3.1.1 has a weight of -5 points

(Access Control Family) 1/22

Does your company limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)?

Access control policy and procedures, Identification and authentication, Account monitoring and management access enforcement


Implementation Details:

  • [3.1.1(a)]: The organization has identified and documented authorized users who are granted access to the system.
  • [3.1.1(b)]: The organization has identified and documented processes that are allowed to operate on behalf of authorized users.
  • [3.1.1(c)]: The organization has identified and documented devices (including other systems) that are authorized to connect to the system.
  • [3.1.1(d)]: The organization has implemented measures to limit system access only to those users who have been explicitly authorized.
  • [3.1.1(e)]: The organization has implemented measures to ensure that only processes acting on behalf of authorized users are granted access to the system.
  • [3.1.1(f)]: The organization has implemented measures to control access, ensuring that only authorized devices (including other systems) are allowed to connect to the system.

    Additional Questions:

    1. Does the company use passwords as a part of its authentication mechanism?
    2. Does the company have a well-defined authentication mechanism in place?
    3. Does the company require users to log on to gain access to the system?
    4. Are account requests authorized before granting system access to users?
    5. Does the company maintain a comprehensive list of authorized users, defining their identity and role? Is this list synchronized with the system, application, and data layers?

    Example of System Security Plan (SSP):

    The company utilizes Azure Active Directory services and Microsoft Intune to control access and manage the security of users, devices, and processes within the GCC High environment. This document outlines the controls implemented and the ongoing maintenance practices in place.

    1. Access Control:

    • Role-Based Access Control (RBAC): Access to the system is limited to authorized users and processes, managed via role-based access permissions in Azure.
    • Authentication Methods: Users authenticate with a user ID and password combined with multi-factor authentication.
    • Conditional Access: Access for devices is limited based on conditional access rules implemented in Microsoft Intune.

    2. Device Management:

    • Device Enrollment: Intune enforces restrictions that require devices to be managed or enrolled in Intune before they are allowed to access the GCC High environment.

    3. Review and Monitoring:

    • Weekly User Base Review: The company performs a weekly review of the Azure user base, ensuring that no unauthorized users, processes, accounts, or devices have been added.
    • Setup Review and Maintenance: Regular review and maintenance of user services and devices within the Azure Active Directory services and Intune environments are conducted.

    4. Third-Party Management:

    • Managed IT Service Provider: The company leverages the expertise of a third-party managed IT service provider to assist in the implementation and maintenance of the above controls.

    5. Compliance:

    NIST 800-171: This plan aligns with the requirements of NIST 800-171, as applicable to the organization’s handling of Controlled Unclassified Information (CUI).

    Defined authorized users: The personnel with a legitimate business need to access the information system have been determined, and a list of authorized users who have been granted access has been created.

    Established user accounts: User accounts for information system resources, such as computers, servers, and cloud resources, are available only to authorized personnel. Any unnecessary or generic accounts have been removed.

    Associated processes with authorized users: All automated script updates and other processes have been associated with the specific user who initiated them. The use of generic account names for running scripts, especially for critical processes like backup scripts, has been avoided.

    Controlled device access: Measures have been implemented to limit which devices can access the information system. Devices are now authenticated and authorized before being granted access to our network.

    Secured VPN access: Our virtual private network (VPN) has been configured to allow only authorized devices to connect. Authentication mechanisms have been implemented to verify the legitimacy of devices attempting to establish a VPN connection.

    Regularly reviewed and updated access controls: Access controls have been periodically reviewed and updated to align with changes in personnel, business needs, and technology. Access rights for individuals who no longer require them have been promptly removed.

    Monitored and audited access: Monitoring and auditing mechanisms have been implemented to track access to the information system. Logs and reports are regularly reviewed to detect any unauthorized access attempts or unusual activity.

    Provided user training and awareness: Authorized users have been educated about the importance of limiting access and following security protocols. Regular training sessions have been conducted to ensure users are aware of best practices for information system access and the potential risks associated with unauthorized access.


    Example of Plan of Action and Milestones (POA&M):

    Milestones:


    Access Control:

    • Implement Role-Based Access Control in Azure
      • Responsible Party: IT Team
      • Start Date: [Date]
      • Target Completion Date: [Date]
      • Status: In Progress
    • Configure Multi-factor Authentication
      • Responsible Party: IT Team
      • Start Date: [Date]
      • Target Completion Date: [Date]
      • Status: Completed

    Device Management:

    • Enroll Devices in Microsoft Intune
      • Responsible Party: IT Team
      • Start Date: [Date]
      • Target Completion Date: [Date]
      • Status: In Progress

    Review and Monitoring:

    • Conduct Weekly Azure User Base Review
      • Responsible Party: Security Team
      • Start Date: [Date]
      • Status: Ongoing
    • Regular Maintenance of User Services
      • Responsible Party: Managed IT Service Provider
      • Start Date: [Date]
      • Status: Ongoing

    Third-Party Management:

    • Coordinate with Third-party IT Service Provider
      • Responsible Party: Management
      • Start Date: [Date]
      • Target Completion Date: [Date]
      • Status: Completed

    Compliance:

    • Align with NIST 800-171 Compliance
      • Responsible Party: Compliance Team
      • Start Date: [Date]
      • Target Completion Date: [Date]
      • Status: In Progress
    • Establish & Review User Accounts, Control Device Access, Secure VPN Access
      • Responsible Party: IT Team
      • Start Date: [Date]
      • Target Completion Date: [Date]
      • Status: Completed/In Progress
    • Monitor and Audit Access
      • Responsible Party: Security Team
      • Start Date: [Date]
      • Status: Ongoing
    • Provide User Training & Awareness
      • Responsible Party: HR & Training Team
      • Start Date: [Date]
      • Status: Ongoing

    PLEASE NOTE: The milestone titles provided are suggestions, and you can modify them according to your organization’s preferences and objectives.

    RELEVANT INFORMATION:

    Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition and enforcement of access authorizations, other than those determined by account type (e.g., privileged versus non-privileged), are addressed in requirement 3.1.2.


    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.