3.1.7 has a weight of -1 points

System Security Plan (SSP)
Control: 3.1.7 – Prevention of Non-Privileged User Execution of Privileged Functions

Purpose:
To prevent non-privileged users from executing privileged functions and ensure the audit of such functions, thereby upholding system integrity and security.

Assessment Points:

Determination of Privileged Functions:

• Query: Are privileged functions distinctly defined within the system?
  • Sample Response: Privileged functions are specifically delineated within each individual system our authorized users have access to. Examples encompass file system permissions, such as granting access to privileged folders containing Controlled Unclassified Information (CUI), security groups, Organizational Units (OU’s), and user permission levels within diverse systems.

Identification of Non-Privileged Users:

• Query: How are non-privileged users identified and categorized within the system?
  • Sample Response: Non-privileged users are defined based on their role memberships, and by their classification as administrators or standard users, and by their account type.

Prevention Measures for Non-Privileged Users:

• Query: What mechanisms are in place to prevent non-privileged users from executing privileged functions?
  • Sample Response: Non-privileged users are barred from executing privileged tasks through mechanisms like Group Policy, file system permissions, and user access rights within each distinct system. This extends beyond the foundational OS in our domain, taking into account systems such as accounting or secure engineering platforms.

Auditing of Privileged Functions Execution:

• Query: How are the executions of privileged functions audited and monitored?
  • Sample Response: Execution activities are logged and tracked in our Security Information and Event Management (SIEM) system. This SIEM system aggregates and analyzes log data from various sources to identify any unauthorized or suspicious activities related to privileged functions.

SIEM System Effectiveness:

• Query: How effective is the SIEM system in detecting and alerting on unauthorized or suspicious activities related to privileged functions?
  • Sample Response: Our SIEM system is configured with advanced analytics and correlation rules, ensuring a high detection rate of anomalies. Regular reviews and updates of the SIEM configurations are conducted to ensure it remains effective against evolving threat patterns.

Implementation Strategy:

• SIEM system to comprehensively capture, log, and monitor the execution of privileged functions. 
• Users are granted the minimum privileges required to perform their assigned tasks effectively, avoiding excessive or unnecessary privileges.
• The company conducts regular reviews of user privileges to ensure alignment with their roles and responsibilities. Any unnecessary or outdated privileges are promptly removed.
• Comprehensive auditing and logging mechanisms are enabled in the systems, capturing the execution of privileged functions in audit logs.
• The company regularly monitors and analyzes audit logs to detect any unauthorized or suspicious activities related to privileged functions. Procedures are established for reviewing logs and responding to anomalies.
• Incident response procedures have been developed to promptly investigate potential security incidents or unauthorized access attempts related to privileged functions.
• Appropriate actions are taken to mitigate risks and prevent future occurrences based on the findings of incident investigations.

Plan of Action & Milestones (POA&M)

Control: 3.1.7 – Prevention of Non-Privileged User Execution of Privileged Functions

1. Determination of Privileged Functions

• Task: Inventory and document all privileged functions.

  Milestone: Complete inventory of privileged functions across all systems.

  Expected Completion Date: [Date]

  Status: [Not Started/In Progress/Completed]

  Responsible Party: System Admin Team / IT Department

  Comments: Start with systems containing CUI and then expand to other systems.

2. Identification of Non-Privileged Users

• Task: Review and document all user roles, identifying non-privileged users.

  Milestone: Complete documentation of non-privileged users.

  Expected Completion Date: [Date]

  Status: [Not Started/In Progress/Completed]

  Responsible Party: HR & IT Department

  Comments: Coordinate with department heads to ensure all roles are identified and classified.

3. Implementation of Prevention Measures

• Task: Deploy Group Policies, set file system permissions, and adjust user access rights to enforce policy.

  Milestone: All prevention measures deployed and tested.

  Expected Completion Date: [Date]

  Status: [Not Started/In Progress/Completed]

  Responsible Party: IT Security Team

  Comments: Regularly review and update these measures to align with changing business needs.

