RSASecurity Best Practices Framework › wp-content › uploads › ... · Develop, document, and enforce an information security policy that provides management direction, support,

ADDRESSING SARBANES-OXLEY COMPLIANCEWITH IDENTITY & ACCESS MANAGEMENT

As the number of regulations mandating the protection of informationcontinues to grow, companies and government agencies must figure out howto streamline their compliance efforts. Contrary to a tactical approach, whichtries to meet the requirements of each regulation separately, a strategicapproach looks at compliance holistically, and combines efforts across all of thevarious regulations - SOX, PCI, HIPAA, GLB, SB 1386, etc. By developing andimplementing a comprehensive set of best practices that will meet therequirements of multiple regulations, the information security organizationcan deliver tremendous operational efficiencies to the business. The benefits ofa strategic approach go way beyond compliance. With the right informationsecurity controls in place, companies and government agencies can make themost of their Internet investments and do even more online.

RSA Security® Best Practices FrameworkBuilding a strategic approach to compliance

WHITE PA P E R

THE IMPORTANCE OF BEST PRACTICES

Instead of being prescriptive, most regulations providehigh-level requirements and expect organizations toimplement “reasonable and appropriate measures” toprotect information - in other words, informationsecurity best practices. To establish a set of bestpractices, organizations are advised by legislators,regulators and industry to use control frameworksand/or standards as guidance. The most cited standardsinclude the International Standards Organization Codeof Best Practices in Information Security (ISO 17799), theNational Institute of Science and Technology SpecialPublications Series 800 (NIST 800), the Federal FinancialInstitutions Examination Council IT Handbook onInformation Security (FFIEC) and the Control Objectivesfor Information Technology (COBIT).

COMMON THREADS ACROSS REGULAT I O N S

A strategic approach to compliance involves looking forcommon threads across regulatory requirements. Mostregulations that mandate the protection of information,whether they are governance, privacy, or criticalinfrastructure regulations, all share common fundamentalrequirements to verify identities, allow only authorized

1

RSA SECURITY BEST PRACTICES FRAMEWORK

RSA Security Inc.

access to information, and provide reliable audit reports.These common elements include risk management,authentication, access control, data protection and loggingand reporting - the essence of identity and accessmanagement (I&AM). From an information securityperspective, many organizations are focusing on I&AM inorder to meet these central requirements of the regulations.

L AYERS OF PROTECTION IN IDENTITY AND ACCESS MANAGEMENT ( I&AM)

To help organizations take a strategic approach tocompliance, RSA Security has developed the RSA SecurityBest Practices Framework. It was designed specifically withregulatory compliance in mind and was derived byextracting the key I&AM-related controls from ISO 17799,NIST 800-53, FFIEC, and COBIT. The controls were thenbrought up to date with insights from the SANS Institute,industry analysts, and RSA Security's experience workingwith over 20,000 customers worldwide. This exclusive set ofsome 60 best practices is organized in a framework called“Layers of Protection in Identity and Access Management(I&AM)” that consists of five main categories, as illustratedin Table 1.

BEST PRACTICES CAT E G O RY SUBCAT E G O RY

L AYERS OF PROTECTION IN IDENTITY AND ACCESS MANAGEMENT (I&AM)

RISK MANAGEMENT

A U T H E N T I C AT I O N

ACCESS CONTROL

D ATA PROTECTION

LOGGING AND REPORT I N G

P o l i c y

P r o c e s s

Pol icy & P r o c e s s

Authentication Methods

Log-on Procedures

Pol icy & Process

User & Account Management

Rights Management & Enforcement

Pol icy & Process

Encrypt ion & Data Integr ity

Appl ication Development

Pol icy & Process

Data Col lect ion & Review

TABLE 1: The RSA Security Best Practices Framework, “Layers of Protection in I&AM,” is organized into five main categories.

2


RSA Security Inc.

S U M M A RY OF THE FRAMEWORK

I. Risk Management: Best practices for developing aformalized process to identify measure, manage, andcontrol the risks to information. These best practicesinclude assessing risk, setting policy, developing a plan, andimplementing and evaluating controls.

