To ensure authorized access and prevent unauthorized access to data and other related resources, the organization has defined and implemented clear rules for managing physical and logical access.
Rules are implemented and enforced through several different tasks, but are also combined into an access control policy for clear communication and review.
Data system owner determines the access roles to the system in relation to the tasks of users. The compliance of the actual access rights with the planned ones must be monitored and the rights reassessed at regular intervals.
When reviewing access rights, care must also be taken to minimize admin rights and eliminate unnecessary accounts.
The password management system allows the user in a registration situation to decide how complex a password is to be set this time and to remember it on behalf of the user.
When using the password management system, e.g. the following principles:
The organization has predefined authentication methods that employees should prefer when using data systems.
When using cloud services, the user can often freely decide how he or she authenticates with the service. A single centralized authentication account (such as a Google or Microsoft 365 account) can help close a large number of access rights at once when the main user account that acts as the authentication method is closed.
Systems containing important information should be logged in using a multi-authentication logon, also known as either “two-factor”, “multi-factor” or “dual factor” authentication.
For example, when first logging in with a password, a one-time authentication code can also be sent to the user as a text message. In this case, he has been identified by two factors (knowing the password and owning the phone).
Biometric identifiers (eg fingerprint) and other devices can also be used for two-stage authentication. However, it is worth considering the costs and implications for privacy.
The ogranisation must have defined requirements and procedure for handling of identification means over their entire lifecycle. Following have to be considered:
The Identification means should be able to be produced only under controlled conditions.
If the access related to assets with high protection needs the validity of identification means should be limited to the needed time period and the plans to block or invalidate identification means in case off loss should be implemented and prepared.
Tietojenkäsittely-ympäristöjen toimijoiden tunnistamiselta edellytetään seuraavia lisätoimia:
Tietyissä tilanteissa sähköisiä tunnistusmenelmiä voidaan korvata fyysisen turvallisuuden toimilla (esim. pääsy järjestelmään vain tiukasti rajatulta ja fyysisesti suojatulta alueelta, kuten lukittu laitekaappi, jota valvotaan vahvalla tunnistamisella). Nojattaessa fyysisen turvallisuuden menettelyihin, tulee myös fyysisen turvallisuuden menettelyjen täyttää jäljitettävyydelle asetetut vaatimukset erityisesti lokitietojen ja vastaavien tallenteiden säilytysaikojen suhteen. Tällöin varsinainen järjestelmään tunnistautuminen voi olla esim. käyttäjätunnus-salasana -pari.
Tietojärjestelmien kriittisimpiä ylläpitotehtäviä valvotaan riittävällä tarkkuudella.
Tarvittava tarkkuus valvonnassa ja tehtävien eriyttämisessä riippuu merkittävästi kyseessä olevan tietojärjestelmän käyttötapauksista. Useimmissa järjestelmissä riittävä eriyttäminen on toteutettavissa järjestelmän ylläpitoroolien ja lokien valvontaan osallistuvien roolien erottelulla toisistaan. Yleinen valvontamekanismi on myös vaatia kahden tai useamman henkilön hyväksyntä järjestelmän kriittisille ylläpitotoimille.
Käyttäjien käyttäjätunnukset lukittuvat tilanteissa, joissa tunnistus epäonnistuu liian monta kertaa peräkkäin.
Limiting access rights in accordance with the principle of least rights can reduce both intentional and unintentional actions, as well as the risks caused by, for example, malware.
Security-classified information in information systems is separated according to the principle of least rights by means of user rights and system handling rules or by other similar procedures.
Separation can be carried out:
Hallintayhteydet on rajattu turvallisuusluokittain, ellei käytössä ole turvallisuusluokka huomioon ottaen riittävän turvallista yhdyskäytäväratkaisua.
