3.1.7 has a weight of -1 points
(Access Control Family) 7/22
Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
Video:
Example of Sysytem Security Plan (SSP):
System Security Plan (SSP)
Control: 3.1.7 – Prevention of Non-Privileged User Execution of Privileged Functions
Purpose:
To prevent non-privileged users from executing privileged functions and ensure the audit of such functions, thereby upholding system integrity and security.
Assessment Points:
Determination of Privileged Functions:
- Query: Are privileged functions distinctly defined within the system?
- Sample Response: Privileged functions are specifically delineated within each individual system our authorized users have access to. Examples encompass file system permissions, such as granting access to privileged folders containing Controlled Unclassified Information (CUI), security groups, Organizational Units (OU’s), and user permission levels within diverse systems.
Identification of Non-Privileged Users:
- Query: How are non-privileged users identified and categorized within the system?
- Sample Response: Non-privileged users are defined based on their role memberships, and by their classification as administrators or standard users, and by their account type.
Prevention Measures for Non-Privileged Users:
- Query: What mechanisms are in place to prevent non-privileged users from executing privileged functions?
- Sample Response: Non-privileged users are barred from executing privileged tasks through mechanisms like Group Policy, file system permissions, and user access rights within each distinct system. This extends beyond the foundational OS in our domain, taking into account systems such as accounting or secure engineering platforms.
Auditing of Privileged Functions Execution:
- Query: How are the executions of privileged functions audited and monitored?
- Sample Response: Execution activities are logged and tracked in our Security Information and Event Management (SIEM) system. This SIEM system aggregates and analyzes log data from various sources to identify any unauthorized or suspicious activities related to privileged functions.
SIEM System Effectiveness:
- Query: How effective is the SIEM system in detecting and alerting on unauthorized or suspicious activities related to privileged functions?
- Sample Response: Our SIEM system is configured with advanced analytics and correlation rules, ensuring a high detection rate of anomalies. Regular reviews and updates of the SIEM configurations are conducted to ensure it remains effective against evolving threat patterns.
Implementation Strategy:
- SIEM system to comprehensively capture, log, and monitor the execution of privileged functions.
- Users are granted the minimum privileges required to perform their assigned tasks effectively, avoiding excessive or unnecessary privileges.
- The company conducts regular reviews of user privileges to ensure alignment with their roles and responsibilities. Any unnecessary or outdated privileges are promptly removed.
- Comprehensive auditing and logging mechanisms are enabled in the systems, capturing the execution of privileged functions in audit logs.
- The company regularly monitors and analyzes audit logs to detect any unauthorized or suspicious activities related to privileged functions. Procedures are established for reviewing logs and responding to anomalies.
- Incident response procedures have been developed to promptly investigate potential security incidents or unauthorized access attempts related to privileged functions.
- Appropriate actions are taken to mitigate risks and prevent future occurrences based on the findings of incident investigations.
Example of Plan of Action and Milestones ( POA & M):
Plan of Action & Milestones (POA&M)
Control: 3.1.7 – Prevention of Non-Privileged User Execution of Privileged Functions
1. Determination of Privileged Functions
- Task: Inventory and document all privileged functions.
Milestone: Complete inventory of privileged functions across all systems.
Expected Completion Date: [Date]
Status: [Not Started/In Progress/Completed]
Responsible Party: System Admin Team / IT Department
Comments: Start with systems containing CUI and then expand to other systems.
2. Identification of Non-Privileged Users
- Task: Review and document all user roles, identifying non-privileged users.
Milestone: Complete documentation of non-privileged users.
Expected Completion Date: [Date]
Status: [Not Started/In Progress/Completed]
Responsible Party: HR & IT Department
Comments: Coordinate with department heads to ensure all roles are identified and classified.
3. Implementation of Prevention Measures
- Task: Deploy Group Policies, set file system permissions, and adjust user access rights to enforce policy.
Milestone: All prevention measures deployed and tested.
Expected Completion Date: [Date]
Status: [Not Started/In Progress/Completed]
Responsible Party: IT Security Team
Comments: Regularly review and update these measures to align with changing business needs.
