Access Controls (from NIST)
This access control list and description are meant to tie the access control to an activity or behavior. For NIST's descriptions, see NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems.
- Access control policy and procedures (low) - These define the security policies about access controls covering:
- Password policy - password length, password complexity, password expiration, bad logon attempts, and may specify security protocols to use.
- Access to the internet - Who and what access. How is access limited? What is allowed and not allowed for groups or individuals?
- Defines how access to external business resources is done.
- Defines types of users that can use the system, what functions the users can perform, and what resources they can access.
- Defines types of accounts, groups, resource access, and access rights for systems and the network.
- Specifies how often account lists are reviewed to be sure they are current.
- Account management (low) - Includes:
- Identify and manage account types
- Determine groups, memberships, and group privileges and access.
- Account creation - there should be an account creation process.
- Account removal and/or disabling - there should be an account removal process.
- Periodic review of accounts for accuracy.
- Access enforcement (low)
- Prevent use of path traversal to bypass access controls from web applications
- Use secure hard to guess user IDs for applications.
- Require the user to authenticate before allowing access to resources. Don't let the user bypass access controls. For web applications, don't let the user browse past the login page to a deeper page.
- Make sure file permissions are set properly.
- Make sure pages with sensitive information are not cached on user's computers.
- Methods of access controls include access control lists (ACLs), and encryption.
- Information flow enforcement - Firewall, routers, and servers only allow specific flow of network traffic. A database server may only queries from specific IP addresses. (moderate)
- Separation of duties - Different people perform different duties to the extent that fraudulant or illegal activities cannot be done by one person. Duties that may be separated include network management, network security, application programming, account administration, server administration, application program testing, etc. (moderate)
- Least privilege - Users, administrators, and service accounts have no more than the minimum rights and privileges to perform their jobs or functions. (moderate)
- Unsuccessful login attempts management - A specified number of invalid login attempts during a specified amount of time is defined which will cause the account to lock for a specified amount of time or need to be reset by an administrator. (low)
- System use notification - A warning message is displayed during logon indication that the computer system is for official use only, activity may be monitored, and use of the system indicates consent to monitoring. (low)
- Previous logon notification - When the user logs in successfully, it tells them the last time they logged in and how many unsuccessful attempts to log in have happened since then. (none)
- Concurrent session control - The number of simultaneous sessions for the user to the system is limited to a set number. (high)
- Session Lock - The user can lock their session which will prevent someone else from using that session without providing login credentials (user ID and password) again. (moderate)
- Session termination - Sessions are terminated automatically after a set time of inactivity. (moderate)
- Supervision and review - Audit records are reviewed for any inappropriate activities. Inappropriate activities are investigated. (low)
- Permitted actions without identificationor authentication - Defined actions that can be performed without authentication are identified and documented. (low)
- Automated marketing - Standard naming conventions are used by the application to mark its output as defined by the project or organizational requirements. (moderate)
- Automated labeling - The application automatically appropriately labels information. (moderate)
- Remote access - Access to the computer system from remote locations is monitored, and controlled. The remote access is the type of access used by administrators such as terminal services. The connection method may be RAS dial-up to the network, VPN, or a connection from the internet through an external firewall. Allowed methods should be determined and their access is logged and log files are reviewed regularly. Remote access connections should in most cases be encrypted. Access may also be controlled by limiting the IP addresses where remote services can connect from. An example Remote Access Policy. (low)
- Wireless access restrictions - The organization specifies approved wireless equipment recommended for use in the organization, provides guidance in how to securely configure the equipment, and restricts wireless use so security is not compromised. Wireless use is monitored. There should be a policy for wireless use in the organization. An example Wireless Use Policy. (low)
- Access control for portable and mobile systems - Portable computer systems should be controlled with a policy. The policy should state computer security standards for mobile devices including the use of firewalls, anti-virus software on the devices, system updates, and any additional protection. This will protect them when they are not in the organizational network. The policy should also address the type of data that can be stored on the device and whether it should be encrypted. The policy should consider the possible theft of the mobile devices. See Mobile Computer Policy for an example policy and guide to writing it. (moderate)