3.1.6 has a weight of -3 points

(Access Control Family) 6/22

Use non-privileged accounts or roles when accessing nonsecurity functions

Example of System Security Plan (SSP):

System Security Plan (SSP)
Control: 3.1.6 Use Non-privileged Accounts

Purpose:
To ensure that privileged account access is restricted to specific security tasks, facilitating the detection of anomalies or unauthorized access in system logs. 

Assessment Points:

  1. Identify Non-security Functions:
    Verify that non-security functions are explicitly listed and defined, often identifiable through Group Policies and individual system access restrictions. For example, role restrictions might prevent individuals from executing certain actions or accessing specific records in an application.

  2. Use of Non-privileged Accounts:
    Ensure users are obligated to adopt non-privileged accounts or roles when performing non-security tasks. This is verifiable by attempting privileged actions with a standard account and checking for access denials.

Implementation Details:

  • All privileged account holders are equipped with non-privileged accounts, exclusively used for tasks not demanding elevated permissions.
  • Compliance monitoring and anomaly detection for the use of these accounts are performed by our SIEM system.
  • All functions or tasks unrelated to security within the organization have been meticulously listed.
  • Elevated access privilege roles within systems have been explicitly identified.
  • Individuals are allocated non-privileged accounts or roles based on access necessities.
  • The organization has distinctly determined non-privileged accounts for accessing non-security functions.
  • Access control strategies like role-based access control (RBAC) are established to manage user access to diverse functions and resources.
  • Users are trained and educated on the necessity of non-privileged account usage for non-security tasks and informed of the risks of unnecessary elevated access.
  • Continuous monitoring of access logs and activities ensures the detection of any unauthorized or inappropriate use of privileged roles.
  • Comprehensive documentation related to access policies, role delineations, and relevant updates is consistently maintained.

Example of Plan of Action and Milestones (POA&M):

Plan of Action and Milestones (POA&M)
System Security Plan (SSP)
Control: 3.1.6 Use Non-privileged Accounts

Objective:
Refine and enhance the implementation of the non-privileged accounts system to bolster security measures and to adhere to the defined control guidelines.

Tasks and Milestones:

  1. Review of Current Account Structure

    • Duration: 1 week
    • Responsibility: IT Admin Team
    • Action: Conduct a full audit of all current user accounts to determine which accounts have elevated permissions.
    • Expected Outcome: A complete list of all privileged accounts within the organization.
  2. Assessment of Non-security Functions

    • Duration: 2 weeks
    • Responsibility: System Architects and IT Admin Team
    • Action: Evaluate and list all non-security functions, ensuring they’re linked with Group Policies and individual system access restrictions.
    • Expected Outcome: A detailed list of non-security functions and associated access rights.
  3. Development and Roll-out of Non-privileged Accounts

    • Duration: 3 weeks
    • Responsibility: IT Admin Team
    • Action: Create or refine non-privileged accounts for all users, ensuring they align with access necessities.
    • Expected Outcome: Every user should have an appropriate non-privileged account for daily operations.
  4. Training and User Awareness

    • Duration: 2 weeks
    • Responsibility: Training Department & IT Team
    • Action: Organize workshops and training sessions emphasizing the importance of using non-privileged accounts for non-security tasks and potential risks of elevated access misuse.
    • Expected Outcome: An informed user base with clear understanding of the system and its benefits.
  5. Setup of SIEM Monitoring

    • Duration: 3 weeks
    • Responsibility: Security Team
    • Action: Implement or enhance the SIEM system settings to monitor privileged account activities and flag anomalies.
    • Expected Outcome: Efficient and prompt detection of any suspicious activities on privileged accounts.
  6. Evaluation of Role-Based Access Control (RBAC) Policies

    • Duration: 2 weeks
    • Responsibility: IT Admin Team
    • Action: Ensure RBAC is set up to manage user access effectively and revisit the policies if required.
    • Expected Outcome: Clearly defined roles and access controls in place.
  7. Review and Finalization

    • Duration: 1 week
    • Responsibility: IT Management Team
    • Action: Review all implemented changes, ensure compliance, and address any discrepancies or concerns.
    • Expected Outcome: Full compliance with the 3.1.6 Use Non-privileged Accounts control and enhanced security posture.

Follow-up and Continuous Monitoring:
Ongoing, with quarterly reviews to ensure adherence to the control guidelines, identification of potential improvements, and swift response to evolving threats.
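The SSP implementation details above (every privileged account holder has a paired non-privileged account; the SIEM flags privileged accounts used for non-security work) and POA&M tasks 1 and 5 (audit of elevated accounts; SIEM monitoring of privileged-account activity) both come down to two checks that can be automated. The following Python script is an added example written for this page; it is not the organization's SIEM content or code from the page. It assumes a hypothetical account export in which admin accounts carry an "adm-" prefix and an "owner" field, a fixed list of privileged groups, a constructed set of non-security applications, and constructed process-start log lines in key=value form. All of those are assumptions to be replaced with the organization's own inventory, group list and log format.

```python
"""Two checks supporting 3.1.6 (added example, not from the page):
1. every privileged account has a non-privileged account for the same owner;
2. privileged accounts are not used for non-security functions (from logs)."""
from collections import defaultdict

# Constructed account inventory (hypothetical export; naming convention assumed).
ACCOUNTS = [
    {"sam": "adm-jdoe",   "owner": "jdoe",       "groups": ["Domain Admins"]},
    {"sam": "jdoe",       "owner": "jdoe",       "groups": ["Domain Users"]},
    {"sam": "adm-asmith", "owner": "asmith",     "groups": ["Server Operators"]},
    {"sam": "bkim",       "owner": "bkim",       "groups": ["Domain Users", "Helpdesk"]},
    {"sam": "svc-backup", "owner": "svc-backup", "groups": ["Backup Operators"]},
]

# Groups whose membership makes an account "privileged" (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Server Operators",
                     "Backup Operators", "Administrators"}

# Non-security functions: applications that never require elevated rights (assumed).
NON_SECURITY_FUNCTIONS = {"outlook", "browser", "teams", "office"}

# Constructed log lines in a simple "ts key=value ..." format (not a real SIEM export).
LOG_LINES = [
    "2024-05-02T09:14:02Z user=jdoe host=WS-114 action=process_start app=outlook",
    "2024-05-02T09:20:45Z user=adm-jdoe host=DC01 action=process_start app=dsa.msc",
    "2024-05-02T10:02:13Z user=adm-jdoe host=WS-114 action=process_start app=browser",
    "2024-05-02T11:30:00Z user=adm-asmith host=WS-207 action=process_start app=teams",
    "2024-05-02T11:31:00Z user=bkim host=WS-301 action=process_start app=browser",
    "malformed line without fields",
]


def is_privileged(account):
    """An account is privileged if it belongs to any privileged group."""
    return bool(set(account["groups"]) & PRIVILEGED_GROUPS)


def audit_account_pairs(accounts):
    """Return (privileged account names, privileged accounts whose owner has no
    non-privileged account). Service accounts that own themselves show up as
    unpaired and need a documented exception rather than a second account."""
    by_owner = defaultdict(list)
    for acct in accounts:
        by_owner[acct["owner"]].append(acct)
    privileged = [a["sam"] for a in accounts if is_privileged(a)]
    unpaired = [
        a["sam"] for a in accounts
        if is_privileged(a)
        and not any(not is_privileged(o) for o in by_owner[a["owner"]])
    ]
    return privileged, unpaired


def parse_event(line):
    """Parse one 'ts key=value ...' line; return None for lines lacking user/app."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    fields["ts"] = parts[0]
    return fields if "user" in fields and "app" in fields else None


def find_privileged_misuse(lines, accounts):
    """Flag events where a privileged account launched a non-security application."""
    privileged = {a["sam"] for a in accounts if is_privileged(a)}
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # malformed lines are skipped, not treated as clean
        if ev["user"] in privileged and ev["app"].lower() in NON_SECURITY_FUNCTIONS:
            findings.append((ev["ts"], ev["user"], ev.get("host", "?"), ev["app"]))
    return findings


if __name__ == "__main__":
    priv, unpaired = audit_account_pairs(ACCOUNTS)
    print("privileged accounts:", priv)
    print("privileged accounts without a non-privileged counterpart:", unpaired)
    for ts, user, host, app in find_privileged_misuse(LOG_LINES, ACCOUNTS):
        print(f"FINDING {ts}: privileged account {user} ran {app} on {host}")
```

The first check produces the evidence POA&M task 1 asks for (a list of privileged accounts) plus the gap list for task 3; the second is the detection rule task 5 would load into the SIEM, expressed here over constructed lines so it can be tested offline. Tune the application list and privileged-group set to the organization's own definitions of non-security functions and elevated roles before relying on the output.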

RELEVANT INFORMATION:

This requirement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.