ISMF Guideline 25 - User Access Management

OCIO/G4.25
Government guideline on cyber security
ISMF Guideline 25
User Access Management
BACKGROUND
Government agencies depend on information to provide services to citizens, businesses and the
community. This information is accessed by many internal and external users through applications,
networks and online. To meet expectations in terms of service delivery while maintaining
information security, agencies are expected to undertake sound management of any information
access provisions.
Access management is the mechanism by which all access to information and related assets can
be controlled. This guideline aims to assist in identifying and developing suitable practices,
controls and other mechanisms that provide authorised users with appropriate access rights to
required information, while preventing access by unauthorised users.
This guideline supports implementation of ISMF Policy Statement 25.
GUIDANCE
Agencies are responsible for developing and implementing procedures and practices to maintain
adequate controls over access to information. These procedures and practices need to reflect the
value and sensitivity of the information, system or service to be accessed, as determined by the
organisation. Information access management policies and procedures implemented in an agency
are the direct outcome of the findings of a business impact assessment against identified risks.
This guideline has been developed to assist with appropriate considerations for user access
control measures with regards to information and related systems and services, and the roles and
responsibilities within South Australian Government agencies.
PRE-REQUISITE DOCUMENTS
The ISMF should be read in conjunction with this guideline. Implementing the guidance in this
document may assist in meeting various requirements contained in the ISMF Policy Statement 25
(User access management). The predominant ISMF standards relating to access management are
the ISMF Standards 77, 78, 79 and 80.
TERMS
The terms below are defined terms contained in the ISMF; they are provided here for convenience:

- Business Owner – the person or group that is ultimately responsible for an information asset.
  This person or group is distinct from an information custodian, who may take responsibility for
  the ongoing management of the information (such as a CIO or system administrator). Individual
  business units own business critical information, rather than information technology or
  information security departments (they are custodians, not owners). The manager of the
  business unit responsible for the creation of any information and / or the business unit directly
  impacted by the loss of the information is usually the Business Owner (e.g. the party most
  impacted by the loss of confidentiality, integrity or availability of information is typically the
  Business Owner). The term Business Owner is synonymous with the expression Risk Owner
  used by the ISO 27001 standard.

- Responsible Parties – Agencies and Suppliers who are subject to contractual conditions that
  require them to comply with the ISMF. Where any ambiguity arises between these entities in
  relation to adherence to the ISMF, the Agency Controls implemented in the Customer
  Agreement shall prevail (i.e. the Agency remains the default party and the Customer
  Agreement is used as the vehicle for setting the scope and requirements for the Supplier to
  comply with either the entirety of the ISMF or part(s) thereof. The Customer Agreement may
  also introduce additional Agency-specific controls and policies that the Supplier must comply
  with).

- Official Information – any information developed, received or collected by, or on behalf of, the
  Government, through its agencies and contracted providers.

- Information Asset – anything that processes, stores or communicates information of value to
  the Agency or organisation. Information assets in the South Australian Government are
  commonly referenced as holistic systems, for example: TRUMPS, LOTS, EMS, Masterpiece
  etc. This definition is distinct from the definition used by the ISO 27000 series standards as the
  ISMF relates specifically to cyber security.
Government guideline on cyber security
User access management 1.0
Page 2 of 8
USER AND ACCESS REGISTRATION
User registration and provisioning refers to the formal assignment, documentation and removal of
user access to information and associated systems and services. It facilitates establishing, tracking
and verifying that the right individuals have access commensurate with their roles and
responsibilities.
This section facilitates the development of appropriate measures to assign, approve and document
who can use, change, view or otherwise access information and associated systems and services,
and to determine the circumstances in which such access is permissible.
Table 1 - User and Access Registration guidance
Applicability: All classifications

- Responsible Parties should require all users to proceed through a formal registration process in
  order to gain access to information and systems. This process should incorporate:
  - the authorisation of access by the relevant Business Owners or their delegates via formalised
    and documented procedures
  - the formal acknowledgement by users that they understand and accept the associated access
    conditions.
  (Reference: ISMF Standard 77)

- Responsible Parties should maintain and regularly review a register of all users and access
  authorisations to agency information assets, including any suppliers, temporary, contract or other
  third-party personnel. (Reference: ISMF Standard 77)

- Responsible Parties should periodically assure the implementation effectiveness and personnel
  awareness of policies and procedures covering the user access lifecycle from provisioning to
  deactivation. (Reference: ISMF Standard 77)

- Shared, non-user-specific accounts should not be allowed. In situations where they are necessary
  for business or operational reasons, Responsible Parties should consider implementing adequate
  measures for attributing account activities and actions to specific personnel.
  (Reference: ISMF Standard 77)

- Business Owners should consider including formal sanctions, such as temporary or permanent
  access suspension, or provisions for legal action, in personnel or service contracts for
  unauthorised activities, including attempted ones. (Reference: ISMF Standard 77)
PRIVILEGED ACCESS
Privileged access is any access where users are granted elevated or increased application or
operating system capabilities. Certain privileges may permit a user to alter or bypass established
security controls. Privileged access is needed in specific circumstances to enable the efficient
operation of information systems and services. It provides high levels of access to systems and
data such as providing the ability to read, update or distribute highly sensitive information, or
making changes to critical systems. This would include, but is not limited to, administrative actions
to configure systems, or privileges to change other users’ access rights.
The following section provides guidance on important considerations for designing and
implementing privileged access control frameworks to manage privileged access.
Table 2 – Privileged Access guidance
Applicability: All classifications; [SLC] Sensitive: Legal or Commercial; [I3] Integrity 3;
[A3] Availability 3

- Responsible Parties should strictly control, monitor and audit the allocation and use of privileged
  access for positions of trust, such as roles with significant financial authority, access to sensitive
  information, or administrative privileges. The creation, assignment and removal of any privileged
  user access should consider authorisation by both the relevant Business Owner and the agency
  IT Security Adviser. (Reference: ISMF Standard 78)

- Business Owners should consider allowing the use of privileged accounts for authorised duties
  only. Such accounts should be isolated from non-administrative or potentially high-risk user
  activities, such as general Internet or email access, exchanging resources, links and files via
  untrusted messaging, or general unsecured file sharing. (Reference: ISMF Standard 78)

- Responsible Parties should minimise the provision and use of shareable accounts with elevated
  privileges. If required for exceptional circumstances or emergency purposes, such as emergency
  fixes, business continuity or disaster recovery actions, the account activities should be subject to
  additional privileged access management controls that are invoked upon their use. Examples
  include case-by-case usage authorisation, real-time monitoring, and segregated and secured
  audit logging. (Reference: ISMF Standard 78)

- Responsible Parties should maintain and regularly review a register of all privileged users and
  access authorisations to agency information assets, including any suppliers, temporary, contract
  or other third-party personnel. (Reference: ISMF Standard 78)

- Responsible Parties should incorporate the core principles of ‘least privilege’ and ‘need to know’
  into any privileged access provisions that relate to information and systems with elevated
  confidentiality, integrity or availability levels. (Reference: ISMF Standard 78)
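The following Python script is an added worked example, not part of this guideline and not an ISMF-prescribed format. It shows how the Table 1 control of attributing shared-account activity to specific personnel and the Table 2 controls for shared privileged accounts (case-by-case usage authorisation, dual Business Owner and IT Security Adviser approval, segregated audit logging) can be checked mechanically by correlating privileged actions from log lines against a privileged-access register. The sudo-style log format, the register fields, the `EMERGENCY_AUTHORISATIONS` record layout and all account and person names are constructed assumptions.

```python
"""Correlate privileged actions in constructed log lines against a privileged-access register."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed register of privileged authorisations: which named person may use which
# privileged account, and who approved it ("itsa" = agency IT Security Adviser).
PRIVILEGED_REGISTER = {
    "alice": {"accounts": {"alice-adm"}, "approved_by": ("business_owner", "itsa")},
    "bob": {"accounts": {"bob-adm"}, "approved_by": ("business_owner",)},  # ITSA approval missing
}

# Shared emergency ("break glass") accounts: every use needs a case-by-case authorisation.
SHARED_ACCOUNTS = {"breakglass"}

# Constructed case-by-case authorisations for shared-account use (hypothetical record layout).
EMERGENCY_AUTHORISATIONS = [
    {"account": "breakglass", "person": "alice", "case": "INC-1001",
     "start": datetime(2014, 4, 1, 9, 0), "end": datetime(2014, 4, 1, 12, 0)},
]

# Constructed sudo-style log lines: "<timestamp> <host> sudo: <account> : COMMAND=<command>"
SAMPLE_LOG = """\
2014-04-01T09:15:00 srv1 sudo: alice-adm : COMMAND=/usr/sbin/useradd contractor7
2014-04-01T09:40:00 srv1 sudo: breakglass : COMMAND=/bin/systemctl restart payroll
2014-04-01T13:05:00 srv1 sudo: breakglass : COMMAND=/bin/cat /srv/payroll/export.csv
2014-04-01T14:00:00 srv2 sudo: bob-adm : COMMAND=/usr/sbin/usermod -aG wheel bob
2014-04-01T15:30:00 srv2 sudo: carol : COMMAND=/usr/bin/passwd dave
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sudo: (?P<account>\S+) : COMMAND=(?P<cmd>.*)$")


@dataclass
class Finding:
    ts: str
    account: str
    kind: str                     # classification of the event for the reviewer
    attributed_to: Optional[str]  # named person the action is attributed to, if known
    detail: str


def parse_log(text):
    """Yield one dict per log line that matches the assumed sudo format; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def attribute_shared_use(account, ts):
    """Map a shared-account action to the person holding a current case-by-case authorisation."""
    t = datetime.fromisoformat(ts)
    for auth in EMERGENCY_AUTHORISATIONS:
        if auth["account"] == account and auth["start"] <= t <= auth["end"]:
            return auth["person"], auth["case"]
    return None


def correlate(log_text, register=PRIVILEGED_REGISTER, shared_accounts=SHARED_ACCOUNTS):
    """Return one Finding per privileged action that needs reviewer attention or attribution."""
    account_owner = {acct: person for person, rec in register.items() for acct in rec["accounts"]}
    findings = []
    for ev in parse_log(log_text):
        acct = ev["account"]
        if acct in shared_accounts:
            who = attribute_shared_use(acct, ev["ts"])
            if who is None:
                # Shared account used outside any authorised window: cannot be attributed.
                findings.append(Finding(ev["ts"], acct, "shared_account_unattributed", None, ev["cmd"]))
            else:
                findings.append(Finding(ev["ts"], acct, "shared_account_attributed", who[0], who[1]))
        elif acct in account_owner:
            person = account_owner[acct]
            if "itsa" not in register[person]["approved_by"]:
                # Registered, but the dual authorisation (Business Owner + ITSA) is incomplete.
                findings.append(Finding(ev["ts"], acct, "incomplete_authorisation", person,
                                        "no IT Security Adviser approval on record"))
        else:
            # Privileged action by an account with no register entry at all.
            findings.append(Finding(ev["ts"], acct, "unregistered_privileged_use", None, ev["cmd"]))
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f"{f.ts} {f.account:<11} {f.kind:<30} {f.attributed_to or '-':<6} {f.detail}")
```

In practice the register and authorisation records would come from the agency's access register rather than inline constants, and the log source would be the segregated audit log the guidance calls for; the point of the example is that every privileged action ends up either attributed to a named, authorised person or raised as a finding.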
ACCESS PASSWORD MANAGEMENT
The use of passwords is one of the most common methods for user authentication. Clearly
specifying and implementing sound password management policies and procedures is a critical
access control for establishing and maintaining a first line of defence.
The following section aims to provide a set of guidelines and practices for adequate password
control, handling and management.
Table 3 - Access Password Management guidance

Applicability: All classifications

- Business Owners should formally document policies for account and device password selection
  and management, and require users to formally acknowledge such policies (e.g. as part of their
  employment terms and conditions). (Reference: ISMF Standard 79)

- Responsible Parties should establish a policy to not use the same credentials for business and
  non-business access authorisations. (Reference: ISMF Standard 79)

- Responsible Parties should implement appropriate procedures and controls to ensure that default
  or initial passwords for endpoint devices or user accounts are changed prior to or upon first use.
  (Reference: ISMF Standard 79)

Applicability: Sensitive or above

- Responsible Parties should consider the use of multi-factor authentication to achieve strong
  identification and authentication mechanisms in addition to passwords. Considerations may
  include the use of:
  - extended passphrases
  - identity passports, physical tokens or smartcards
  - biometric identifiers such as fingerprint, voice or face geometry recognition.
  (References: ISMF Standard 79, ISMF Standard 81)
ACCESS PRIVILEGE REVIEWS
The objective of reviewing user-accounts and their access privileges is to verify that correct access
rights are assigned in line with the organisation’s access control policies and procedures, business
objectives and security principles. An access privilege review can identify areas in which assigned
access rights are not aligned with user roles, and lead to subsequent revocation of incorrect
privileges. It also facilitates detecting anomalous or unauthorised access to information or
resources to initiate the realignment of authorised access rights.
This section provides guidance on important considerations for undertaking access privilege
reviews.
Table 4 - Access Privilege Review guidance

Applicability: All classifications

- Responsible Parties should specify and implement procedures that require reviews of user and
  account access privileges at regular intervals (e.g. every 6 months), or upon significant changes to
  the user’s role or circumstances (e.g. change of position, change of work assignments, or
  cessation of employment). (Reference: ISMF Standard 80)

- Responsible Parties should take into account conflict of interest considerations for the review of
  access rights and privileges, and may consider commissioning reviews through independent
  parties, such as third-party assurance providers. (Reference: ISMF Standard 80)
  (Further information on carrying out reviews, including the commissioning of independent
  reviews, is available in ISMF Guideline 39 – Regular, periodic and independent reviews.)

Applicability: Sensitive; [I3] Integrity 3; [A3] Availability 3

- Responsible Parties should review privileged access accounts quarterly. The reviews should
  include accounts with access to sensitive information, security-relevant system and service
  configuration privileges, or authorisations for business continuity and disaster recovery duties.
  (Reference: ISMF Standard 80)

- Responsible Parties should consider implementing automated logging, filtering and correlation of
  privileged access and actions to support the detection of unauthorised access to sensitive
  information and critical systems in the context of general system event monitoring and review
  activities. (Reference: ISMF Standard 80)
  (Further information on carrying out security-relevant event logging, including logging of access
  to information and associated assets, is available in ISMF Guideline 23 – Logging and
  monitoring.)
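As an added worked example (not part of this guideline, and not an ISMF-prescribed procedure), the Python script below mechanises the Table 4 review triggers over the kind of register Table 1 asks agencies to maintain: it revokes entitlements whose holder has left or changed role, flags entries overdue for re-review using the 6-monthly interval for all classifications and a quarterly interval for privileged accounts, and reconciles the register against a dump of the accounts actually present on each system. The HR feed, register layout, account dump, interval lengths and all names are constructed assumptions.

```python
"""Periodic access privilege review over a constructed access register, HR feed and account dump."""
from datetime import date, timedelta

# Constructed HR feed: employment status and current role per person.
HR = {
    "alice": {"status": "active", "role": "sysadmin"},
    "bob": {"status": "active", "role": "finance_officer"},  # moved out of the sysadmin role
    "carol": {"status": "left", "role": "payroll_clerk"},   # cessation of employment
    "dave": {"status": "active", "role": "contractor"},
}

# Constructed register of access authorisations: one entry per user, system and entitlement,
# with the role it was approved for and the date it was last reviewed.
REGISTER = [
    {"user": "alice", "system": "payroll", "entitlement": "admin", "privileged": True,
     "approved_role": "sysadmin", "last_reviewed": date(2014, 2, 1)},
    {"user": "bob", "system": "payroll", "entitlement": "admin", "privileged": True,
     "approved_role": "sysadmin", "last_reviewed": date(2014, 1, 15)},
    {"user": "carol", "system": "payroll", "entitlement": "read", "privileged": False,
     "approved_role": "payroll_clerk", "last_reviewed": date(2013, 12, 1)},
    {"user": "dave", "system": "crm", "entitlement": "read", "privileged": False,
     "approved_role": "contractor", "last_reviewed": date(2013, 9, 1)},
]

# Constructed dump of the accounts actually present on each system (account -> entitlement).
ACTUAL_ACCOUNTS = {
    "payroll": {"alice": "admin", "bob": "admin", "carol": "read", "svc_backup": "admin"},
    "crm": {"dave": "read"},
}


def review_access(register, hr, today,
                  standard_interval=timedelta(days=182),   # about 6 months, all classifications
                  privileged_interval=timedelta(days=91)):  # about quarterly, privileged accounts
    """Return (revoke, due): entries whose basis has lapsed, and entries overdue for re-review."""
    revoke, due = [], []
    for entry in register:
        person = hr.get(entry["user"])
        if person is None or person["status"] != "active":
            revoke.append((entry, "user no longer active"))
            continue
        if person["role"] != entry["approved_role"]:
            # A significant change of role or circumstances triggers review of the authorisation.
            revoke.append((entry, f"role changed {entry['approved_role']} -> {person['role']}"))
            continue
        interval = privileged_interval if entry["privileged"] else standard_interval
        if today - entry["last_reviewed"] > interval:
            due.append((entry, f"last reviewed {entry['last_reviewed']}, limit {interval.days} days"))
    return revoke, due


def find_unregistered(actual, register):
    """Accounts present on a system with no register entry, or with a different entitlement."""
    registered = {(e["system"], e["user"]): e["entitlement"] for e in register}
    return sorted((system, acct, ent)
                  for system, accounts in actual.items()
                  for acct, ent in accounts.items()
                  if registered.get((system, acct)) != ent)


if __name__ == "__main__":
    revoke, due = review_access(REGISTER, HR, date(2014, 4, 30))
    for entry, reason in revoke:
        print("REVOKE", entry["user"], entry["system"], entry["entitlement"], "-", reason)
    for entry, reason in due:
        print("DUE   ", entry["user"], entry["system"], entry["entitlement"], "-", reason)
    for system, acct, ent in find_unregistered(ACTUAL_ACCOUNTS, REGISTER):
        print("UNREGISTERED", system, acct, ent)
```

The reconciliation step is what catches the case the register alone cannot: an account (here the constructed `svc_backup`) that exists on the system without any authorisation on record. The review date and the two intervals are parameters so the same routine can be run on the agency's own schedule.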
ADDITIONAL CONSIDERATIONS
- Personnel accessing official information and other information assets away from the office
  environment must treat their access with at least the same level of care and discretion as if
  working in their usual working environment. Particular care should be taken when accessing
  information from public locations (see ISMF Standard 68).

- The management of information access should be supported by the development and
  maintenance of procedures and practices that are tied to business performance. These should
  consider factors such as: risk, cost, control, ICT governance, compliance and business
  performance objectives as established by the business.

- Information access management may also identify any 'silos' of information. Access to
  information may be unintentionally restricted to a role subset within the organisation, yet the
  same information has wider uses within an agency, or could be applied to the benefit of the
  broader organisation, partners and the community. This can support the SA Government’s
  principle of open government data using responsible information sharing standards.

- Further information on this topic is available from The Trusted Information Sharing Network for
  Critical Infrastructure Resilience (TISN) and the US National Institute of Standards and
  Technology (NIST).
This guideline does not aim to provide the reader with all of the responsibilities and obligations
associated with user access to information and associated systems and services. It is merely an
overview of the information provided in applicable government cyber security policy, applicable
governance frameworks and the resources and utilities available at the time of publication. It is
highly recommended that agencies review these documents in their entirety. The individual
requirements of agencies will have direct bearing on what measures are implemented to mitigate
identified risk(s).
REFERENCES, LINKS & ADDITIONAL INFORMATION
- OCIO/F4.1 Government of South Australia Information Security Management Framework [ISMF]
- PC030 Government of South Australia Protective Security Management Framework [PSMF]
- Assessment of Access Control Systems, National Institute of Standards and Technology (NIST)
- Defence in Depth: User Access Management, The Trusted Information Sharing Network for
  Critical Infrastructure Resilience (TISN)
ID: OCIO_G 4.25
Classification/DLM: PUBLIC-I1-A1
Issued: April 2014
Authority: State Chief Information Security Officer
Master document location: Q:\SecurityRiskAssurance\Policy Development Sub-program\Policy and
Standards\ISMF\v3.2\ISMFguidelines\ISMFguideline25(user_access).docx
Records management: File Folder: 2011/15123/01 - Document number: 8360284
Managed & maintained by: Office of the Chief Information Officer
Author(s): Christian Bertram CEA, MSIT, Enterprise Architect
Reviewer(s): Tony Stevens, Senior Analyst; Jason Caley CISM, MACS (CP), IP3P, CRISC, CEA,
Principal Policy Adviser
Compliance: Discretionary
Next review date: June 2016

To attribute this material, cite the Office of the Chief Information Officer, Government of South
Australia, ISMF Guideline 25.
This work is licensed under a Creative Commons Attribution 3.0 Australia Licence.
Copyright © South Australian Government, 2014.