3.1.5 has a weight of -1 points
(Access Control Family) 5/22
Employ the principle of least privilege, including for specific security functions and privileged accounts.*
Video:
Example of System Security Plan (SSP):
System Security Plan (SSP) SP-80171 Control 3.1.5
Title: Employing the Principle of Least Privilege
Purpose: The intent of this control is to ensure that users and processes within the organization are granted only the permissions and privileges required to perform their specific roles or tasks. This minimizes the potential damage from errors or the misuse of privileges.
Control Description:
-
Definition of Privileged Functions: The company clearly defines what constitutes privileged functions and documents them in the company’s personnel and technology list.
-
Assignment of Privileges: All users, including administrators with privileged access, are granted rights exclusively based on what is necessary for their respective roles. This ensures that they only have the rights required to perform functions aligned with their position.
-
Implementation & Enforcement: The company leverages Azure Active Directory and RBAC (Role-Based Access Control) to implement and enforce the principle of least privilege. This ensures that the roles defined come with the minimum set of privileges needed for the job function.
-
System-Specific Access: For isolated systems access is restricted solely to individuals whose roles directly involve the use of such systems.
-
Periodic Review of Privileges: The company carries out regular assessments to re-evaluate the privileges designated to users, processes, and system accounts. This is to confirm continuous compliance with the principle of least privilege.
-
Monitoring & Compliance: Using tools like group policy, active directory, file share permissions, and specific system controls, the company monitors user activities and permissions, ensuring no over-privileged access exists.
Guidelines & Procedures:
-
Identification of Privileged Accounts: Super user accounts, often linked with system administrator roles, are identified and tagged as ‘privileged’.
-
Access Limitation: Regular users are barred from accessing privileged information or functionalities, reserving this access exclusively for authorized personnel.
-
Lifecycle Application: The principle of least privilege is enforced throughout the lifecycle of organizational systems. This includes during phases like development, implementation, and regular operation.
-
Continuous Monitoring: Systems have been implemented to constantly monitor and affirm the application of the least privilege principle, ensuring that access rights remain synchronized with business necessities and imposed restrictions.
Example of Plan of Action and Milestones ( POA & M):
Plan of Action & Milestones (POA&M) for System Security Plan (SSP) SP-80171 Control 3.1.5
1. Control Title: Employing the Principle of Least Privilege
2. Purpose: To ensure users and processes are given only the necessary permissions and privileges for their specific roles, thereby minimizing potential damage from errors or misuse.
Milestones:
M1: Definition of Privileged Functions
- Objective: Ensure that all privileged functions within the organization are properly defined and documented.
- Actions:
- Review existing documentation to identify any gaps.
- Engage with department heads and IT managers to compile a comprehensive list.
- Update the company’s personnel and technology list with these functions.
- Due Date: [Set specific date]
- Responsibility: [Specific department or person]
M2: Assignment of Privileges
- Objective: Streamline the privileges granted to all users ensuring alignment with their roles.
- Actions:
- Audit current user privileges.
- Reassign or revoke permissions as necessary based on job roles.
- Due Date: [Set specific date]
- Responsibility: [Specific department or person]
M3: Implementation & Enforcement using Azure AD and RBAC
- Objective: Ensure proper role-based access control throughout the organization.
- Actions:
- Review current Azure AD and RBAC configurations.
- Update roles to match the defined job functions and privileges.
- Train IT staff on the enforcement of these configurations.
- Due Date: [Set specific date]
- Responsibility: [Specific department or person]
M4: System-Specific Access Control
- Objective: Tighten access to isolated systems.
- Actions:
- Identify all isolated systems.
- Implement access controls to limit access to only necessary personnel.
- Due Date: [Set specific date]
- Responsibility: [Specific department or person]
M5: Periodic Review of Privileges
- Objective: Establish a routine review of privileges.
- Actions:
- Set up quarterly audits of user permissions.
- Develop a reporting system to identify any discrepancies.
- Due Date: [Set specific date for the first review]
- Responsibility: [Specific department or person]
M6: Monitoring & Compliance
- Objective: Ensure continuous monitoring of user activities and permissions.
- Actions:
- Implement automated monitoring tools.
- Train IT staff on response protocols when discrepancies are identified.
- Due Date: [Set specific date]
- Responsibility: [Specific department or person]
Guidelines & Procedures:
Ensure that guidelines and procedures align with the established milestones. Periodic training and awareness sessions should be conducted to keep staff informed about the importance of the principle of least privilege and the specific procedures tied to it.
Tools Available:
-
Azure Active Directory (Azure AD):
- This is Microsoft’s cloud-based identity and access management service. Azure AD helps employees sign in and access both external resources and internal resources. For the principle of least privilege, Azure AD can enforce user role assignments and restrict user access based on those roles.
-
RBAC (Role-Based Access Control):
- Within Azure AD, RBAC can help ensure that only the appropriate users have access to specific resources. It restricts network access based on the roles of individual users within an organization.
-
Group Policy:
- A feature of the Microsoft Windows NT family, including Windows 7, 8, 8.1, 10. Group Policy provides centralized management and configuration of operating systems, applications, and users’ settings. It can be used to assign specific permissions to user groups and enforce security settings across an organization.
-
Active Directory:
- A Microsoft technology used to manage computers and other devices on a network. It can be used to assign and enforce security policies for all computers and install or update software.
-
File Share Permissions:
- These are tools or features that allow administrators to control who can access files and directories across a shared network. This ensures that only authorized users can access, modify, or delete specific files or directories.
-
Specific System Controls:
- This could be bespoke or specialized software tools designed for particular organizational needs. For instance, a company might have a custom tool to monitor and control access to a proprietary database or system.
-
Privileged Account Management (PAM) Solutions:
- These are tools specifically designed to manage and monitor privileged accounts, such as those used by system administrators. Examples include CyberArk, BeyondTrust, and Thycotic.
-
Security Information and Event Management (SIEM) Systems:
- Tools like Splunk, LogRhythm, and ArcSight can continuously monitor and analyze a company’s security events. They can help ensure that user activity is in line with their assigned privileges and quickly detect potential security threats.
-
Lifecycle Management Solutions:
- Tools that manage user accounts and permissions throughout their lifecycle, from creation to deletion. This ensures that users only have access to resources they need during specific phases of their role or project.
-
Access Review Solutions:
- Platforms like SailPoint and Saviynt can facilitate periodic reviews of privileges, allowing organizations to re-evaluate and adjust permissions over time.
* You can use any combination of these tools or tools like these.
RELEVANT INFORMATION:
Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges). Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions. Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.