II. Authentication: Best practices pertaining to verifying theidentity of an entity (person, device or application) basedon the presentation of unique credentials to the system.Examples of authentication methods are passwords, tokens,and certificates. Authentication that relies on more than oneform of credential to identify a user is called multi-factorauthentication and is generally stronger than any single-factor authentication method. These best practices also covercontrols used to ensure secure log-on to applications or systems.

III. Access Control: Best practices related to managing usersand their access rights and allowing only authorized users toaccess resources. These best practices also cover developingand enforcing policy regarding what users can access andwhich specific actions are allowed based on business rules.

IV. Data Protection: Best practices that involve the use ofcryptographic mechanisms to control access to data andprotect data confidentiality and integrity. These bestpractices also cover technical measures for non-repudiation(so users cannot disavow their actions) and for detectingaccess and modifications to data.

V. Logging and Reporting: Best practices concerning thecollection and presentation of logs from variousapplications and systems, which are used to monitor useractivity, administrator actions, and security events andprovide evidence of conformance to policy.

USING THE FRAMEWORK

Organizations can use the RSA Security Best PracticesFramework as a starting point to establish their own set ofinformation security best practices. As with any controlframework or standard, it is intended to be tailored to anindividual organization and their particular environment,objectives, and industry. In some cases, an organization willhave already established their own set of best practices andmay find that the RSA Security framework easily maps totheir own framework. In this case, it can be used toaugment or validate their best practices. Whatever stage anorganization is at, most will find the RSA Best PracticesFramework to be a valuable reference set of controls andan excellent “checklist” that can help to identify keycompetency gaps.

R E G U L AT O RY LANDSCAPE

This best practices framework was designed to helpcomply with regulations that mandate the protectionof information such as:

US - SARBANES-OXLEY ACT (SOX)

UK - TURNBULL GUIDANCE

NORTH AMERICA - NORTH AMERICAN ELECTRICRELIABILITY COUNCIL CYBER SECURITY STANDARDS(NERC)

US - FEDERAL INFORMATION SECURITYMANAGEMENT ACT (FISMA)

US - TITLE 21 OF THE CODE FEDERAL REGULATIONSPART 11 (21 CFR PART 11)

EU - GOOD MANUFACTURING PRACTICES ANNEX 11(ANNEX 11)

US - GRAMM-LEACH-BLILEY (GLB)

US - HEALTH INSURANCE PORTABILITY ANDACCOUNTABILITY ACT (HIPAA)

EU - DATA PROTECTION DIRECTIVE (DPD)

JAPAN - PERSONAL INFORMATION PROTECTION ACT(PIPA)

CALIFORNIA - ASSEMBLY BILL 1950 (AB 1950)

AUSTRALIA - FEDERAL PRIVACY ACT (FPA)

CANADA - PERSONAL INFORMATION PROTECTIONAND ELECTRONIC DOCUMENTS ACT (PIPEDA)

CALIFORNIA - INFORMATION PRACTICE ACT ORSENATE BILL 1386 (SB 1386) AND OTHER STATENOTIFICATION LAWS

GLOBAL - PAYMENT CARD INDUSTRY DATA SECURITYSTANDARD (PCI)

3RSA Security Inc.

R S A SECURITY BEST PRACTICES FRAMEWORK

BEST P R A C T I C E BEST PRACTICE DESCRIPTIONB P #

R S A SECURITY BEST PRACTICES FRAMEWORK: LAYERS OF PROTECTION IN I&AM

RISK MANAGEMENT

P o l i c y R M1

Develop aC o m p r e h e n s i v eI n f o r m a t i o nSecurity Policy

R M2

Classify Databy Sensitivityand Criticality

Develop, document, and enforce an informationsecurity policy that provides managementdirection, support, and objectives for theinformation security program. The policy shouldcover the organization's commitment andapproach to information security, the scope,goals, principles, and requirements, the rolesand responsibilities, and the consequences ofviolations such as sanctions. Supporting policiesinclude: data classification, authentication policy(including password policy), access control policy(including access rights based on least privilege),acceptable use policy (AUP), data protectionpolicy, logging and reporting policy, andbusiness continuity. Information security policiesshould be approved by management, regularlyreviewed and updated, and clearlycommunicated to all employees.

