3.1.5 has a weight of -1 points

(Access Control Family) 5/22

Employ the principle of least privilege, including for specific security functions and privileged accounts.*

Example of System Security Plan (SSP):

System Security Plan (SSP) SP 800-171 Control 3.1.5

Title: Employing the Principle of Least Privilege

Purpose: The intent of this control is to ensure that users and processes within the organization are granted only the permissions and privileges required to perform their specific roles or tasks. This minimizes the potential damage from errors or the misuse of privileges.

Control Description:

  1. Definition of Privileged Functions: The company clearly defines what constitutes privileged functions and documents them in the company’s personnel and technology list.

  2. Assignment of Privileges: All users, including administrators with privileged access, are granted rights exclusively based on what is necessary for their respective roles. This ensures that they only have the rights required to perform functions aligned with their position.

  3. Implementation & Enforcement: The company leverages Azure Active Directory and RBAC (Role-Based Access Control) to implement and enforce the principle of least privilege. This ensures that the roles defined come with the minimum set of privileges needed for the job function.

  4. System-Specific Access: For isolated systems, access is restricted solely to individuals whose roles directly involve the use of such systems.

  5. Periodic Review of Privileges: The company carries out regular assessments to re-evaluate the privileges designated to users, processes, and system accounts. This is to confirm continuous compliance with the principle of least privilege.

  6. Monitoring & Compliance: Using tools such as Group Policy, Active Directory, file share permissions, and system-specific controls, the company monitors user activities and permissions to ensure that no over-privileged access exists.

Guidelines & Procedures:

  • Identification of Privileged Accounts: Super user accounts, often linked with system administrator roles, are identified and tagged as ‘privileged’.

  • Access Limitation: Regular users are barred from accessing privileged information or functionalities, reserving this access exclusively for authorized personnel.

  • Lifecycle Application: The principle of least privilege is enforced throughout the lifecycle of organizational systems. This includes during phases like development, implementation, and regular operation.

  • Continuous Monitoring: Systems have been implemented to constantly monitor and affirm the application of the least privilege principle, ensuring that access rights remain synchronized with business necessities and imposed restrictions.

Example of Plan of Action and Milestones (POA&M):

Plan of Action & Milestones (POA&M) for System Security Plan (SSP) SP 800-171 Control 3.1.5

1. Control Title: Employing the Principle of Least Privilege

2. Purpose: To ensure users and processes are given only the necessary permissions and privileges for their specific roles, thereby minimizing potential damage from errors or misuse.

Milestones:

M1: Definition of Privileged Functions

  • Objective: Ensure that all privileged functions within the organization are properly defined and documented.
  • Actions:
    • Review existing documentation to identify any gaps.
    • Engage with department heads and IT managers to compile a comprehensive list.
    • Update the company’s personnel and technology list with these functions.
  • Due Date: [Set specific date]
  • Responsibility: [Specific department or person]

M2: Assignment of Privileges

  • Objective: Streamline the privileges granted to all users ensuring alignment with their roles.
  • Actions:
    • Audit current user privileges.
    • Reassign or revoke permissions as necessary based on job roles.
  • Due Date: [Set specific date]
  • Responsibility: [Specific department or person]

M3: Implementation & Enforcement using Azure AD and RBAC

  • Objective: Ensure proper role-based access control throughout the organization.
  • Actions:
    • Review current Azure AD and RBAC configurations.
    • Update roles to match the defined job functions and privileges.
    • Train IT staff on the enforcement of these configurations.
  • Due Date: [Set specific date]
  • Responsibility: [Specific department or person]

M4: System-Specific Access Control

  • Objective: Tighten access to isolated systems.
  • Actions:
    • Identify all isolated systems.
    • Implement access controls to limit access to only necessary personnel.
  • Due Date: [Set specific date]
  • Responsibility: [Specific department or person]

M5: Periodic Review of Privileges

  • Objective: Establish a routine review of privileges.
  • Actions:
    • Set up quarterly audits of user permissions.
    • Develop a reporting system to identify any discrepancies.
  • Due Date: [Set specific date for the first review]
  • Responsibility: [Specific department or person]

M6: Monitoring & Compliance

  • Objective: Ensure continuous monitoring of user activities and permissions.
  • Actions:
    • Implement automated monitoring tools.
    • Train IT staff on response protocols when discrepancies are identified.
  • Due Date: [Set specific date]
  • Responsibility: [Specific department or person]
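As an added example that is not part of the SSP or POA&M text above, the discrepancy report that milestones M2, M5 and M6 call for can be produced by comparing the live membership of privileged Active Directory groups against the approved role list. The group names and accounts below are constructed sample data; the only directory cmdlet referenced, Get-ADGroupMember, is the ActiveDirectory module's and appears only in a comment so the script runs offline.

```powershell
# Added example (not part of the SSP or POA&M text): least-privilege review for
# milestones M2, M5 and M6. Compares observed membership of privileged AD groups
# against the approved role list and reports every discrepancy.
# All group names and accounts below are constructed sample data.

# Approved assignments: privileged group -> accounts whose role justifies it
# (the role-to-privilege mapping the SSP's personnel and technology list holds).
$ApprovedMembership = @{
    'Domain Admins'    = @('svc-adops', 'jdoe-adm')
    'Server Operators' = @('msmith-adm')
    'Backup Operators' = @('svc-backup')
}

# Observed membership. In production, read it from the directory instead, e.g.
#   Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
#       Select-Object -ExpandProperty SamAccountName
# (ActiveDirectory module). Constructed here so the script runs offline.
$ObservedMembership = @{
    'Domain Admins'    = @('svc-adops', 'jdoe-adm', 'jdoe')  # jdoe: day-to-day account, over-privileged
    'Server Operators' = @()                                  # msmith-adm removed; approval list is stale
    'Backup Operators' = @('svc-backup')
}

function Compare-PrivilegedMembership {
    param(
        [Parameter(Mandatory)][hashtable]$Approved,
        [Parameter(Mandatory)][hashtable]$Observed
    )
    $groups = @($Approved.Keys) + @($Observed.Keys) | Sort-Object -Unique
    $findings = foreach ($group in $groups) {
        $ok   = @($Approved[$group])
        $have = @($Observed[$group])
        # Member without an approved role: revoke, or record a documented exception.
        foreach ($m in @($have | Where-Object { $_ -notin $ok })) {
            [pscustomobject]@{ Group = $group; Account = $m; Finding = 'OVER_PRIVILEGED' }
        }
        # Approved entry with no live membership: update the approved list.
        foreach ($m in @($ok | Where-Object { $_ -notin $have })) {
            [pscustomobject]@{ Group = $group; Account = $m; Finding = 'STALE_APPROVAL' }
        }
    }
    return @($findings)
}

$report = Compare-PrivilegedMembership -Approved $ApprovedMembership -Observed $ObservedMembership
$report | Format-Table -AutoSize
# Keep a dated copy as evidence for the quarterly review (M5).
$report | Export-Csv -Path ("priv-review-{0:yyyyMMdd}.csv" -f (Get-Date)) -NoTypeInformation
```

With the sample data the report lists jdoe in Domain Admins as OVER_PRIVILEGED and msmith-adm in Server Operators as STALE_APPROVAL; the same comparison applies to Azure AD directory roles or file share ACLs once their observed membership is loaded into the hashtable.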

Guidelines & Procedures:

Ensure that guidelines and procedures align with the established milestones. Periodic training and awareness sessions should be conducted to keep staff informed about the importance of the principle of least privilege and the specific procedures tied to it.

Tools Available:

  1. Azure Active Directory (Azure AD):

    • This is Microsoft’s cloud-based identity and access management service. Azure AD helps employees sign in and access both external resources and internal resources. For the principle of least privilege, Azure AD can enforce user role assignments and restrict user access based on those roles.
  2. RBAC (Role-Based Access Control):

    • Within Azure AD, RBAC can help ensure that only the appropriate users have access to specific resources. It restricts network access based on the roles of individual users within an organization.
  3. Group Policy:

    • A feature of the Microsoft Windows NT family, including Windows 7, 8, 8.1, 10. Group Policy provides centralized management and configuration of operating systems, applications, and users’ settings. It can be used to assign specific permissions to user groups and enforce security settings across an organization.
  4. Active Directory:

    • A Microsoft technology used to manage computers and other devices on a network. It can be used to assign and enforce security policies for all computers and install or update software.
  5. File Share Permissions:

    • These are tools or features that allow administrators to control who can access files and directories across a shared network. This ensures that only authorized users can access, modify, or delete specific files or directories.
  6. Specific System Controls:

    • This could be bespoke or specialized software tools designed for particular organizational needs. For instance, a company might have a custom tool to monitor and control access to a proprietary database or system.
  7. Privileged Account Management (PAM) Solutions:

    • These are tools specifically designed to manage and monitor privileged accounts, such as those used by system administrators. Examples include CyberArk, BeyondTrust, and Thycotic.
  8. Security Information and Event Management (SIEM) Systems:

    • Tools like Splunk, LogRhythm, and ArcSight can continuously monitor and analyze a company’s security events. They can help ensure that user activity is in line with their assigned privileges and quickly detect potential security threats.
  9. Lifecycle Management Solutions:

    • Tools that manage user accounts and permissions throughout their lifecycle, from creation to deletion. This ensures that users only have access to resources they need during specific phases of their role or project.
  10. Access Review Solutions:

    • Platforms like SailPoint and Saviynt can facilitate periodic reviews of privileges, allowing organizations to re-evaluate and adjust permissions over time.

* You can use any combination of these tools or tools like these.

RELEVANT INFORMATION:

Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges). Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions. Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.

Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.