4. Enhancement of Auditing Capabilities
- Task: Configure SIEM system to capture specific privileged function execution logs.
Milestone: SIEM system fully operational and capturing necessary logs.
Expected Completion Date: [Date]
Status: [Not Started/In Progress/Completed]
Responsible Party: IT Security Team & SIEM Vendor (if applicable)
Comments: Regular training for teams to understand and analyze SIEM logs effectively.
5. Regular Review of User Privileges
- Task: Implement a recurring review process of user privileges.
Milestone: First review completed and process established for future reviews.
Expected Completion Date: [Date]
Status: [Not Started/In Progress/Completed]
Responsible Party: IT Department & Department Heads
Comments: Engage external auditors for an annual review to ensure objectivity and compliance.
6. Incident Response Preparedness
- Task: Conduct a drill simulating an unauthorized access attempt.
Milestone: Successful completion of the drill and documentation of learnings.
Expected Completion Date: [Date]
Status: [Not Started/In Progress/Completed]
Responsible Party: IT Security Team & Incident Response Team
Comments: Regularly update incident response procedures based on drill outcomes and real-world incidents.
Monitoring & Updates: This POA&M will be reviewed and updated quarterly, or immediately after any significant changes in the IT environment or after any security incidents.
Approval:
[Authorized Signatory Name & Position]
[Date]
Example Privileged Functions:
Privileged Functions List
Document Version: 1.0
Last Updated: [Date]
Review Date: [Annually or as needed]
List of Privileged Functions:
- CUI Data Management:
- Accessing, modifying, or deleting data classified as CUI.
- Conducting backups of CUI or restoring CUI data from backups.
- Direct access to raw database tables or records containing CUI.
- System Configuration and Maintenance of CUI Systems:
- Modifying system settings or configurations on platforms storing or processing CUI.
- Installing, updating, or uninstalling software applications on CUI systems.
- Restarting or shutting down services or servers hosting CUI.
- User Account Management on CUI Systems:
- Creating, modifying, or deleting user accounts with access to CUI.
- Granting, altering, or revoking CUI access permissions.
- Resetting passwords for users with access to CUI.
- Network Configuration for CUI Systems:
- Modifying firewall rules or settings to protect CUI.
- Configuring VPN access to CUI systems.
- Altering network routes leading to systems storing or processing CUI.
- Security Management of CUI Systems:
- Modifying security policies for systems holding CUI.
- Disabling or enabling security features on CUI platforms, such as two-factor authentication.
- Managing encryption keys or digital certificates related to CUI.
- Audit & Log Management of CUI-Related Activities:
- Accessing or modifying logs related to CUI access, modification, or deletion.
- Clearing or deleting CUI-associated logs.
- Configuring logging settings for CUI activities.
- Software Development & Deployment for CUI Systems:
- Direct access to production codebases that interact with CUI.
- Deploying code or configurations to production environments that handle CUI.
- Directly accessing databases containing CUI for debugging or maintenance.
- Resource Management for CUI Systems:
- Allocating or modifying system resources on platforms storing or processing CUI.
- Modifying or managing virtual machines or containers used for CUI.
Example User Role Document:
User Role Document for Handling CUI
Document Version: 1.0
Last Updated: [Date]
Review Date: [Annually or as needed]
User Roles & Access Privileges:
- System Administrator (SysAdmin):
- Description: Manages, configures, and maintains all IT systems, including those storing and processing CUI.
- Privileges:
- Full access to servers and databases containing CUI.
- System backup and recovery.
- Installing, updating, and managing software and security patches.
- User account management, including granting and revoking access.
- CUI Data Custodian:
- Description: Oversees the storage, access, and management of CUI, ensuring compliance with applicable regulations and policies.
- Privileges:
- Access to CUI for quality checks, audits, and compliance.
- Setting access controls for CUI repositories.
- Monitoring and reviewing logs related to CUI access.
- CUI Data Analyst:
- Description: Accesses and works with CUI for analysis and reporting purposes.
