Non-functional Requirement - Data Access

Category: Security

Context: Data Access

Goals: A system must have the ability to control and monitor access and modification to a system and the data managed by the system. The ability to access and modify the data must be limited to authorized individuals. The authorization must be dependent on current work assignment, job function or other business requirement.

Rationale: Limiting an individual’s access to only the systems and data they need to complete work assignments or job duties mitigates inappropriate access or modification of protected or confidential data.

Requirement: Access to data must be granted to individuals by the data owner or a person authorized to grant access. Access must be revoked when it is no longer required for the individual's work assignment or job duties. Logging of access must be implemented to the level defined under Metric below. Security controls must be implemented to the level defined under Metric below.

Metric:

Level A:

A1. Multi-factor authentication is required for each individual accessing or modifying the system configuration or system-managed Highly Restricted or Restricted data.
A2. Individual access to the system and data is reviewed every 6 months.
A3. Default deny logical controls exist between all security perimeters.

Level B:

B1. The system will maintain a non-refutable log of all access to and modifications of Highly Restricted IT system configuration and system-managed data, sufficient to determine the individual, IP address, and date/time.
B2. Multi-factor authentication is required for each individual accessing or modifying the system configuration.
B3. Tools and processes exist that detect, log and alert on unauthorized access to the system and to data managed by the system.
B4. When work assignments change, access is updated to reflect new work assignment.
B5. Access to data is based on assigned roles.
B6. Documented business or functional requirements identify the privileges required to perform all business functions that access or modify Highly Restricted or Restricted data.
B7. System accounts will conform to the requirements defined in International Standards Organization (ISO) 27002, sections 9.4.2 and 9.4.3.

Level C:

C1. IT system administrator and user access is logged.
C2. Individual access to the system and data is reviewed annually.
C3. Unique credentials are required for each individual accessing the data.
C4. A documented relationship exists between the data owner and the data custodian.
C5. Logical controls exist that enforce a default-deny policy from lower to higher security perimeters.

Level D:

D1. A process for granting and revoking logical and physical access is implemented.
D2. Credentials used to access the IT system or data meet the controls and guidance defined in International Standards Organization (ISO) 27002, sections 9.4.2 and 9.4.3.
D3. Logical and physical security perimeters are identified and documented.
D4. The IT systems storing or managing the data will have network segmentation controls implemented to meet the controls and guidance defined in ISO 27002, section 13.1.3.
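The following is an added illustration, not part of the requirement template, of how several of the metrics above map to code: a default-deny, role-based authorization decision (A3, B5, C5), a hash-chained access log carrying the individual, IP address and date/time that B1 calls for, and a check for overdue access reviews (A2, C2). The role map and privilege names are constructed for the example; the hash chain provides tamper evidence only, and a production "non-refutable" log would additionally sign entries and forward them to a separate log store.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed example of the documented privileges per business function (B6).
ROLE_PRIVILEGES = {
    "claims_analyst": {("claims", "read"), ("claims", "modify")},
    "auditor": {("claims", "read")},
}

GENESIS = "0" * 64


@dataclass
class AuditLog:
    """Append-only log; each record is chained to the previous one by SHA-256."""
    entries: list = field(default_factory=list)
    last_hash: str = GENESIS

    def record(self, user, ip, resource, action, allowed, when):
        entry = {"user": user, "ip": ip, "resource": resource, "action": action,
                 "allowed": allowed, "time": when.isoformat(), "prev": self.last_hash}
        body = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(body).hexdigest()
        self.entries.append(entry)
        self.last_hash = entry["hash"]
        return entry

    def verify(self):
        """Recompute the chain; any edited, removed or reordered record breaks it."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


def authorize(user, roles, ip, resource, action, log, when=None):
    """Default deny: allowed only if an assigned role grants (resource, action).
    Every decision, allowed or not, is logged with who, from where and when."""
    when = when or datetime.now(timezone.utc)
    allowed = any((resource, action) in ROLE_PRIVILEGES.get(r, set()) for r in roles)
    log.record(user, ip, resource, action, allowed, when)
    return allowed


def review_overdue(last_review, now, level="A"):
    """A2 requires a review every 6 months; C2 requires one annually."""
    limit = timedelta(days=182) if level == "A" else timedelta(days=365)
    return now - last_review > limit
```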

Scale: <existing internal standard>

Stakeholders: Data owners, System Managers, Operations

Implications: If this requirement is not met, the appropriate security controls may not be implemented to protect the data from unauthorized access or improper data exposure.

Applicability: See Enterprise Requirements Framework

Tags: Security, Data Access

Status: Approved, Requirement

Author: <Author>

Revision: <Revision>


Note:

Includes traditional concepts such as account provisioning and management, account credentials, authorization, least-privilege based data access, business activity logging and audit logging, security perimeters and perimeter controls.

The intent of this requirement is to limit access to data based on need-to-know to perform job duties and to alert on inappropriate access, and/or have an audit trail of access or activities (i.e. read, write, modify, delete) that can be traced to an individual.