• ISO 17799

• NIST 800-53

• FFIEC

• COBIT

• Industry A n a l y s t s

• RSA Pro S e r v i c e s

• NERC

• FISMA

• 21 CFR Part 11

• GLB

• HIPA A

• PCI

Classify data according to sensitivity andcriticality in order to ensure information assetsreceive an appropriate level of protection. Someinformation types may be strictly confidentialand/or essential to the operations of thebusiness and therefore require higher levels ofprotection. Examples include employee orcustomer non-public personal information suchas financial (credit card and bank accountnumbers) and healthcare data, as well asproprietary information such as financialstatements or intellectual property.Classifications should be established based onthe potential impact of a loss of confidentiality,integrity, or availability for that informationtype, and on business needs for sharing orrestricting information. Defining theclassification for an item of information andperiodically reviewing that classification shouldbe the responsibility of the originator ordesignated owner. In accordance with theclassification scheme, an appropriate set ofprocedures for information labeling andhandling should be developed. As well, dataclassification should be referenced in otherpolicies (such as authentication, access controland data protection policies) and appliedconsistently across different systems andapplications.

• ISO 17799

• NIST 800-53

• COBIT

• SANS


• NERC

• FISMA

REGULATIONS WITH SPECIFIC REQUIRE-

MENTS IN THIS AREA*S U B -

C AT E G O RY

* In general, regulations do not mention specific requirements but rather expect organizations to implement best practices. In some cases, regulations will get specific about certain aspects.

S O U R C E S

4


RSA Security Inc.



RISK MANAGEMENT - c o n t i n u e d

P r o c e s s R M3

Implement aStructured R i s kM a n a g e m e n tP r o g r a m

R M4

ImplementIntegrated RiskAssessment

Implement a structured information security riskmanagement program that is a formalizedprocess designed to identify, measure, manage,and control the risks to information availability,integrity, and confidentiality, and to ensureaccountability for actions. The program shoulduse a multidisciplinary approach based on asufficient level of expertise and up-to-datepractices, should be integrated into an overallenterprise risk management program, andshould be thoroughly documented. The elementsof the program include a risk assessment, dataclassification, a security policy and plan, theimplementation and testing of controls, ongoingmonitoring and evaluation, and regular reviewby senior management. Specific and carefulconsideration should be given to managing therisks involved in information being accessed,processed, communicated to, or managed byexternal parties. Agreements for the securehandling of information by external parties suchas service providers and other partners should beestablished.

• ISO 17799

• NIST 800-53

• COBIT

• SANS



• SOX

• NERC

• FISMA

• 21 CFR Part 11

• GLB

• HIPA A

• PCI

Implement and document a risk assessmentprogram that systematically estimates themagnitude of risks (risk analysis) and thencompares the estimated risks against risk criteriaand management objectives to determine thesignificance of the risks (risk evaluation). Riskassessment should be integrated into the overallrisk management program, providing feedbackand guiding decision making and priorities.Analysis includes taking an inventory of allinformation assets, ascertaining threats,vulnerabilities, and potential attacks, anddetermining the probabilities of occurrence andpossible outcomes. Evaluation is based on theorganization's criteria for determiningacceptable levels of risk. A risk may be accepted,for example, if it is too low to significantly affectday-to-day business operations, or if the cost ofcontrols outweighs potential losses. Riskassessment should be performed periodicallyand as external and internal environmentschange.

• ISO 17799

• NIST 800-53

• F F I E C

• COBIT

• SANS



• NERC

• FISMA

• GLB

• HIPA A

• PCI



C AT E G O RY


S O U R C E S

5


RSA Security Inc.



RISK MANAGEMENT - c o n t i n u e d

Process -c o n t i n u e d

R M5

Develop aDetailedInformationSecurity Plan

R M6

ImplementAppropriateInformationSecurityControls

Develop, document, and implement a detailed planfor the information security program that delineatesthe steps involved in assessing risk, developingpolicy and procedures, evaluating and deployingt e c h n o l o g y, and training users. The plan shouldput in place layered controls in identity and accessmanagement that establish multiple control pointsbetween threats and the organization's assets.