Järjestelmien ja sovellusten ylläpitotunnuksien on oltava henkilökohtaisia. Mikäli henkilökohtaisten tunnusten käyttäminen ei kaikissa järjestelmissä tai sovelluksissa ole teknisesti mahdollista, edellytetään sovitut, dokumentoidut ja käyttäjän yksilöinnin mahdollistavat hallintakäytännöt yhteiskäyttöisille tunnuksille.
Hallintayhteydet on rajattu vähimpien oikeuksien periaatteen mukaisesti.
Hallintapääsyn julkisesta verkosta tai muun käytettävän etähallintaratkaisun tulee edellyttää vahvaa, vähintään kahteen todennustekijään pohjautuvaa käyttäjätunnistusta.
Hallintayhteyksien suojaus on eräs kriittisimmistä tietojärjestelmien turvallisuuteen vaikuttavista tekijöistä. Tietojärjestelmiä, jotka eivät sisällä kriittisiä tietoja, voi kuitenkin olla perusteltua pystyä hallinnoimaan myös fyysisesti suojattujen turvallisuusalueiden ulkopuolelta. Tällöin etähallinta on tarpeen suojata etäkäyttöä kattavammilla turvatoimilla.
The organization verifies the identity of users and associates them with user information. These should also be confirmed before any interaction.
Identity verification must be performed according to pre-written and approved rules.
Access to the organisation's systems is granted and managed according to principle of least privilege. No further access will be granted to the user when necessary.
The permissions will be checked and the need will also be reduced if the user has the rights user needed to perform the tasks but no longer needs them.
When offering cloud services, the organisation should specify the requirements needed for use of utility programs in relation to the cloud service it provides.
Organisation should make sure that the use of utility programs that can bypass normal operating or security procedures is limited to authorized personnel. The use and usefulness of these utility programs should be reviewed regularly.
Privileged utility programs are applications that require system or administrative privilege to do their jobs. Different kinds of utilities can include system utilities (e.g. malware protection), storage utilities (e.g. backup), file management utilities (e.g. encryption) or others (e.g. patching).
If use of privileged utility programs is permitted, the organisation should identify all privileged utility programs, also ones that are used in its cloud computing environment.
Organisation should ensure utility programs don’t interfere with controls of data systems hosted in any way (on-premises or cloud).
When offering cloud services, the organisation should provide the technical implementation to enable the customer to manage the users access rights to their account.
The organisation should also provide instructions and specifications for the use of the user management (e.g. help articles, FAQs), e.g. related to available authentication methods, single sign-on capabilities and different admin actions.
When offering cloud services, the organisation should provide the technical implementation to enable the customer to manage the user registration and deregistration to the service.
The organisation should also provide instructions and specifications for the creation / deletion of users (e.g. help articles, FAQs), e.g. related to different user levels, user invitation process and different admin actions.
De-activated or expired user IDs should never be re-used for other users.
This is relevant as a general administration principle for self-developed cloud services and all other utilized data systems, where other maintenance may be provided by a partner organization, but access / user ID management by the organization itself.
The organization should maintain an up-to-date record of users who have authorized access to offered cloud services.
There should be a profile for each user that contains a set of data necessary (e.g user ID and other authentication information) to implement technical controls for providing authorized access.
The organisation must manage all of it’s users and their privileges. This includes all third party users, which have access into the organisations data or systems.
The organisation must remove users entirely or remove privileges from them when they are no longer needed e.g when employee role changes.
To protect from e.g brute force attacks the organisation must use at least one of the following practices:
In addition the following password practices should be in place:
The organisation must change the default passwords on all of its devices (e.g. computers, network devices). The changed passwords must be hard to guess.
The organization has to limit log access to authorized personnel only. Logs must log when they have been viewed and those logs have to be kept so, that log views can be identified.
The organization must use unique usernames in order to associate users and assign responsibility for them.
Shared usernames are not allowed and users are not allowed to access information systems until a unique username is provided.
The organization must have policies and procedures in place that allow the customer to participate, if possible, in the process of approving high-risk administrator rights.