- Privileges:
- Read-only access to specified CUI datasets.
- Use of analytical tools on systems containing CUI, without direct database modification access.
- Software Developer:
- Description: Develops, tests, and deploys software tools that might interact with CUI.
- Privileges:
- Access to development and staging environments.
- Restricted, monitored access to production environments (only when necessary).
- No direct access to raw CUI databases.
- End User (e.g., Staff, Project Managers, etc.):
- Description: Requires access to CUI for their work-related tasks but does not manage the data.
- Privileges:
- Read-only access to designated CUI datasets through specific applications.
- No ability to modify, delete, or export raw CUI.
- Audit & Compliance Officer:
- Description: Reviews and ensures compliance with regulations and standards related to CUI.
- Privileges:
- Read-only access to CUI for audit purposes.
- Access to logs and activity reports related to CUI.
- Contractor/Temporary Access:
- Description: External or temporary members who require limited, short-term access to CUI.
- Privileges:
- Restricted, time-bound access to specific CUI datasets.
- Access is monitored, logged, and reviewed regularly.
- No export, modify, or delete privileges.
Example Data Classification Policy:
Data Classification Policy
Document Version: 1.0
Last Updated: [Date]
Review Date: [Annually or as needed]
Policy Owner: [Owner Name, e.g., Chief Information Security Officer]
1. Purpose:
This Data Classification Policy provides a framework for classifying company data based on its sensitivity and the impact that the unauthorized disclosure or modification of the data could have on the organization and its stakeholders.
2. Scope:
This policy applies to all data created, received, stored, processed, transmitted, or managed by [Company Name], regardless of format or storage medium. This includes electronic files, physical papers, and verbal communications.
3. Data Classification Levels:
3.1 Confidential (CUI and similar data)
- Definition: Data with the highest level of sensitivity. Unauthorized access could have severe legal, financial, or reputational consequences for the company.
- Examples: Controlled Unclassified Information (CUI), Social Security Numbers, proprietary research data, financial records.
- Protection Requirements: Encrypted at rest and in transit, accessible only by privileged roles, regular auditing, and monitoring.
3.2 Restricted
- Definition: Data that is sensitive and for internal use only, but might not have legal or severe financial implications if disclosed.
- Examples: Internal memos, project plans, marketing strategies.
- Protection Requirements: Secure storage, limited access controls, and periodic review of access logs.
3.3 Public
- Definition: Data that can be disclosed to the public without any negative implications for the company.
- Examples: Press releases, marketing brochures, product documentation.
- Protection Requirements: Standard storage, no specific access controls beyond those for general company assets.
4. Privileged Access Requirement:
Only the Confidential classification level typically requires privileged access due to the high sensitivity of the data. Access is granted based on the principle of least privilege, ensuring users can only access the data they need to perform their job functions.
5. Responsibilities:
5.1 Data Owners: Department heads or designated staff responsible for specific data sets must classify data at creation, when modified, or when new information is learned that affects its classification.
5.2 IT Department: Implement and manage the technical controls to support this policy.
5.3 All Employees: Must comply with this policy and report any suspected breaches or misclassifications.
6. Training and Awareness:
All staff will receive data classification training upon onboarding and refresher training annually. This will ensure that employees are informed of their responsibilities related to data handling and protection.
7. Violations:
Violations of this policy can result in disciplinary actions, up to and including termination. Legal actions might also be pursued for any unauthorized disclosure of Confidential data.
8. Review & Updates:
This policy will be reviewed annually or following significant changes to the company’s operations or the regulatory environment. Updates will be documented with the date, version, and a brief description of the changes.
This is a generic template and should be adjusted based on the specific needs, data types, and operational environment of the company in question. It’s also essential to consult with key stakeholders, legal teams, and data owners during the development and updating of such a policy.
RELEVANT INFORMATION:
Privileged functions include establishing system accounts, performing system integrity checks, conducting patching operations, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. Note that this requirement represents a condition to be achieved by the definition of authorized privileges in 3.1.2. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat.
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.