• ISO 17799

• NIST 800-53

• F F I E C

• COBIT


• NERC

• FISMA

• GLB

• HIPA A

• PCI

Implement information security controlsappropriate to risk level, including: the acquisition,implementation, and operation of technology,the assignment of duties and responsibilities tomanagers, employees, and other users, andassurance that management and staffunderstand their responsibilities and have theknowledge, skills, and motivation necessary.

• ISO 17799

• NIST 800-53

• F F I E C

• COBIT


• NERC• FISMA• 21 CFR Part 11• Annex 11• GLB• HIPA A• PCI



C AT E G O RY


S O U R C E S

R M7

Test & VerifyInformationSecurityControls

Test information security controls usingformalized, repeatable testing methodologies toassure risk is appropriately assessed andmitigated, and verify that controls are effectiveand performing as intended.

• ISO 17799

• NIST 800-53

• F F I E C

• COBIT


• NERC• FISMA• 21 CFR Part 11• GLB• HIPA A• PCI

R M8

Monitor &EvaluateControls on anOngoing Basis

Perform ongoing monitoring and evaluation of theorganization's controls and that of the external partiesthat access, process, exchange, or manage theorganization's information system. This should includecontinuously gathering and analyzing informationregarding new threats and vulnerabilities, actualattacks on the institution or others, and thee ffectiveness of the existing security controls, andusing this information to update the risk managementprogram. Business partner agreements should containa “right to audit” clause so that the organization canevaluate external parties' controls.

• ISO 17799

• NIST 800-53

• F F I E C

• COBIT


• NERC

• FISMA

• 21 CFR Part 11

• GLB

• HIPA A

• PCI

R M9

SeparateSecurityAdministrationDuties

Separate duties for security administration byestablishing appropriate divisions of responsibility inorder to eliminate conflicts of interest and to reducethe risk of negligent or deliberate system misuse. Forexample, personnel who request access to informationshould not be able to grant, authorize, or administeraccess to that information. Personnel who administerauthentication or access control systems should not beable to administer audit functions.

• ISO 17799

• NIST 800-53

• COBIT



N / A

6


RSA Security Inc.





Policy &Process

AU 1

Develop aComprehensiveAuthenticationPolicy

AU 2

ImplementAppropriateAuthenticationTechniques

Develop and document a comprehensiveauthentication policy that dictates the use ofmechanisms to validate user identity per systemand/or application. All authentication techniquesused should be governed by policy (e.g., passwordpolicy, remote access policy, Certificate Policy).

• ISO 17799

• NIST 800-53

• FFIEC

• COBIT


• NERC

• PCI

Implement authentication techniquesappropriate to risk level to ensure onlyauthorized users with validated identities gainaccess to resources (e.g., network, operatingsystem or application). Consider that thestrength of an authentication method is basedon the number of factors it uses in verifying theuser's identity. The three factors used to verifyidentities are: something the user knows (e.g.,password or PIN), something the user has (e.g., atoken or smart card) and something the user is(e.g., biometric data such as fingerprint or Irisscan). Authentication is based on a single factoror multiple factors. Combining factors increasesthe strength of the authentication.

• ISO 17799

• NIST 800-53

• FFIEC

• COBIT


• NERC

• 21 CFR Part 11

• HIPA A

• PCI

AU 3

KeepAuthenticationMechanismsEffective

Keep authentication mechanisms effective byensuring passwords are changed regularly whereappropriate, promptly reporting and cancelinglost or stolen authenticators and preventingsystem access by invalid credentials.

• ISO 17799

• NIST 800-53

• FFIEC

• COBIT


• NERC

• 21 CFR Part 11

• PCI

AU 4

ProtectStorage &Transmission ofAuthenticationInformation

Safeguard the authentication server and securethe storage and transmission of authenticationinformation such as passwords, PINs, certificates,etc. (i.e. do not store or transmit plain textcredentials)

• ISO 17799

• NIST 800-53

• FFIEC

• COBIT


• HIPA A

• PCI



C AT E G O RY


S O U R C E S

7


RSA Security Inc.