4. Enhancement of Auditing Capabilities

• Task: Configure SIEM system to capture specific privileged function execution logs.

  Milestone: SIEM system fully operational and capturing necessary logs.

  Expected Completion Date: [Date]

  Status: [Not Started/In Progress/Completed]

  Responsible Party: IT Security Team & SIEM Vendor (if applicable)

  Comments: Regular training for teams to understand and analyze SIEM logs effectively.

5. Regular Review of User Privileges

• Task: Implement a recurring review process of user privileges.

  Milestone: First review completed and process established for future reviews.

  Expected Completion Date: [Date]

  Status: [Not Started/In Progress/Completed]

  Responsible Party: IT Department & Department Heads

  Comments: Engage external auditors for an annual review to ensure objectivity and compliance.

6. Incident Response Preparedness

• Task: Conduct a drill simulating an unauthorized access attempt.

  Milestone: Successful completion of the drill and documentation of learnings.

  Expected Completion Date: [Date]

  Status: [Not Started/In Progress/Completed]

  Responsible Party: IT Security Team & Incident Response Team

  Comments: Regularly update incident response procedures based on drill outcomes and real-world incidents.

Monitoring & Updates: This POA&M will be reviewed and updated quarterly, or immediately after any significant changes in the IT environment or after any security incidents.

Approval:
[Authorized Signatory Name & Position]
[Date]

Privileged Functions List

Document Version: 1.0
Last Updated: [Date]
Review Date: [Annually or as needed]

List of Privileged Functions:

1. CUI Data Management:
   • Accessing, modifying, or deleting data classified as CUI.
   • Conducting backups of CUI or restoring CUI data from backups.
   • Direct access to raw database tables or records containing CUI.
2. System Configuration and Maintenance of CUI Systems:
   • Modifying system settings or configurations on platforms storing or processing CUI.
   • Installing, updating, or uninstalling software applications on CUI systems.
   • Restarting or shutting down services or servers hosting CUI.
3. User Account Management on CUI Systems:
   • Creating, modifying, or deleting user accounts with access to CUI.
   • Granting, altering, or revoking CUI access permissions.
   • Resetting passwords for users with access to CUI.
4. Network Configuration for CUI Systems:
   • Modifying firewall rules or settings to protect CUI.
   • Configuring VPN access to CUI systems.
   • Altering network routes leading to systems storing or processing CUI.
5. Security Management of CUI Systems:
   • Modifying security policies for systems holding CUI.
   • Disabling or enabling security features on CUI platforms, such as two-factor authentication.
   • Managing encryption keys or digital certificates related to CUI.
6. Audit & Log Management of CUI-Related Activities:
   • Accessing or modifying logs related to CUI access, modification, or deletion.
   • Clearing or deleting CUI-associated logs.
   • Configuring logging settings for CUI activities.
7. Software Development & Deployment for CUI Systems:
   • Direct access to production codebases that interact with CUI.
   • Deploying code or configurations to production environments that handle CUI.
   • Directly accessing databases containing CUI for debugging or maintenance.
8. Resource Management for CUI Systems:
   • Allocating or modifying system resources on platforms storing or processing CUI.
   • Modifying or managing virtual machines or containers used for CUI.

User Role Document for Handling CUI

Document Version: 1.0
Last Updated: [Date]
Review Date: [Annually or as needed]

User Roles & Access Privileges:

1. System Administrator (SysAdmin):
   • Description: Manages, configures, and maintains all IT systems, including those storing and processing CUI.
   • Privileges:
     • Full access to servers and databases containing CUI.
     • System backup and recovery.
     • Installing, updating, and managing software and security patches.
     • User account management, including granting and revoking access.
2. CUI Data Custodian:
   • Description: Oversees the storage, access, and management of CUI, ensuring compliance with applicable regulations and policies.
   • Privileges:
     • Access to CUI for quality checks, audits, and compliance.
     • Setting access controls for CUI repositories.
     • Monitoring and reviewing logs related to CUI access.
3. CUI Data Analyst:
   • Description: Accesses and works with CUI for analysis and reporting purposes.
   • Privileges:
     • Read-only access to specified CUI datasets.
     • Use of analytical tools on systems containing CUI, without direct database modification access.
4. Software Developer:
   • Description: Develops, tests, and deploys software tools that might interact with CUI.
   • Privileges:
     • Access to development and staging environments.
     • Restricted, monitored access to production environments (only when necessary).
     • No direct access to raw CUI databases.
5. End User (e.g., Staff, Project Managers, etc.):
   • Description: Requires access to CUI for their work-related tasks but does not manage the data.
   • Privileges:
     • Read-only access to designated CUI datasets through specific applications.
     • No ability to modify, delete, or export raw CUI.
6. Audit & Compliance Officer:
   • Description: Reviews and ensures compliance with regulations and standards related to CUI.
   • Privileges:
     • Read-only access to CUI for audit purposes.
     • Access to logs and activity reports related to CUI.
7. Contractor/Temporary Access:
   • Description: External or temporary members who require limited, short-term access to CUI.
   • Privileges:
     • Restricted, time-bound access to specific CUI datasets.
     • Access is monitored, logged, and reviewed regularly.
     • No export, modify, or delete privileges.

Data Classification Policy

Document Version: 1.0
Last Updated: [Date]
Review Date: [Annually or as needed]
Policy Owner: [Owner Name, e.g., Chief Information Security Officer]

1. Purpose:

This Data Classification Policy provides a framework for classifying company data based on its sensitivity and the impact that the unauthorized disclosure or modification of the data could have on the organization and its stakeholders.

2. Scope:

This policy applies to all data created, received, stored, processed, transmitted, or managed by [Company Name], regardless of format or storage medium. This includes electronic files, physical papers, and verbal communications.

3. Data Classification Levels:

3.1 Confidential (CUI and similar data)

• Definition: Data with the highest level of sensitivity. Unauthorized access could have severe legal, financial, or reputational consequences for the company.
• Examples: Controlled Unclassified Information (CUI), Social Security Numbers, proprietary research data, financial records.
• Protection Requirements: Encrypted at rest and in transit, accessible only by privileged roles, regular auditing, and monitoring.

3.2 Restricted

• Definition: Data that is sensitive and for internal use only, but might not have legal or severe financial implications if disclosed.
• Examples: Internal memos, project plans, marketing strategies.
• Protection Requirements: Secure storage, limited access controls, and periodic review of access logs.

3.3 Public

• Definition: Data that can be disclosed to the public without any negative implications for the company.
• Examples: Press releases, marketing brochures, product documentation.
• Protection Requirements: Standard storage, no specific access controls beyond those for general company assets.

4. Privileged Access Requirement:

Only the Confidential classification level typically requires privileged access due to the high sensitivity of the data. Access is granted based on the principle of least privilege, ensuring users can only access the data they need to perform their job functions.

5. Responsibilities:

5.1 Data Owners: Department heads or designated staff responsible for specific data sets must classify data at creation, when modified, or when new information is learned that affects its classification.

5.2 IT Department: Implement and manage the technical controls to support this policy.

5.3 All Employees: Must comply with this policy and report any suspected breaches or misclassifications.

6. Training and Awareness:

All staff will receive data classification training upon onboarding and refresher training annually. This will ensure that employees are informed of their responsibilities related to data handling and protection.

7. Violations:

Violations of this policy can result in disciplinary actions, up to and including termination. Legal actions might also be pursued for any unauthorized disclosure of Confidential data.

8. Review & Updates:

This policy will be reviewed annually or following significant changes to the company’s operations or the regulatory environment. Updates will be documented with the date, version, and a brief description of the changes.

This is a generic template and should be adjusted based on the specific needs, data types, and operational environment of the company in question. It’s also essential to consult with key stakeholders, legal teams, and data owners during the development and updating of such a policy.