3.4.5 has a weight of -5 points

(Configuration Management Family) 5/9

Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

Example of System Security Plan (SSP):

    System Security Plan (SSP) – Control 3.4.5: Define/Document/Approve/Enforce Physical/Logical Access Restrictions

    Purpose: To ensure that all changes, both physical and logical, to organizational systems are properly defined, documented, approved, and enforced.

    Scope: This procedure covers any changes to the hardware, software, and other related components of the company’s IT infrastructure.

    1. Authorization for Changes:
      • The [INSERT NAME/POSITION] is the sole individual empowered to authorize changes to the company’s hardware and software infrastructure.
      • All proposed changes must be presented to and approved by this individual before any alterations commence.

    2. Execution of Changes:
      • [INSERT ENTITY/DEPARTMENT NAME] holds exclusive rights to conduct approved changes to the infrastructure.
      • All changes, once approved, are conducted strictly under the purview and oversight of this entity.

    3. Documentation and Record-keeping:
      • All approved changes are meticulously recorded in the central ticketing system maintained by [INSERT ENTITY/DEPARTMENT NAME].
      • This record retention ensures traceability and accountability for all changes made to the system.
      • On a monthly basis, a summarized report of all changes made to the system will be provided to the company by [INSERT ENTITY/DEPARTMENT NAME].

    4. Physical Access Restrictions:
      • Secure Area for CUI & Sensitive Assets:
          • All Controlled Unclassified Information (CUI), servers, backup systems, network appliances, and other sensitive technological assets are housed in a specially designated secure area of the building.
          • This area has been structurally fortified and equipped with additional security measures to deter unauthorized access, tampering, or compromise.
      • Access Control to Secure Area:
          • The IT closet or office within this secure area, which houses these crucial components, is kept securely locked at all times.
          • Access to this secured zone is strictly regulated. Only personnel explicitly authorized by [INSERT NAME/POSITION] and who have a demonstrated need-to-know are granted permission to access this space.
          • A biometric or card-based access control system, combined with CCTV surveillance, ensures that entry and exit are logged and can be audited if necessary.
      • Escorted Access:
          • Any other individual requiring access to the secured area for professional purposes must be escorted at all times while inside. An entry and exit log will be maintained, noting the reason for the visit and the duration of the stay.

    5. Roles and Responsibilities:
      • [INSERT NAME/POSITION]: Holds the authority to grant and authorize changes to the system’s hardware and software components.
      • [INSERT ENTITY/DEPARTMENT NAME]: Executes approved changes and maintains a record of all such changes in the central ticketing system.
      • IT Security Team: Ensures that the process laid out in this SSP is adhered to and may assist [INSERT NAME/POSITION] in the evaluation of proposed changes for potential security risks.

    6. Implementation Procedure:
      • All changes to the system, both physical and logical, are documented within this System Security Plan (SSP).
      • Steps leading to the implementation of approved changes are articulated in the accompanying Plan of Action and Milestones (POA&M).

    7. Review and Updates:
      • This SSP, along with its associated processes, will undergo periodic review to ensure it meets the evolving needs and challenges of the organization.
      • Adjustments, when necessary, will be made following the same procedure of approval and documentation laid out in this plan.

    Example of Plan of Action and Milestones (POA&M):

    Plan of Action and Milestones (POA&M) – Control 3.4.5

    1. Objective: Define/Document/Approve/Enforce Physical/Logical Access Restrictions

    2. Scope: Hardware, software, and other related components of the company’s IT infrastructure.

    Milestones:

    1. Authorization of Changes:
      • Status: In progress
      • Responsible Party: [INSERT NAME/POSITION]
      • Expected Completion: [INSERT DATE]
      • Comments: Awaiting final approval list for authorized personnel.

    2. Physical Security Measures Implementation:
      • Status: Pending
      • Responsible Party: Facility Management
      • Expected Completion: [INSERT DATE]
      • Comments: Plans for reinforced structures and advanced security mechanisms like biometrics and CCTV surveillance are in final stages.

    3. Setup & Integration of Central Ticketing System:
      • Status: Initiated
      • Responsible Party: [INSERT ENTITY/DEPARTMENT NAME]
      • Expected Completion: [INSERT DATE]
      • Comments: The system is currently being integrated and tested for effectiveness.

    4. Monthly Reporting Mechanism:
      • Status: Not Started
      • Responsible Party: [INSERT ENTITY/DEPARTMENT NAME]
      • Expected Completion: [INSERT DATE]
      • Comments: Reporting templates and mechanisms are being designed.

    5. Access Control Implementation:
      • Status: In progress
      • Responsible Party: IT Security Team
      • Expected Completion: [INSERT DATE]
      • Comments: The team is currently evaluating the best access control systems on the market.

    6. Training for Authorized Personnel:
      • Status: Scheduled
      • Responsible Party: HR & Training Department
      • Expected Completion: [INSERT DATE]
      • Comments: Training on procedures and protocols set in the SSP for all relevant personnel.

    7. Periodic Review of SSP:
      • Status: Ongoing
      • Responsible Party: IT Security Team & [INSERT ENTITY/DEPARTMENT NAME]
      • Expected Completion: Continuous activity, next review on [INSERT DATE]
      • Comments: Ensuring the SSP remains relevant and is updated as per organizational changes.

    8. Escorted Access Log Creation and Maintenance:
      • Status: In progress
      • Responsible Party: Security & Admin Teams
      • Expected Completion: [INSERT DATE]
      • Comments: Entry and exit logs are being designed; mechanisms for updates and audits are being established.

    Overall Progress: XX% (to be updated as milestones are achieved)

    Next Review Date: [INSERT DATE]

    RELEVANT INFORMATION:

    Any changes to the hardware, software, or firmware components of systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes, including upgrades and modifications. Access restrictions for change also include software libraries. Access restrictions include physical and logical access control requirements, workflow automation, media libraries, abstract layers (e.g., changes implemented into external interfaces rather than directly into systems), and change windows (e.g., changes occur only during certain specified times). In addition to security concerns, commonly accepted due diligence for configuration management includes access restrictions as an essential part of ensuring the ability to effectively manage the configuration. [SP 800-128] provides guidance on configuration change control.
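    As an added example (not part of this page, the SSP template above, or NIST SP 800-171), the following Python script shows what logical enforcement of the restrictions described in that paragraph can look like when wired into a change workflow: a change is permitted only if it was approved by the designated change authority, is carried out by the designated implementing entity, is scheduled inside an approved change window, and carries a ticket reference, and every decision (including denials) is written to a ticket log from which the monthly change summary in item 3 of the SSP can be produced. The role names, the Saturday 02:00–06:00 change window, ticket identifiers and timestamps are constructed placeholders standing in for the [INSERT NAME/POSITION] and [INSERT ENTITY/DEPARTMENT NAME] fields of the SSP.

```python
"""Logical enforcement of control 3.4.5 change restrictions (added example).

Every role, window, ticket id and timestamp here is a constructed placeholder;
replace them with the values your own SSP defines."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple

AUTHORIZED_APPROVERS = {"change.authority"}      # the [INSERT NAME/POSITION] role (assumed)
AUTHORIZED_IMPLEMENTERS = {"it-operations"}      # the [INSERT ENTITY/DEPARTMENT NAME] entity (assumed)
# Constructed change window: Saturdays (weekday 5), 02:00-06:00 local time.
CHANGE_WINDOWS = [(5, time(2, 0), time(6, 0))]


@dataclass
class ChangeRequest:
    ticket_id: str
    description: str
    requester: str
    implementer: str                 # entity that will perform the change
    scheduled_for: datetime
    approved_by: Optional[str] = None  # None means no approval has been recorded


@dataclass
class TicketLog:
    """Stand-in for the central ticketing system: every decision is retained."""
    entries: List[dict] = field(default_factory=list)

    def record(self, cr: ChangeRequest, allowed: bool, reason: str) -> None:
        self.entries.append({
            "ticket": cr.ticket_id, "when": cr.scheduled_for,
            "implementer": cr.implementer, "approved_by": cr.approved_by,
            "allowed": allowed, "reason": reason,
        })


def in_change_window(when: datetime) -> bool:
    """True if the scheduled time falls inside one of the approved windows."""
    return any(when.weekday() == day and start <= when.time() < end
               for day, start, end in CHANGE_WINDOWS)


def authorize_change(cr: ChangeRequest, log: TicketLog) -> Tuple[bool, str]:
    """Apply the SSP rules in order; the first failed check denies the change.
    Denials are logged as well, so attempts that bypass the process stay auditable."""
    checks = [
        (cr.approved_by in AUTHORIZED_APPROVERS, "no approval from the designated change authority"),
        (cr.implementer in AUTHORIZED_IMPLEMENTERS, "implementer is not the designated entity"),
        (in_change_window(cr.scheduled_for), "scheduled outside an approved change window"),
        (bool(cr.ticket_id.strip()), "no ticket reference for record-keeping"),
    ]
    for ok, failure in checks:
        if not ok:
            log.record(cr, False, failure)
            return False, failure
    log.record(cr, True, "authorized")
    return True, "authorized"


def monthly_summary(log: TicketLog, year: int, month: int) -> Dict:
    """Counts per outcome for one month: the input to the SSP's monthly change report."""
    summary: Dict = {"authorized": 0, "denied": 0, "denial_reasons": {}}
    for e in log.entries:
        if e["when"].year != year or e["when"].month != month:
            continue
        if e["allowed"]:
            summary["authorized"] += 1
        else:
            summary["denied"] += 1
            reasons = summary["denial_reasons"]
            reasons[e["reason"]] = reasons.get(e["reason"], 0) + 1
    return summary


def run_sample() -> Tuple[List[Tuple[str, bool, str]], Dict]:
    """Constructed sample: four requests in March 2024 (2024-03-09 is a Saturday)."""
    log = TicketLog()
    requests = [
        ChangeRequest("CHG-1001", "firmware update on core switch", "alice", "it-operations",
                      datetime(2024, 3, 9, 3, 0), approved_by="change.authority"),
        ChangeRequest("CHG-1002", "patch file server", "bob", "it-operations",
                      datetime(2024, 3, 12, 14, 0), approved_by="change.authority"),  # a Tuesday
        ChangeRequest("CHG-1003", "add VLAN for new lab", "carol", "it-operations",
                      datetime(2024, 3, 9, 4, 0)),                                     # never approved
        ChangeRequest("CHG-1004", "replace backup appliance", "dave", "facilities",
                      datetime(2024, 3, 9, 5, 0), approved_by="change.authority"),     # wrong entity
    ]
    decisions = []
    for cr in requests:
        allowed, reason = authorize_change(cr, log)
        decisions.append((cr.ticket_id, allowed, reason))
    return decisions, monthly_summary(log, 2024, 3)


if __name__ == "__main__":
    decisions, summary = run_sample()
    for d in decisions:
        print(d)
    print(summary)
```

    The checks are deliberately ordered so that the approval requirement is evaluated first: a change with no approval on record is denied regardless of when it is scheduled or who would perform it, which matches the SSP's rule that the named authority must approve before any alteration commences.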



    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.