A U T H E N T I C ATION - c o n t i n u e d

Policy &Process -c o n t i n u e d

Authenti-cationMethods

AU 5

C o n t r o lA u t h e n t i c a t i o nfor Access toExternal Systems

AU 6

MaintainBusinessContinuity forAuthenticationServices

Control the authentication process for all useraccess, including not only access to internalsystems but also access to external systems(inter-organization). Avoid having externalorganizations such as outsourced serviceproviders or other business partners manageyour users' identity information. When externalorganizations manage your user's identityinformation, the risk of a privacy breach oridentity theft is increased, as is the chance thatthe identity information will be inaccurate oroutdated, possibility allowing unauthorizedaccess to the system by a terminated employee,for example.


N / A

Counteract interruptions to business activitiesand protect the availability and security ofinformation by ensuring that in the event of adisaster or computer failure, authenticationservices can be restored in a timely manner.

• ISO 17799

• NIST 800-53

• FFIEC

• COBIT


These regulations men-tion general requirementsfor business continuity/disaster recovery:

• NERC

• FISMA

• HIPA A

• PCI

AU 7

Develop &Enforce aStrongPasswordPolicy

Develop and enforce a password policymandating the use of strong passwords, definedas: not easily guessed, not listed in dictionaries,includes a combination of letters, numbers, andspecial characters with no consecutiveduplicates, does not contain all numeric or allalphabetical characters, an is of a lengthappropriate to the risk level. (Currentrecommendations for password length are 8characters since attacks can easily revealpasswords less than 8 characters in length, andwith increased computing power, recommendedlength continues to get longer.) The policyshould require passwords be kept confidential,not be shared or written down, and be changedat regular intervals (current recommendationsare every 30 days for sensitive systems and 90days for others). Temporary passwords should bechanged immediately upon issuance.

• ISO 17799

• NIST 800-53

• FFIEC

• SANS


• COBIT


• NERC

• FISMA

• 21 CFR Part 11

• PCI



C AT E G O RY


S O U R C E S

8


RSA Security Inc.





Authenti-cationMethods -c o n t i n u e d

AU 8

Use anAutomatedSystem toManagePasswords

AU 9

ProtectAgainst SocialEngineeringAttacks

Use an automated system to manage passwordsthat provides an interactive method of enforcinguser selection of strong passwords (as defined bypolicy), facilitates required and/or periodicpassword changes, enables password resetswhen users forget their passwords, and preventsthe re-use of passwords. The system shouldmaintain and check a record of previously-usedpasswords (current recommendations are tocheck the previous 12 month time period).

• ISO 17799



These regulations have requirements forpassword manage-ment (not necessarily automated):

• 21 CFR Part 11

• HIPA A

• PCI

Protect against attacks meant to discoverpasswords through social engineering byimplementing and enforcing controls such asstrong passwords and/or multi-factorauthentication in combination withcomprehensive user training.

• ISO 17799

• FFIEC



N / A

AU 1 0

Use Multi-factorAuthenticationwhen StrongPasswords Fail

Use multi-factor authentication when a strongpassword policy actually results in weakenedsecurity; for example, when users must writepasswords down so they don't forget them(easily forgotten passwords also jeopardizes thetimely availability of information for authorizedusers). Password systems must balance thepassword strength with the user's ability tomaintain the password as a shared secret. Whenpasswords are too complex to remember, adifferent authentication mechanism should beused. Consider adding a multi-factorauthentication mechanism to the legacy systemsand applications for which the native loginprocedure cannot be configured in accordancewith a strong password policy.

• FFIEC



N / A



C AT E G O RY


S O U R C E S

9


RSA Security Inc.




Authenti-cationMethods -c o n t i n u e d

AU 1 1

Use Multi-factorAuthenticationfor RemoteAccess

AU 1 2

Use Multi-factorA u t h e n t i c a t i o nfor Access toW i r e l e s sN e t w o r k s

Use multi-factor authentication for all remoteaccess to systems or applications, especiallywhen using public networks, whether over theweb, via a portal, through remote-access servers(RAS) or VPNs, etc. In the case of remote access,users are connecting from locations (andpossibly devices) outside of the organization'scontrol, which represents a higher risk. Forexample, there are no physical safeguards toverify that the user is authorized, such asrequiring the user to have a building access cardin order to enter the corporate facilities andgain access to the workstation. Requiring theuser to provide multiple factors when accessingsystems remotely is a higher assurance methodof verifying their identity that is commensuratewith the higher risk.

