so that a user cannot obtain through search what he/she is not authorized to receive.
AC-22 PUBLICLY ACCESSIBLE CONTENT
This control ensures that non-public (sensitive) organizational information is not posted on publicly accessible systems.
Under this control,
The organization shall designate the individuals authorized to post information onto a publicly accessible information system.
Before information is posted, it shall be reviewed by those authorized individuals to ensure that no non-public or sensitive information is included.
Authorized individuals shall be trained to ensure that publicly accessible information does not contain non-public or sensitive information.
The content on publicly accessible systems shall be reviewed at an organization-defined frequency, and any non-public information discovered shall be removed.
AC-23 DATA MINING PROTECTION
This control protects organizational data stores against unauthorized data mining, that is, the extraction of patterns or bulk information through queries the data store was not intended to serve.
Under this control the organization employs data mining prevention and detection techniques, for example notifying authorized personnel when anomalous or atypical database queries occur, and limiting the number, frequency or type of queries that may be run against databases holding sensitive information.
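The following is an added example, not part of the control text or of NIST's material: a Python query guard that applies two of the techniques named above to a stream of SQL statements, a sliding-window limit on queries against sensitive tables and a notification when a query looks like bulk extraction. The sensitive-table list, the budget of 20 queries per minute and the "read without a WHERE clause" heuristic are assumed organization-defined choices; the SQL parsing is a deliberately simple regular expression that does not understand subqueries, CTEs or quoted identifiers, so a real deployment would take table names from the database's own query plan or audit log instead.

```python
"""Query guard for AC-23: rate-limits queries against sensitive tables and
notifies on anomalous ones. Added example; the sensitive-table list, the
budget of 20 queries per minute and the "unfiltered read" heuristic are
assumed organization-defined choices, and the SQL parsing is a deliberately
simple regex (it does not understand subqueries, CTEs or quoted names).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, Optional, Set

TABLE_RE = re.compile(r"\b(?:from|join)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)
WHERE_RE = re.compile(r"\bwhere\b", re.IGNORECASE)


class QueryGuard:
    def __init__(self, sensitive_tables: Set[str], max_queries: int = 20,
                 window: timedelta = timedelta(minutes=1),
                 notify: Optional[Callable[[str], None]] = None) -> None:
        self.sensitive = {t.lower() for t in sensitive_tables}
        self.max_queries = max_queries
        self.window = window
        self.notify = notify or (lambda msg: None)   # hook that alerts authorized personnel
        self._recent: Dict[str, Deque[datetime]] = defaultdict(deque)

    def check(self, user: str, sql: str, now: datetime) -> str:
        """Return "allow", "alert" (allowed but reported) or "deny"."""
        touched = {t.lower() for t in TABLE_RE.findall(sql)}
        hits = sorted(touched & self.sensitive)
        if not hits:
            return "allow"                       # non-sensitive data is outside this guard's scope

        q = self._recent[user]
        while q and now - q[0] >= self.window:   # sliding window: drop timestamps that aged out
            q.popleft()
        q.append(now)

        if len(q) > self.max_queries:            # restriction on query volume against sensitive data
            self.notify(f"user={user}: {len(q)} queries against {hits} within {self.window}; denied")
            return "deny"
        if not WHERE_RE.search(sql):             # a read with no predicate is atypical for an application
            self.notify(f"user={user}: unfiltered read of {hits}: {sql.strip()}")
            return "alert"
        return "allow"


def demo() -> dict:
    """Constructed query stream against a guard with a budget of 3 per minute."""
    alerts = []
    guard = QueryGuard({"customers", "payment_cards"}, max_queries=3, notify=alerts.append)
    t0 = datetime(2024, 1, 1, 10, 0)
    verdicts = [guard.check("ann", "SELECT name FROM employees WHERE id = 7", t0)]
    for i in range(4):   # four point lookups inside one minute; the fourth exceeds the budget
        verdicts.append(guard.check("ann", "SELECT email FROM customers WHERE id = %s", t0 + timedelta(seconds=i)))
    verdicts.append(guard.check("bob", "SELECT * FROM payment_cards", t0 + timedelta(seconds=10)))
    verdicts.append(guard.check("ann", "SELECT c.email FROM orders o JOIN customers c ON c.id = o.cust_id WHERE o.id = 5",
                                t0 + timedelta(minutes=2)))   # ann's window has emptied by now
    return {"verdicts": verdicts, "alerts": alerts}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Denied queries still count against the window, so a client that keeps hammering stays denied rather than getting a fresh budget the moment old entries age out. The unfiltered-read case is reported but allowed here because legitimate batch jobs do run such queries; whether to deny instead is an organizational decision, and the guard makes that a one-line change.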
AC-24 ACCESS CONTROL DECISIONS
This control ensures that organization-defined access control decisions are applied to each access request before access is authorized (granted): the request is evaluated against policy first, and the enforcement point never allows an access that has not been decided.
Control enhancements:
TRANSMIT ACCESS AUTHORIZATION INFORMATION
Access authorization information is transmitted to the information system using organization-defined security safeguards (for example an authenticated, encrypted channel), so that the input to the decision cannot be altered or forged in transit.
USER OR PROCESS IDENTITY
In certain instances, access control decisions can be made without the identity of the user or process making the request, for example where user privacy is paramount; attributes other than identity, such as a role or clearance presented in a credential, then form the basis of the decision.
AC-25 REFERENCE MONITOR
Under this control, a reference monitor is implemented to enforce organization-defined access control policies. A reference monitor mediates every access by a subject (a user or a process acting on the user's behalf) to an object, and to be trusted it must be tamperproof, always invoked (so it cannot be bypassed), and small enough to be analyzed and tested for completeness. The policies it enforces are typically mandatory access control policies, which prevent individuals and processes from passing information or privileges to entities that are not authorized to receive them; in this way the reference monitor averts violations of the security policy by malicious users and by malicious code acting on their behalf.
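The following is an added example, not part of the control text or of NIST's material: a Python reference monitor in which every read and write of a protected object passes through one small mediation routine, so that the AC-24 decision is made before any access and the AC-25 properties (always invoked, small enough to inspect) hold by construction. The policy enforced is a simple mandatory multilevel one, no read up and no write down, which is what prevents a highly cleared subject from leaking into a low-labelled object. The labels, subjects and objects are constructed for illustration.

```python
"""Reference monitor for AC-24/AC-25: every access decision is made by one small
mediation routine that is always invoked and cannot be bypassed, here enforcing
a simple mandatory (multilevel) policy. Added example; labels, subjects and
objects are constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2


@dataclass(frozen=True)        # immutable: a caller cannot raise its own clearance after the fact
class Subject:
    name: str
    clearance: Level


class ReferenceMonitor:
    """Objects live only in _objects; read(), write() and create() are the sole
    entry points and all of them consult _decide(), so the policy is always invoked."""

    def __init__(self) -> None:
        self._objects: Dict[str, Tuple[Level, str]] = {}
        self.audit: List[Tuple[str, str, str, bool]] = []   # (subject, op, object, granted)

    def _decide(self, subj: Subject, label: Level, op: str) -> bool:
        # Mandatory policy: no read up (simple security property) and no write
        # down (*-property), so a high subject cannot leak into a low object.
        if op == "read":
            return subj.clearance >= label
        if op == "write":
            return subj.clearance <= label
        return False                   # deny by default for any operation not foreseen

    def _mediate(self, subj: Subject, op: str, name: str) -> Tuple[Level, str]:
        # AC-24: the decision is applied before any access is granted.
        if name not in self._objects:
            self.audit.append((subj.name, op, name, False))
            raise PermissionError(f"{subj.name}: {op} {name} denied")   # same error: no existence leak
        label, content = self._objects[name]
        granted = self._decide(subj, label, op)
        self.audit.append((subj.name, op, name, granted))
        if not granted:
            raise PermissionError(f"{subj.name}: {op} {name} denied")
        return label, content

    def create(self, subj: Subject, name: str, label: Level, content: str) -> None:
        # Creating an object is a write at the new object's label.
        if name in self._objects or not self._decide(subj, label, "write"):
            self.audit.append((subj.name, "create", name, False))
            raise PermissionError(f"{subj.name}: create {name} denied")
        self._objects[name] = (label, content)
        self.audit.append((subj.name, "create", name, True))

    def read(self, subj: Subject, name: str) -> str:
        return self._mediate(subj, "read", name)[1]

    def write(self, subj: Subject, name: str, content: str) -> None:
        label, _ = self._mediate(subj, "write", name)
        self._objects[name] = (label, content)


def demo() -> dict:
    """Constructed scenario: a SECRET-cleared analyst and a PUBLIC-cleared contractor."""
    rm = ReferenceMonitor()
    analyst = Subject("analyst", Level.SECRET)
    contractor = Subject("contractor", Level.PUBLIC)
    rm.create(contractor, "notice.txt", Level.PUBLIC, "office closed Friday")
    rm.create(analyst, "plan.txt", Level.SECRET, "acquisition target: Acme")

    def attempt(fn, *args):
        try:
            fn(*args)
            return "granted"
        except PermissionError:
            return "denied"

    return {
        "analyst_reads_secret": attempt(rm.read, analyst, "plan.txt"),
        "analyst_reads_public": attempt(rm.read, analyst, "notice.txt"),
        "analyst_writes_public": attempt(rm.write, analyst, "notice.txt", "leak"),      # no write down
        "contractor_reads_secret": attempt(rm.read, contractor, "plan.txt"),            # no read up
        "contractor_writes_secret": attempt(rm.write, contractor, "plan.txt", "noise"),  # blind write up is allowed by this policy
        "contractor_reads_missing": attempt(rm.read, contractor, "ghost.txt"),
        "public_content": rm.read(contractor, "notice.txt"),
        "decisions_logged": len(rm.audit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details are deliberate. Denials for a missing object and for an unauthorized one raise the identical error, so a low subject cannot probe for the existence of high objects. And the blind write-up by the contractor is granted because the confidentiality policy shown here does not protect integrity; a deployment that cares about both would add an integrity policy to _decide() rather than bolt checks onto the entry points, keeping the monitor the single place where decisions are made.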