3.1.2 has a weight of -5 points

(Access Control Family) 2/22

Does your company limit system access to the types of transactions and functions that authorized users are permitted to execute?

Example of System Security Plan (SSP):

1. Introduction

This System Security Plan (SSP) describes the security protocols and measures utilized by [Company Name] for the protection of its IT resources, including the use of Microsoft Azure Active Directory, Role-Based Access Control (RBAC), and related technologies.

2. Access Control

  • Role-Based Access Control (RBAC): RBAC is implemented to enforce the types of transactions and functions that authorized users are permitted to execute.
  • Azure Active Directory: Utilized to manage and secure identities, enabling authorized users to access the required resources.
  • Multi-Factor Authentication (MFA): Implemented to protect authorized users, using Azure multi-factor authentication.

3. Conditional Access Policies

  • Intune Integration: Conditional access policies are enabled using Intune to set conditions on what users can access and the devices that can be used to access them.

4. Account Provisioning and Management

  • Provisioning Procedures: The company adheres to documented procedures for account provisioning and de-provisioning.
  • Access to CMC Environment: The creation of accounts for accessing the CMC environment is done as per documented procedures.

5. Monitoring and Auditing

  • Regular monitoring and auditing of all resources to ensure that the right users have the right access to the right resources.

6. Additional Security Measures

  • Azure Environment Protection: The Azure environment is protected by Azure multi-factor authentication.
  • Standard Operating Procedures (SOPs): Depending on the size and structure of the company, SOPs, recurring IT ticketing systems, or direct control may be in place.
  • Policy and Document Writing: In cases where further documentation is needed, policies are written to guide the controls and assessment procedures.

Example of Plan of Action and Milestones (POA&M):

    1. Access Control

    a. Implement RBAC across all systems

    • Milestone 1: Identify user roles and responsibilities (Due Date)
    • Milestone 2: Configure RBAC settings in Azure (Due Date)
    • Milestone 3: Train staff on RBAC policies (Due Date)

    b. Strengthen Multi-Factor Authentication (MFA)

    • Milestone 1: Evaluate current MFA configuration (Due Date)
    • Milestone 2: Implement additional MFA methods if necessary (Due Date)

    2. Conditional Access Policies

    a. Enhance Intune Integration for Conditional Access

    • Milestone 1: Review current Intune policies (Due Date)
    • Milestone 2: Update or modify conditions as needed (Due Date)
    • Milestone 3: Monitor and audit compliance (Due Date)

    3. Account Provisioning and Management

    a. Update Account Provisioning Procedures

    • Milestone 1: Assess existing procedures (Due Date)
    • Milestone 2: Update documentation and process flow (Due Date)
    • Milestone 3: Train relevant staff on new procedures (Due Date)

    4. Monitoring and Auditing

    a. Implement Regular Auditing

    • Milestone 1: Establish regular audit schedule (Due Date)
    • Milestone 2: Perform initial audit (Due Date)
    • Milestone 3: Analyze audit results and make necessary adjustments (Due Date)

    5. Additional Security Measures

    a. Enhance Azure Environment Protection

    • Milestone 1: Review existing Azure multi-factor authentication settings (Due Date)
    • Milestone 2: Implement enhancements if necessary (Due Date)

    b. Develop and Implement SOPs and Policies

    • Milestone 1: Assess need for additional SOPs and policies (Due Date)
    • Milestone 2: Draft required documents (Due Date)
    • Milestone 3: Train staff on new policies (Due Date)

PLEASE NOTE: The milestone titles provided are suggestions, and you can modify them according to your organization’s preferences and objectives.

Access Control and RBAC Policy

1. Purpose

The purpose of this policy is to define the controls and procedures related to access control and authentication within [Company Name], including the use of Role-Based Access Control (RBAC), Azure Active Directory, Multi-Factor Authentication (MFA), and other related technologies.

2. Scope

This policy applies to all employees, contractors, and third parties who have access to [Company Name]’s information systems and data.

3. Policy Statements

a. Role-Based Access Control (RBAC):

  • User roles and permissions shall be defined based on job functions and responsibilities.
  • Access to resources shall be restricted based on predefined roles.

b. Azure Active Directory:

  • User identities shall be managed and secured using Azure Active Directory.
  • Integration with organizational systems shall be maintained to ensure secure access.

c. Multi-Factor Authentication (MFA):

  • MFA shall be required for all users accessing sensitive or critical systems.
  • MFA shall be implemented using Azure multi-factor authentication or equivalent technologies.

d. Conditional Access Policies:

  • Conditions on access to resources shall be defined and enforced using technologies such as Intune.
  • Policies shall be maintained to regulate what users can access and the devices that can be used.

e. Account Provisioning and Management:

  • Procedures for account provisioning and de-provisioning shall be documented and followed.
  • This includes authorization for the creation of accounts used to access specific environments, such as the CMC environment.

f. Monitoring and Auditing:

  • Regular monitoring and auditing shall be conducted to ensure compliance with this policy.
  • Any violations or anomalies shall be reported and handled according to the incident response procedures.

4. Compliance and Enforcement

  • All employees and contractors must comply with this policy.
  • Failure to comply may result in disciplinary actions, up to and including termination of employment or contracts.
  • Regular reviews and audits shall be conducted to ensure ongoing compliance.

5. Review and Updates

  • This policy shall be reviewed annually or as needed to reflect changes in laws, regulations, or business needs.
  • Any changes must be approved by the appropriate management personnel.

6. References

  • [Company Name]’s System Security Plan (SSP)
  • [Other relevant documents or regulations]

7. Approval

  • Policy Owner: [Owner’s Name/Title]
  • Approval Date: [Date]

This policy provides a detailed guide for the key elements of access control and authentication as described in your SSP. It may need to be customized based on your specific organization’s requirements and compliance needs.

RELEVANT INFORMATION:

Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades, scheduled maintenance) and mission or business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements).
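As an added illustration (not part of the original page or of any vendor product), the following Python sketch shows how an authorization check for this control can combine a role-to-function mapping with the account attributes listed above: time-of-day, day-of-week, point-of-origin, and an expiry for temporary accounts. The roles, functions, networks and accounts are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Role -> transactions/functions its members may execute (constructed sample
# data; submitting and approving a payment are deliberately split across roles).
ROLE_FUNCTIONS = {
    "accounts_payable": {"view_invoice", "submit_payment"},
    "ap_approver": {"view_invoice", "approve_payment"},
    "helpdesk": {"reset_password"},
}

@dataclass
class Account:
    name: str
    kind: str                        # individual, shared, service, temporary, ...
    roles: set
    allowed_hours: tuple = (0, 24)   # time-of-day window on a 24h clock
    allowed_days: set = field(default_factory=lambda: set(range(7)))  # Mon=0
    allowed_origins: tuple = ("0.0.0.0/0",)  # point-of-origin networks (CIDR)
    expires: Optional[datetime] = None       # for temporary/emergency accounts

def permitted_functions(acct: Account) -> set:
    """Union of the functions granted by each of the account's roles."""
    funcs = set()
    for role in acct.roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs

def authorize(acct: Account, function: str, when: datetime, origin: str):
    """Decide whether `acct` may execute `function` at `when` from `origin`.
    Returns (allowed, reason). Default is deny: the role must grant the
    function AND every account attribute restriction must be satisfied."""
    if acct.expires is not None and when >= acct.expires:
        return False, "account expired"
    if function not in permitted_functions(acct):
        return False, "function not permitted for role"
    start, end = acct.allowed_hours
    if not start <= when.hour < end:
        return False, "outside time-of-day window"
    if when.weekday() not in acct.allowed_days:
        return False, "outside day-of-week window"
    if not any(ip_address(origin) in ip_network(n) for n in acct.allowed_origins):
        return False, "point-of-origin not allowed"
    return True, "ok"
```

Each denial carries its reason so the decision can be written to the access log and reviewed during the periodic access audits described later on this page.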

Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.