3.1.15 has a weight of -1 points

(Access Control Family) 15/22

Authorize remote execution of privileged commands and remote access to security-relevant information.

Example of System Security Plan (SSP):

    1. The company identified privileged commands that involved the control, monitoring, or administration of the system, including security functions.
    2. Security-relevant information within the system that could impact security functions or the provision of security services was identified.
    3. Access control policies and mechanisms were implemented to regulate remote execution of privileged commands and remote access to security-relevant information.
    4. Roles and responsibilities were defined, and appropriate privileges were assigned to authorized individuals or groups based on their job functions and needs.
    5. Strong authentication methods, such as multi-factor authentication, were implemented for individuals attempting remote execution of privileged commands or accessing security-relevant information.
    6. Monitoring systems and procedures were implemented to track and log remote access activities involving privileged commands and security-relevant information.
    7. Regular reviews of access logs were conducted, anomalies were analyzed, and prompt investigations were initiated for any suspicious or unauthorized activities.
    8. Clear authorization and approval processes were defined for remote execution of privileged commands and remote access to security-relevant information.
    9. Periodic reviews and audits of the authorization and access control mechanisms were conducted to ensure alignment with the organization’s policies and security requirements.

    Example of Plan of Action and Milestones (POA&M):

    Milestone 1: Identification of Privileged Commands and Security-Relevant Information

    Task 1: Identify privileged commands that involve the control, monitoring, or administration of the system, including security functions.

    Target completion date: August 31, 2023.

    Task 2: Identify security-relevant information within the system that could impact security functions or the provision of security services.

    Target completion date: September 15, 2023.

    Milestone 2: Implementation of Access Control Policies and Mechanisms

    Task 1: Implement access control policies and mechanisms to regulate remote execution of privileged commands and remote access to security-relevant information. Consider software solutions compatible with NIST SP 800-171.                                    

    Target completion date: September 30, 2023.

     

    Milestone 3: Definition of Roles, Responsibilities, and Privileges      

    Task 1: Define roles and responsibilities for authorized individuals or groups based on their job functions and needs.

    Target completion date: October 15, 2023.

    Task 2: Assign appropriate privileges to authorized individuals or groups for remote execution of privileged commands or accessing security-relevant information.              

    Target completion date: October 31, 2023.

     

    Milestone 4: Implementation of Strong Authentication Methods

    Task 1: Implement strong authentication methods, such as multi-factor authentication, for individuals attempting remote execution of privileged commands or accessing security-relevant information.

    Target completion date: November 15, 2023.

     

    Milestone 5: Monitoring and Log Analysis

    Task 1: Implement monitoring systems and procedures to track and log remote access activities involving privileged commands and security-relevant information.                        

    Target completion date: November 30, 2023.                                                                

    Task 2: Conduct regular reviews of access logs, analyze anomalies, and initiate prompt investigations for any suspicious or unauthorized activities.

    Target completion date: Ongoing process with regular reviews and investigations scheduled every quarter.

     

    Milestone 6: Authorization and Approval Processes

    Task 1: Define clear authorization and approval processes for remote execution of privileged commands and remote access to security-relevant information.

    Target completion date: December 15, 2023.

     

    Milestone 7: Periodic Reviews and Audits

    Task 1: Conduct periodic reviews and audits of the authorization and access control mechanisms to ensure alignment with the organization’s policies and security requirements.

    Target completion date: Ongoing process with regular reviews and audits scheduled every quarter.



    RELEVANT INFORMATION:

    A privileged command is a human-initiated (interactively or via a process operating on behalf of the human) command executed on a system involving the control, monitoring, or administration of the system including security functions and associated security-relevant information. Security-relevant information is any information within the system that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Privileged commands give individuals the ability to execute sensitive, security-critical, or security-relevant system functions. Controlling such access from remote locations helps to ensure that unauthorized individuals are not able to execute such commands freely with the potential to do serious or catastrophic damage to organizational systems. Note that the ability to affect the integrity of the system is considered security-relevant as that could enable the means to by-pass security functions although not directly impacting the function itself.

    Explanation

    Privileged commands are special instructions or actions that have higher levels of control or authority within a computer system. These commands are typically executed by individuals who have specific permissions or elevated privileges, such as system administrators or IT personnel.

    Think of it as having a key that unlocks certain capabilities or functions in a system. Privileged commands allow individuals to perform tasks that involve controlling, monitoring, or administering the system, including important security functions. These commands often have the ability to access sensitive or critical information within the system.

    The reason these commands are considered privileged is that they carry a higher level of risk if misused. They have the potential to impact the security, integrity, or proper functioning of the system. By authorizing remote execution of privileged commands, organizations can control and monitor access to these powerful actions, ensuring that only authorized individuals with the necessary expertise and responsibilities can perform them.



    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.