• ISO 17799

• NIST 800-53

• FFIEC



• NERC

• 21 CFR Part 11

• PCI

Use Multi-factor Authentication to ControlAccess to Wireless Networks. Additionalauthentication controls are needed for wirelessnetworks due to the greater opportunities forundetected interception and insertion ofnetwork traffic.

• ISO 17799


• NERC

• 21 CFR Part 11

• PCI

AU 1 3

Use RobustAuthenticationTechniques forSingle Sign-On

Use multi-factor authentication or ensure the useof strong passwords for single sign-on (SSO)environments that provide access to multipleapplications or systems containing confidential orcritical data. For SSO, where feasible, multi-factorauthentication is recommended.

• ISO 17799

• FFIEC



N / A

AU 1 4

Use Multi-factorAuthenticationfor SystemAdministrators

Use multi-factor authentication for systemadministrators accessing administrative functionswhere possible. Verify the identity ofadministrators who have extensive access rightswith a high degree of assurance.



N / A



C AT E G O RY


S O U R C E S

Log-onProcedures

AU 1 5

ImplementSecure SingleSign-On Systems

Implement single sign-on (SSO) systems wherefeasible so users do not have to remembermultiple passwords or possess multipleauthentication mechanisms. Make sure theauthentication method used is of appropriatestrength to account for the “keys to thekingdom” issue.

• ISO 17799

• FFIEC

• SANS



N / A

10


RSA Security Inc.





AU 1 6

ControlDisplay ofInformationDuring Log-on

Control the display of information throughoutthe log-on process, including displaying ageneral notice warning that the system shouldonly be accessed by authorized users. Do notprovide help messages during the log-onprocedure that would aid an unauthorized user,do not display system or application identifiersuntil after a successful logon, and do notvalidate the log-on information until all inputdata is complete. If passwords or codes are usedfor authentication, do not display the charactersas they are entered. Upon completion of asuccessful log-on, the system should display thedate and time of the previous successful log-onas well as the details of any unsuccessful log-onattempts since the last successful log-on.

• ISO 17799

• NIST 800-53


• NERC

AU 1 7

Terminate Log-on ProcedureafterUnsuccessfulAttempts

Terminate the log-on procedure after anappropriate number of unsuccessful log-onattempts as defined in the authentication policy(current recommendations are three). Anyfurther attempts to logon should be rejectedunless specific authorization is obtained. Whenthe maximum number of logon attempts isreached, an alarm message should be sent to thesystem administrator. The log-on procedureshould have a minimum and maximum timeallowed. If exceeded, the system shouldterminate the log-on.

• ISO 17799

• NIST 800-53

• FFIEC


• PCI



C AT E G O RY


S O U R C E S

Log-onP r o c e d u r e s -c o n t i n u e d

AU 1 8

ImplementSession Time-Out AfterInactivity

AU 1 9

Set upE m e r g e n c yA c c e s sP r o c e d u r e s

Implement session time-out such that after aperiod of inactivity the network and/orapplication session is closed down (or at aminimum, the screen is cleared) and the user isrequired to re-authenticate. Time-out guardsagainst attacks that use an unattended logged-in workstation to gain unauthorized access. Thetime-out delay should reflect the security risks ofthe physical area, the applications, and thesensitivity of information.

• ISO 17799

• NIST 800-53

• FFIEC


• 21 CFR Part 11

• HIPA A

• PCI

Set up emergency access procedures to providetimely access to resources when users forgettheir passwords or are not in possession of theirauthenticators. Use a technique that canconfirm the user's identity with a high level ofassurance. Automated mechanisms should beused to facilitate emergency access.


• HIPA A

11


RSA Security Inc.