Poikkeamat roolikohtaisista oikeuksista tulee asianmukaisesti hyväksyä ja dokumentoida.
Supervisors have been instructed to notify the owners of data systems in advance of significant changes in the employment relationships of subordinates, such as promotions, discounts, termination of employment or other changes in the job role.
Based on the notification, a person's access rights can be updated either from the centralized management system or from individual data systems.
Admin rights are managed through a formal process aimed at limiting the allocation of admin rights and controlling their use.
Regarding admin rights:
The organization implements role-based access control with predefined access roles for the various protected assets that entitle access to the associated asset. Strictness of the access roles should reflect the security risks associated with the asset.
The following should be considered to support access management:
Multi-factor authentication (MFA) helps protect devices and data. To apply it, users must have more information in the identity management system than just an email address - for example, a phone number or an attached authenticator application (e.g. Microsoft, Google, or LastPass Authenticator).
Especially in the main identity management systems (e.g. Microsoft 365, Google), administrator accounts have very significant rights. These accounts are often the target of scammers and attacks because of their value. For this reason, it is useful to dedicate administrator accounts to administrative use only, and to not use these accounts for everyday use or, for example, when registering with other online services.
Multi-factor authentication (MFA) is required for administrators in the organization's key data systems.
For example, when first logging in with a password, a one-time identification code can also be sent to the user as a text message. In this case, he has been identified by two factors (knowing the password and ownership of the phone).
Biometric identifiers (e.g. fingerprints) and other devices can also be used for multi-stage authentication. However, it is worth considering the costs and implications for privacy.
Shared accounts should only be allowed if they are necessary for business or operational reasons and should be separately approved and documented.
If shared accounts are used for admin purposes, passwords must be changed as soon as possible after any user with admin rights leaves their job.
One way to manage the risks associated with shared usernames is to manage the shared password and its users directly through a password management system.
In this case, it is possible to act in such a way that, for example, only an individual person actually knows the password and the persons who use it.
The system or application login procedure should be designed to minimize the potential for unauthorized access.
The login process should therefore disclose as little information about the system or application as possible so as not to unnecessarily assist an unauthorized user. Criteria for a good login procedure include e.g.:
The need-to-know principle grants access only to information that an individual needs to perform his or her task. Different tasks and roles have different information needs and thus different access profiles.
Separation of tasks means that conflicting tasks and responsibilities must be separated in order to reduce the risk of unauthorized or unintentional modification or misuse of the organisation's protected assets.
The automatic communication between systems should be secured with digital certificates. Digital certificates are used to identify the connecting device before granting access to the system. Secure key policy must also be taken into account here.
The organization must use digital certificates or other similar arrangements to achieve a strong level of authentication equivalent to multi-step authentication for system identities handling maintenance rights or sensitive information.
Organisaatio on määritellyt roolit, joissa toimivat henkilöt voivat hyväksyä käyttöoikeuspyyntöjä. Organisaatio on lisäksi määritellyt, kuinka dokumentoidaan muut henkilöt, jotka voivat hyväksyä käyttöoikeuspyyntöjä.
The organization maintains a centralized record of the access rights granted to each user ID to data systems and services. This recording is used to review access rights at times of employment change or in the onboarding process of new colleagues joining the same role.
To ensure that authorized users have access to data systems and to prevent unauthorized access, the organization has defined formal processes for:
The implementation of these things must always take place through a defined, formal process.
By blocking the use of outdated authentication methods, we can make it more difficult for attackers to gain unauthorized access. For example, in a Microsoft 365 environment, Office applications in the 2013 model support outdated authentication methods by default (for example, Microsoft Online Sign-in Assistant), but you can prevent this by creating a policy that prevents these outdated authentication methods.
Credentials should be securely transmitted to users. delivery of a password or through unprotected external party (plaintext) e-mail message should be avoided.
The granting of access rights in the organisation related to high confidentiality access can only be approved by the internal owner of the related high confidentiality information.