3.1.4 has a weight of -1 points
(Access Control Family) 4/22
Separate the duties of individuals to reduce the risk of malevolent activity without collusion
Example of System Security Plan (SSP):
System Security Plan (SSP): Control for Separation of Duties through Role-Based Authentication and Control
1. Control Title: Separation of Duties using Role-Based Authentication and Control (RBAC)
2. Purpose: To ensure that system and data access rights are distributed among personnel in a way that reduces risk and prevents a single individual from executing security-sensitive operations without oversight.
3. Implementation:
3.1. General Approach: The company has recognized the significance of separating duties to minimize risks associated with fraudulent or unauthorized activities. To achieve this, the company has implemented role-based authentication and control (RBAC).
3.2. Technological Implementation:
- Azure Active Directory (AAD): The company uses Azure Active Directory to establish and enforce RBAC assignments. Azure AD’s inherent capabilities allow for fine-grained control, ensuring that users only have the specific access rights necessary for their roles.
- Group Policy (On-Premise): For on-premise systems, Group Policy is employed as an additional means to enforce separation of duties, especially for security-sensitive tasks.
3.3. Role Review and Maintenance:
- Monthly Review: Every month, the company reviews roles and permissions, leveraging both the company personnel and technology list. This review ensures that access rights remain aligned with each employee’s specific job functions and that no individual has excessive permissions.
3.4. Separation of Duties Principle:
- Risk-Level and Activity Collision: At its core, the control aims to reduce the risk of a single individual performing security-sensitive activities without oversight. The system is structured to require collaboration (from multiple individuals) for tasks that are deemed highly sensitive.
4. Roles and Responsibilities:
4.1. IT Department: Ensures the proper configuration of Azure AD and Group Policy, and periodically confirms their effectiveness.
4.2. Human Resources: Provides the IT Department with up-to-date personnel lists, job functions, and role changes to ensure accurate role assignments.
4.3. Management: Reviews and approves any changes to RBAC settings, ensuring alignment with organizational needs and security best practices.
5. Periodic Review and Updates:
The company commits to regularly reviewing and updating this control, at least annually, to adapt to changing organizational needs, technological advances, and emerging threats.
6. Conclusion:
By implementing the separation of duties through role-based authentication and control, the company ensures that potential risks associated with unauthorized or malicious activities are significantly reduced. It emphasizes the importance of collaborative oversight, particularly for security-sensitive operations.
7. Approvals:
- CISO: ____________________________ Date: ________
- Head of IT: _______________________ Date: ________
- Head of HR: _______________________ Date: ________
Example of Plan of Action and Milestones (POA&M):
Plan of Action & Milestones (POA&M) for Separation of Duties through RBAC
1. Introduction:
This POA&M addresses security weaknesses related to the implementation of separation of duties using role-based authentication and control (RBAC) within our organization’s systems.
2. Identified Weaknesses:
2.1. Incomplete Implementation of Azure AD RBAC: Some system components are not yet integrated with Azure AD.
2.2. Infrequent Role Reviews: Currently, reviews of role assignments are irregular, leading to potential misalignments.
2.3. Lack of Training: Employees and IT personnel are not fully trained on RBAC principles and Azure AD functionalities.
3. Plan of Action:
3.1. Complete Azure AD Integration:
- Task: Integrate remaining system components with Azure AD.
- Responsible Party: IT Department
- Estimated Completion Date: MM/DD/YYYY
- Resources Needed: Dedicated IT personnel, Azure AD training materials
3.2. Standardize Monthly Role Reviews:
- Task: Establish a monthly review process for role assignments using both the company personnel and technology list.
- Responsible Party: HR and IT Departments
- Estimated Completion Date: MM/DD/YYYY
- Resources Needed: Updated personnel lists, RBAC system logs
3.3. Conduct RBAC Training:
- Task: Organize training sessions for employees and IT personnel on RBAC principles and Azure AD functionalities.
- Responsible Party: Training Department in collaboration with IT
- Estimated Completion Date: MM/DD/YYYY
- Resources Needed: Training materials, external RBAC expert (if necessary)
4. Monitoring and Progress Tracking:
Regular status updates will be required from each responsible party. Progress will be discussed during quarterly security meetings.
5. Budget Estimate:
An estimated budget should be calculated for each action, considering the resources needed, potential external consultancy fees, and any software or hardware expenses.
6. Approvals:
- CISO: ____________________________ Date: ________
- Head of IT: _______________________ Date: ________
- Head of HR: _______________________ Date: ________
- Head of Training: _________________ Date: ________
Implement RBAC using Azure:
Here’s a guide to help you implement RBAC using Azure:
- Understand Azure RBAC Roles:
  - Azure provides several built-in RBAC roles. Examples include Owner, Contributor, Reader, and User Access Administrator. Each role has a specific set of permissions.
  - You can also create custom roles if the built-in roles don’t meet your specific needs.
- Access Azure Portal:
  - Navigate to the Azure Portal.
- Select a Resource:
  - In the Azure Portal, go to the resource you want to manage access for. This could be a subscription, a resource group, or an individual resource like a virtual machine.
  - In the left-hand menu, select “Access control (IAM).”
- Assign a Role:
  - Click “+ Add” and then “Add role assignment.”
  - Use the “Role” dropdown to select the appropriate role (e.g., Reader, Contributor).
  - Use the “Assign access to” dropdown to determine what this role applies to (e.g., User, Group, Service Principal).
  - In the “Select” field, find the user or group you wish to assign this role to and select them.
  - Click “Save.”
- Creating Custom Roles (if needed):
  - If the built-in roles don’t match your needs, you can define custom roles.
  - Use Azure PowerShell, Azure CLI, or the REST API to define custom roles. Within these tools, you can specify the exact permissions (actions, notActions, dataActions, notDataActions) you want the custom role to have.
- Role Assignments:
  - Once a role is assigned to a user, group, or service principal, that entity is granted access to Azure resources based on the permissions defined in the role.
- Regularly Audit & Review:
  - Regularly review role assignments to ensure users have appropriate access levels. Consider implementing a periodic review process.
- Conditional Access (Advanced):
  - For more granular control, you can use Azure Active Directory (Azure AD) Conditional Access to enforce controls on the access to apps in your environment based on specific conditions from a central location.
- Integration with Azure AD:
  - Azure RBAC is deeply integrated with Azure AD, which allows you to use group memberships, self-service group management, and privileged identity management for more sophisticated access management.
- Monitor Access & Activity:
  - Use Azure Activity Log to monitor who did what and when. This will give you insights into operations that were taken on specific resources.
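The monthly role review described in the SSP (section 3.3) and the "Regularly Audit & Review" step above can be checked mechanically. The following Python is an added example, not code from this page or from Microsoft; it assumes a constructed export of role assignments carrying only principalName, roleDefinitionName and scope fields, an assumed (organization-defined) table of conflicting role pairs, and the personnel list HR provides to IT, and it flags both toxic role combinations (respecting Azure's downward scope inheritance) and assignments still held by people who are no longer on that list.

```python
from collections import defaultdict
from itertools import combinations

# Assumed review policy (not an Azure-defined list): role pairs that let one
# person both grant access to a resource and operate on it.
CONFLICTING_ROLES = {
    frozenset({"User Access Administrator", "Contributor"}),
    frozenset({"User Access Administrator", "Owner"}),
}

# Constructed sample data. Fields mirror principalName, roleDefinitionName and
# scope as exported from Azure; PERSONNEL is the list HR hands IT each month.
ASSIGNMENTS = [
    {"principalName": "alice@example.com", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/SUB/resourceGroups/prod"},
    {"principalName": "alice@example.com", "roleDefinitionName": "User Access Administrator",
     "scope": "/subscriptions/SUB"},
    {"principalName": "bob@example.com", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/SUB"},
    {"principalName": "carol@example.com", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/SUB/resourceGroups/prod"},  # carol has left
]
PERSONNEL = {"alice@example.com": "Cloud engineer", "bob@example.com": "Internal auditor"}

def scopes_overlap(a: str, b: str) -> bool:
    """Azure assignments inherit downward: a subscription-level role also covers
    every resource group and resource under it. The trailing slash stops
    /subscriptions/SUB1 from matching /subscriptions/SUB10."""
    a, b = a.rstrip("/") + "/", b.rstrip("/") + "/"
    return a.startswith(b) or b.startswith(a)

def find_sod_conflicts(assignments):
    """Return (principal, (role, role), broadest scope) for each conflicting
    pair held by one principal over overlapping scopes."""
    by_principal = defaultdict(list)
    for asg in assignments:
        by_principal[asg["principalName"]].append(asg)
    findings = []
    for principal, held in by_principal.items():
        for x, y in combinations(held, 2):
            pair = frozenset({x["roleDefinitionName"], y["roleDefinitionName"]})
            if pair in CONFLICTING_ROLES and scopes_overlap(x["scope"], y["scope"]):
                findings.append((principal, tuple(sorted(pair)),
                                 min(x["scope"], y["scope"], key=len)))
    return findings

def find_orphaned_assignments(assignments, personnel):
    """Principals that still hold a role but are absent from the HR list."""
    return sorted({a["principalName"] for a in assignments
                   if a["principalName"] not in personnel})
```

Each finding is a review item for the IT department and management, not an automatic revocation; the effective scope reported is the broader of the two assignments, since that is where the combination takes effect.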
Implement RBAC using Google:
Here’s a guide to help you implement RBAC using Google Cloud Platform:
- Access Google Cloud Console:
  - Log in to the Google Cloud Console.
- Navigate to IAM & Admin:
  - On the navigation menu (hamburger icon on the top-left corner), click on “IAM & Admin”.
- Select Your Project:
  - Ensure you are in the right GCP project for which you want to manage access.
- Add or Edit Members:
  - Click on the “ADD” button to add a new member or select an existing member to edit.
  - Enter the member’s email address (this can be a Google account, a Google group, a service account, or even a G Suite domain).
  - In the “Role” dropdown, select a predefined role that describes the permissions you want to grant. For instance, you can assign roles like “Compute Engine > Compute Admin” or “Storage > Storage Object Viewer”. These roles grant specific sets of permissions.
  - Click “Save” when you’re done.
- Custom Roles:
  - If the predefined roles do not fit your needs, you can create custom roles.
  - Navigate to “IAM & Admin > Roles” and click “CREATE ROLE”.
  - Define the permissions you want this custom role to have.
- Organization-Level Roles:
  - If you manage multiple GCP projects and want to set roles across them, you can do so by selecting the organization level in the IAM page, rather than a specific project. This is especially useful for large businesses.
- Service Accounts:
  - For applications, use service accounts and assign roles to these accounts. A service account represents a non-human user that needs to authenticate and be authorized to access data across GCP services.
- Best Practices:
  - Always follow the principle of least privilege: grant only the permissions necessary to perform a task.
  - Regularly review and audit roles and permissions, ensuring no outdated permissions exist.
  - Use Google groups to manage roles for teams. Instead of assigning a role to individual users, assign it to a Google group and manage membership within that group.
- Test Access:
  - It’s essential to periodically test if the roles are functioning as expected. Ensure that those with access can perform their tasks and those without access are correctly restricted.
- Monitoring & Logging:
  - Utilize Google Cloud’s monitoring and logging tools, like Cloud Audit Logs, to keep an eye on who did what and when.
- Training:
  - Ensure your team is educated about the importance of access controls and the potential risks associated with misconfiguration.
Implementing RBAC in Google Cloud Platform ensures that you securely manage access to your GCP resources, allowing users to only perform actions that align with their roles and responsibilities.
RELEVANT INFORMATION:
This requirement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.
Why this is important:
Using non-privileged accounts or roles for non-security functions is a critical practice that helps protect sensitive information and maintain the security of systems. When organizations implement this approach, they reduce the risk of unauthorized access and potential security breaches. By assigning specific roles to individuals for different tasks, instead of relying on privileged accounts, the principle of least privilege is upheld. This means that individuals have access only to what they need to perform their jobs, minimizing the potential for misuse or abuse of privileges. It also aligns with best practices such as role-based access control, ensuring a structured and consistent approach to access management. By separating security and non-security functions, organizations create an additional layer of defense, strengthening the overall security posture and safeguarding valuable data from potential threats. This practice demonstrates a commitment to maintaining confidentiality, integrity, and security across organizational systems.
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.