ACCESS CONTROL

Policy &P r o c e s s

A C1

Develop aComprehensiveAccess ControlPolicy

A C2

ImplementAppropriateAccessControls

Develop and document a comprehensive accesscontrol policy that identifies authorized users,describes their access rights and allowableactions as well as the approval process forgranting access rights. The policy should includean explanation of the formal procedures forcontrolling the management of user identitiesand allocation of access rights, should outlinethe roles and duties of administrators,managers, system or application owners, andusers, and should describe the workflow processinvolved. Based on business and securityrequirements, the access control policy should beregularly reviewed and updated.

• ISO 17799

• NIST 800-53

• FFIEC

• COBIT


• NERC

• HIPA A

• PCI

Implement, manage, and enforce access controlsappropriate to risk level that allow onlyauthorized user access to resources (e.g.,network, operating system, and application).

• ISO 17799

• NIST 800-53

• FFIEC

• COBIT


• NERC

• FISMA

• 21 CFR Part 11

• Annex 11

• GLB

• EU DPD

• Japan PIPA

• Australia FPA

• Canada PIPEDA

• HIPA A

• PCI

A C3

IntegrateAccess Controlwith EffectiveAuthentication

Integrate access control with effectiveauthentication to ensure only authorized userswhose identity has been validated with a highlevel of assurance, gain access to resources (e.g.network, operating system and application).

• ISO 17799

• FFIEC

• COBIT


N / A

A C4

Restrict Users'Knowledge ofUnauthorizedFunctions

Restrict users' knowledge of applicationfunctions for which they are not authorized toperform. The user interface should not displayfunctions that are not accessible to the user.Avoid using "grey-ed out" functions and insteadconfigure the display to show users only thefunctions for which they are authorized toperform.

• ISO 17799


N / A



C AT E G O RY


S O U R C E S

12


RSA Security Inc.




ACCESS CONTROL - c o n t i n u e d

User &AccountManage-ment

Policy &P r o c e s s -c o n t i n u e d

A C5

MaintainBusinessContinuity forAccess Control

A C6

AssignIndividualsUniqueCredentials

Counteract interruptions to business activitiesand protect the availability and security ofinformation by ensuring that, in the event of adisaster or computer failure, access controlservices can be restored in a timely manner.

• ISO 17799

• NIST 800-53

• FFIEC

• COBIT


These regulationsmention generalrequirements forbusiness c o n t i n u i t y / d i s a s t e rr e c o v e ry :

• NERC

• FISMA

• HIPA A

• PCI

Assign individual users and administratorsunique IDs and credentials for access toresources (e.g., network, operating system andapplications), in order to ensure that activitiescan be traced to individuals who are heldresponsible and accountable for their actions.Generally, the use of shared accounts should beavoided for all users, and all administratorsshould have individual accounts.

• ISO 17799

• NIST 800-53

• FFIEC


• NERC

• 21 CFR Part 11

• HIPA A

• PCI

A C7

Ensure Timely User LifecycleManagement

Actively manage access rights throughout allstages of the user lifecycle, including initial userregistration as well as the requesting, approving,issuing, adding, deleting, or modifying of accessrights and the deregistration of a user. Theaccess rights of all employees, contractors andother external parties should be promptlyremoved upon termination of their employment,contract or agreement, or should be adjustedupon change with the appropriate personnelnotified. Automated mechanisms should be usedto facilitate lifecycle management.

• ISO 17799

• NIST 800-53

• FFIEC

• COBIT

• Industry Analysts


• NERC

• 21 CFR Part 11

• HIPA A

• PCI

A C8

RemoveInactive orRedundantUser Accounts

Check for and remove any inactive or redundantuser accounts on a regular basis. Inactiveaccounts should be removed after anappropriate length of time. Currentrecommendations are after 30-60 days ofinactivity. Automated mechanisms should beused to ensure that redundant accounts are notissued and to facilitate the removal ofredundant accounts.

• ISO 17799

• NIST 800-53


• NERC

• PCI

A C9

Monitor Guest/AnonymousUser Accounts

Monitor use of guest/anonymous accounts.These accounts should expire after a set timeperiod. Automated mechanisms should be usedto facilitate the expiry of accounts.

