4. All users with access to your data are individually known and referenced. Users are only ever granted the level of access required to perform their job. Access and privileges are removed as soon as they are no longer required.
In order to control and audit access to data you need to identify and authenticate every user. When people move jobs it’s easy to overlook the need to remove permissions they no longer need.
Over time this can undermine carefully planned ‘separation of duties’ controls as users may find they retain sufficient privileges to act as both parties in a scenario which should require two individuals to collaborate.
|
Any of the following statements are true |
All of the following statements are true |
All of the following statements are true |
|---|---|---|
|
Users are not individually identified and authenticated User access to data is not limited to the minimum necessary Permissions granted to users are not reviewed when they move jobs or leave your organisation |
Users are individually identified and authenticated User access to data is limited to the minimum necessary The list of users with access to the data set has not been reviewed for over 12 months |
Users are individually identified and authenticated User access to data is limited to the minimum necessary Your joiners, leavers and movers process ensures that user permissions are reviewed when people change jobs and periodically The list of users with access to the data set has been reviewed within the last 12 months |
5. All users with administrative access to your service are known. Strong authentication and access control is in place for them.
Depending on the service management and hosting models for your service, a large number of people could be in a position to access your bulk data stores, whilst avoiding some of the controls which are in place for normal users.
Privileged access may entail logical access to the service, for example through the configuration of operating systems and deployed software packages. But, it could also mean physical access to infrastructure.
Individuals with this degree of access need to be uniquely identified and authenticated with a high degree of confidence.
|
Any of the following statements are true |
N/A |
All of the following statements are true |
|---|---|---|
|
You do not know the names of all individuals with privileged access to administer your system (infrastructure, platforms, software, configuration etc.) The list of system administrators with access has not been reviewed within the last 12 months. It is not known whether all system administrators are strongly authenticated when accessing the system. |
Regardless of who they work for, you know the names of all individuals with privileged access to your system (infrastructure, platforms, software, configuration etc.) Their privileges are reviewed regularly as part of a joiners, movers and leavers process and periodically. The list of system administrators with access has been reviewed within the last 12 months. All system administrators are strongly authenticated when accessing the system. |
6. All external dependencies (e.g. third-party contractors) which the security of your service and data relies upon are known. Suppliers are vetted against defined security requirements, supported by contractual arrangements.
Suppliers who operate a service, or part of a service, are often targeted by attackers because of their access privileges. You should understand the implications of your suppliers’ access being compromised and manage this effectively through your contract with them.
It is important that you explain your security requirements to your suppliers in a meaningful way, as well as ensuring that their contractual obligations reflect your requirements.
|
Any of the following statements are true |
All of the following statements are true |
All of the following statements are true |
|---|---|---|
|
You do not understand which of your suppliers would have the ability to compromise your data. Suppliers who could potentially affect the security of your data are not contractually obliged to uphold the security of your service. Your suppliers were never assessed against any security requirements when they were selected, and have not been assessed since. |
You understand which of your suppliers would have the ability to compromise your data. These suppliers were assessed against defined security requirements (such as the measures in this guide) when they were selected, but no audit has been performed of their adherence to your requirements in the last 12 months. |
You understand which of your suppliers would have the ability to compromise your data. These suppliers were assessed against defined security requirements (such as the measures in this guide) when they were selected. You have audited your suppliers’ adherence to your security requirements within the last 12 months. |
7. You have an audit trail of access to data, supplemented by an active audit plan.
An accurate record of which individuals accessed which data records at a given time should be captured to support an effective audit function.
It should not be possible for anyone to modify the audit record in a bid to hide the fact that they have accessed certain records. Automated alerts should be raised in response to sensitive events, such as bulk export of data or suspicious queries (such as a user accessing a record where there is no related case working ticket).
|
Any of the following statements are true |
All of the following statements are true |
All of the following statements are true |
|---|---|---|
|
You do not have a log of which users accessed which data records. The integrity of the audit logs is not protected. No audit is performed of the logs except in event of an incident reported through other means. |
You have a log of which users accessed which data records. The integrity of the log is protected. Modification by users is prevented. Logs are reviewed on a regular (eg weekly) basis but no automation is in place to assist analysts. Security events are responded to through a well-known and tested process. |
You have a log of which users accessed which data records. The integrity of the log is protected. Modification by users is prevented. Security critical events are automatically analysed and alerts generated. Security events are responded to through a well-known and tested process. |
Source: NCSC
