The Access Control family is about controlling access to applications and information. This article lists the 25 access controls per baseline and the activities involved in each control.
Below are the controls required by the low baseline.
This policy should address purpose, scope, roles and responsibilities, so that it meets the needs of the organization and ensures compliance with applicable laws and regulations.
Organizations should define and document the types of accounts allowed and prohibited for use within the system, assign account managers, and specify authorized users, group and role membership.
Enforce approved authorizations for Access Control to information and system resources in accordance with applicable policies to ensure secure and private access between active entities and passive objects.
Enforce Access Control by limiting consecutive invalid logon attempts within an organization-defined time period.
Select one or more of the following actions when the maximum number of unsuccessful attempts is exceeded:
Required in baseline: low, moderate and high
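As an added illustration of the mechanism behind this control (example code written for this article, not taken from NIST or any product), the following Python sketch counts consecutive invalid logon attempts per account inside an organization-defined window and applies one of the selectable actions, locking the account for a fixed period. The threshold, window and lock duration are constructed values, and the names `LockoutPolicy` and `LogonAttemptTracker` are chosen here.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict


@dataclass
class LockoutPolicy:
    """Organization-defined parameters (constructed values for this example)."""
    max_attempts: int = 3          # consecutive failures tolerated before locking
    window_seconds: float = 900.0  # failures only count as consecutive inside this window
    lock_seconds: float = 1800.0   # chosen action: lock the account for this long


class LogonAttemptTracker:
    """Tracks consecutive invalid logon attempts per account and applies the
    lock action once the threshold is reached within the window.
    Time is passed in explicitly (seconds) so behaviour is deterministic."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str, now: float) -> bool:
        """True while the account's lock is in force; expired locks are cleared."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_failure(self, account: str, now: float) -> bool:
        """Record an invalid attempt. Returns True if the account is (now) locked."""
        if self.is_locked(account, now):
            return True
        attempts = self._failures[account]
        attempts.append(now)
        # Only failures inside the window count as consecutive.
        while attempts and now - attempts[0] > self.policy.window_seconds:
            attempts.popleft()
        if len(attempts) >= self.policy.max_attempts:
            self._locked_until[account] = now + self.policy.lock_seconds
            attempts.clear()
            return True
        return False

    def record_success(self, account: str, now: float) -> bool:
        """A valid logon resets the failure count. Returns False while locked:
        a correct password must not end the lock early."""
        if self.is_locked(account, now):
            return False
        self._failures[account].clear()
        return True
```

Note that a successful authentication during the lock period is still refused; otherwise an attacker who guesses the password during the lock would bypass the control. The window keeps a slow trickle of typos from locking a legitimate user.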
Notifications inform users that their usage may be monitored, recorded, and subject to audit, and that unauthorized use is prohibited and subject to criminal and civil penalties.
Organizations can use Access Control to identify and document user actions that can be performed on their systems without identification or authentication.
Organizations may ensure secure remote access to their systems by establishing and documenting usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed.
Establish and authorize secure wireless access to the system, covering wireless technologies such as microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth, with Access Control measures that ensure authenticator protection and mutual authentication.
Organizations may establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, including when they are outside of controlled areas.
Establish terms and conditions and identify controls for the use of external systems, such as personally owned systems, systems owned by other components, and systems owned by nonfederal organizations.
Below are the controls required by the moderate baseline. Within the moderate baseline you still need to comply with the controls of the low baseline.
Enforce approved authorizations for controlling the flow of information within and between systems, based on organization-defined policies. Access Control measures, such as rule sets, packet-filtering, and message-filtering, are employed to restrict system services and ensure information is transferred securely and in accordance with policy. Organizations also consider the trustworthiness of filtering and inspection mechanisms to enforce information flow.
To reduce the risk of malevolent activity, organizations may implement Access Control measures such as Separation of Duties. This involves identifying and documenting duties of individuals requiring separation. Use access control mechanisms to enforce Separation of Duties across systems and application domains.
Enforce the principle of least privilege, granting only authorized users and processes access to systems and operations necessary to accomplish assigned tasks.
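The two controls above (Separation of Duties and Least Privilege) can be enforced by one role-based policy: assignments are refused when a user would hold two roles documented as conflicting, and authorization is default-deny, passing only permissions a held role explicitly grants. The Python below is an added example written for this article, not NIST's or any product's code; the payment workflow, role names and users are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set


class PolicyViolation(Exception):
    """Raised when a role assignment would breach separation of duties."""


@dataclass
class RbacPolicy:
    # role -> permissions it grants; a permission is written "operation:object"
    role_permissions: Dict[str, Set[str]] = field(default_factory=dict)
    # pairs of roles that one user may never hold together (separation of duties)
    exclusive_roles: Set[FrozenSet[str]] = field(default_factory=set)
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)

    def define_role(self, role: str, *permissions: str) -> None:
        self.role_permissions[role] = set(permissions)

    def separate(self, role_a: str, role_b: str) -> None:
        """Document that role_a and role_b are duties requiring separation."""
        self.exclusive_roles.add(frozenset({role_a, role_b}))

    def assign_role(self, user: str, role: str) -> None:
        """Enforce separation of duties at assignment time, not only at use."""
        if role not in self.role_permissions:
            raise PolicyViolation(f"undefined role {role!r}")
        held = self.user_roles.setdefault(user, set())
        for existing in held:
            if frozenset({existing, role}) in self.exclusive_roles:
                raise PolicyViolation(
                    f"{user}: {role!r} conflicts with {existing!r} (separation of duties)")
        held.add(role)

    def is_authorized(self, user: str, permission: str) -> bool:
        """Least privilege: default deny; only explicitly granted permissions pass."""
        return any(permission in self.role_permissions[role]
                   for role in self.user_roles.get(user, ()))


def sample_policy() -> RbacPolicy:
    """Constructed example: initiating and approving a payment are separated duties."""
    policy = RbacPolicy()
    policy.define_role("payment_initiator", "create:payment", "read:payment")
    policy.define_role("payment_approver", "approve:payment", "read:payment")
    policy.define_role("auditor", "read:payment", "read:ledger")
    policy.separate("payment_initiator", "payment_approver")
    policy.assign_role("alice", "payment_initiator")
    policy.assign_role("bob", "payment_approver")
    policy.assign_role("carol", "auditor")
    return policy
```

Checking the conflict at assignment time is what makes the separation auditable: the set of conflicting role pairs is the documented list of duties requiring separation, and a review of `user_roles` against it is the compliance check.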
Users apply Access Control by initiating a device lock after a specified period of inactivity or before leaving the system unattended.
Device locks can be implemented at the operating system level or at the application level, and may be initiated through a Bluetooth-enabled device or dongle. However, device locks are not a substitute for logging out of systems.
Automatically terminate user sessions after organization-defined conditions or trigger events, such as periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use.
Ensure authorized users can quickly and accurately assess Access Control restrictions for organization-defined information sharing circumstances where user discretion is required. Employ automated mechanisms or manual processes to help users make informed decisions about sharing and collaboration.
Below are the controls required by the high baseline. Within the high baseline you still need to comply with the controls of the low and moderate baselines.
Ensure Access Control by limiting the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number. This can be done globally, by account type, by account, or any combination thereof, to protect sensitive domains or mission-critical applications.
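The session termination control from the moderate baseline (terminate after a period of inactivity) and the concurrent session control above can share one session manager. The Python below is an added example for this article, not NIST's or any product's code; the inactivity timeout and the per-type limits (one session for privileged accounts, three for standard ones) are constructed values, and per-account limits override the type limit.

```python
import itertools
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SessionPolicy:
    """Organization-defined values (constructed for this example)."""
    inactivity_timeout: float = 900.0   # terminate sessions idle for 15 minutes
    # concurrent-session limits by account type; per-account entries override them
    max_sessions_by_type: Dict[str, int] = field(
        default_factory=lambda: {"privileged": 1, "standard": 3})
    max_sessions_by_account: Dict[str, int] = field(default_factory=dict)


@dataclass
class Session:
    session_id: int
    account: str
    account_type: str
    last_activity: float


class SessionManager:
    """Enforces the concurrent-session limit when a session is opened and
    terminates idle sessions; time is passed in explicitly (seconds)."""

    def __init__(self, policy: SessionPolicy) -> None:
        self.policy = policy
        self._sessions: Dict[int, Session] = {}
        self._ids = itertools.count(1)

    def _limit_for(self, account: str, account_type: str) -> Optional[int]:
        if account in self.policy.max_sessions_by_account:
            return self.policy.max_sessions_by_account[account]
        return self.policy.max_sessions_by_type.get(account_type)  # None = unlimited

    def expire_idle(self, now: float) -> List[int]:
        """Terminate every session idle for at least the timeout; returns their ids."""
        expired = [sid for sid, s in self._sessions.items()
                   if now - s.last_activity >= self.policy.inactivity_timeout]
        for sid in expired:
            del self._sessions[sid]
        return expired

    def active_sessions(self, account: str, now: float) -> List[Session]:
        self.expire_idle(now)
        return [s for s in self._sessions.values() if s.account == account]

    def open_session(self, account: str, account_type: str, now: float) -> Optional[int]:
        """Returns the new session id, or None when the account's limit is reached."""
        limit = self._limit_for(account, account_type)
        if limit is not None and len(self.active_sessions(account, now)) >= limit:
            return None
        sid = next(self._ids)
        self._sessions[sid] = Session(sid, account, account_type, now)
        return sid

    def touch(self, session_id: int, now: float) -> bool:
        """Record activity on a session; False if it was already terminated."""
        self.expire_idle(now)
        session = self._sessions.get(session_id)
        if session is None:
            return False
        session.last_activity = now
        return True
```

Idle sessions are reaped before the limit is counted, so a user whose earlier session timed out is not refused a new one; a session that has expired is never revived by later activity.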
Below are the controls that are optional. You can use these controls as inspiration if you need to control specific situations and risks.
Notify users of their last successful logon date and time with Previous Logon Notification, an Access Control feature applicable to system access via human user interfaces and other architectures. This information helps users recognize any discrepancies between the provided date and time and their last access.
Ensure that Access Control activities are regularly supervised and reviewed to ensure their effectiveness and compliance with organizational security policies and procedures.
Automated Marking is a system to automatically mark users based on their respective features and behavior. This allows you to provide more granular access controls.
Organizations can use Access Control to associate security and privacy attributes with information in storage, in process, and/or in transmission. These attributes can be used to enforce security and privacy policies, such as data retention limits, permitted uses of personally identifiable information, and identification of personal information within data objects.
Labeling and marking techniques are used to associate attributes with subjects and objects, enabling system-based and manual enforcement of policies.
Ensure that only authorized individuals have access to nonpublic information by training them to make sure that publicly accessible content does not contain any nonpublic information. Review proposed content prior to posting and regularly review existing content for nonpublic information, removing it if discovered. Comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines to protect privacy and proprietary information. Access Control is key to ensuring that only authorized individuals have access to nonpublic information.
Access Control techniques are used to protect against unauthorized data mining. A different set of techniques is needed to prevent parties on the internet from mining your publicly accessible data.
Organizations may establish procedures and implement mechanisms to ensure their organization-defined access control decisions are applied to each access request prior to access enforcement. This will ensure that only authorized accesses are allowed.
The Reference Monitor enforces an Access Control policy over all subjects and objects, ensuring that access is restricted based on the identity of the subject or group they belong to. It is tamper-proof, always invoked, and small enough to be subject to analysis and testing, guaranteeing the completeness of the policy's enforcement.
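The reference monitor, the access control decision step before enforcement, security attributes bound to subjects and objects, and information flow enforcement all come together in one small mechanism. The Python below is an added example written for this article, not NIST's or any product's code: every access goes through a single `decide()` method that compares the subject's clearance label with the object's label (no read-up, no write-down between levels and compartments), defaults to deny for anything it does not recognise, and records each decision so the policy's enforcement can be reviewed. The levels, compartments, subjects and objects are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Tuple


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Label:
    """Security attribute bound to a subject (clearance) or an object."""
    level: Level
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        return self.level >= other.level and other.compartments <= self.compartments


class ReferenceMonitor:
    """Single mediation point: every request is decided against the labels
    before enforcement, and every decision is recorded for review."""

    def __init__(self) -> None:
        self._subjects: Dict[str, Label] = {}
        self._objects: Dict[str, Label] = {}
        self.audit: List[Tuple[str, str, str, bool]] = []

    def register_subject(self, name: str, clearance: Label) -> None:
        self._subjects[name] = clearance

    def register_object(self, name: str, label: Label) -> None:
        self._objects[name] = label

    def decide(self, subject: str, operation: str, obj: str) -> bool:
        subj = self._subjects.get(subject)
        target = self._objects.get(obj)
        if subj is None or target is None:
            allowed = False                      # unknown party: default deny
        elif operation == "read":
            allowed = subj.dominates(target)     # no read-up
        elif operation == "write":
            allowed = target.dominates(subj)     # no write-down
        else:
            allowed = False                      # unrecognised operation
        self.audit.append((subject, operation, obj, allowed))
        return allowed

    def enforce(self, subject: str, operation: str, obj: str) -> None:
        """Enforcement only ever happens after decide(); nothing bypasses it."""
        if not self.decide(subject, operation, obj):
            raise PermissionError(f"{subject} may not {operation} {obj}")


def sample_monitor() -> ReferenceMonitor:
    """Constructed labels for the example."""
    rm = ReferenceMonitor()
    rm.register_subject("analyst", Label(Level.CONFIDENTIAL, frozenset({"finance"})))
    rm.register_object("public-site", Label(Level.PUBLIC))
    rm.register_object("weekly-report", Label(Level.INTERNAL, frozenset({"finance"})))
    rm.register_object("merger-plan", Label(Level.RESTRICTED, frozenset({"finance"})))
    rm.register_object("hr-file", Label(Level.CONFIDENTIAL, frozenset({"hr"})))
    return rm
```

The three reference monitor properties map onto the code directly: "always invoked" is the rule that `enforce()` is the only path to an object and calls `decide()` first; "tamper-proof" is the private label tables that callers cannot edit through the access path; "small enough to analyse" is the handful of lines in `decide()` that a reviewer can check against the written policy.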