• NIST 800-53


• NERC

• PCI



C AT E G O RY


S O U R C E S

13


RSA Security Inc.




RightsManage-ment &E n f o r c e m e n t

A C1 0

Grant RightsBased on LeastPrivilege andNeed to Know

A C1 1

UseAppropriateGranularity ofAccess Control

Grant access rights based on the principle ofleast privilege so that users are provided thelowest level of rights and privileges necessary toperform their work for the minimum timerequired. Rights should also be allocated basedon users' need to know, meaning the data mustbe necessary for the user to complete anassigned task. For example, a databaseadministrator may require access to a databasebut does not need to know all of theinformation in the database and thereforeshould not be granted access to everything.Ensure that on an ongoing basis a user's accessrights are set to the minimum required andreflect the user's current business needs.

• ISO 17799

• NIST 800-53

• FFIEC

• COBIT


• NERC

• H I PAA ( P r i v a cyS t a n d a r d )

• PCI

Select the granularity of access control based onthe confidentiality or criticality of information. Itshould be possible to protect data at the system,application, file, record, or field level, if required.

• ISO 17799

• FFIEC


N / A

A C1 2

ControlAllowableActions

Control allowable user actions, restricting notonly their ability to access a resource but toperform actions such as read, write, delete a file,and/or execute a function or transaction.

• ISO 17799

• FFIEC


N / A

A C1 3

AggregateAccess Rightsinto Groupsand Roles

Aggregate user access rights using groupprofiles or roles to ease administrative burdenand improve the security of managing accessrights. Users should be assigned to appropriategroups or roles. Group employees with similaraccess requirements under a common accessprofile so application owners and securityadministrators can better assign and overseeaccess rights. For example, an employeeperforming a two-week job rotation does notneed year-round access to perform both jobs.With group profiles, security administrators canquickly reassign the employee from one job tothe next.

• ISO 17799

• NIST 800-53

• FFIEC



N / A



C AT E G O RY


S O U R C E S

14


RSA Security Inc.





RightsManage-ment &E n f o r c e m e n t-c o n t i n u e d

A C1 4

EnforceSegregation ofDuties

A C1 5

Restrict SystemAdministratorPrivileges

Enforce segregation of duties through assignedaccess rights in order to prevent users fromhaving all of the necessary authority orinformation access to perform fraudulentactivity without collusion. Care should be takenthat no single person can perpetrate fraud inareas of single responsibility without beingdetected. One of the key areas is to separate theinitiation of an event from its approval; forexample, initiating a PO and approving a PO.For financial systems, it is important to separateaccess to assets from responsibility for maintainingthe accountability for those assets. Usingautomated access control and role-based accesscontrol systems can facilitate segregation of duties.

• ISO 17799

• NIST 800-53

• COBIT



• GLB• PCI

Restrict use of system administrator privilegesallowing configuration or override of accesscontrols to a limited number of authorizedadministrators with the appropriate screening,training, and business need.

• ISO 17799

• NIST 800-53

• FFIEC


• NERC

• PCI

A C1 6

Use Time-of-DayLimitations

Use time-of-day limitations where appropriateand feasible for applications containing sensitiveinformation or for more sensitive applicationfunctions. This could include monitoring the numberof times an account is accessed within a period oftime (e.g. outside regular hours) in order to ensureaccounts are not being inappropriately accessed.

• FFIEC


N / A

A C1 7

Implement anApprovalProcess forAccess Rights

Implement a formal approval process for assigningand updating access rights and maintain a recordof all access rights and privileges allocated andauthorized. All access or change requests, whetherinitiated by administrators or users or automaticallyby an information system (such as an HR system),should be subject to an approval process beforeaccess is granted. Any allocation of access rightsto external parties (such as suppliers, serviceproviders, contractors, etc.) should be especiallyscrutinized and subject to approvals. The processshould allow for delegated authority in caseswhere approving personnel are absent and shouldensure thorough logging of authorizations.Automated mechanisms for providing approvalshould be provided to support personnelincluding business line managers, supervisors, orapplication owners.

• ISO 17799

• NIST 800-53

• FFIEC

• COBIT



• NERC

• 21 CFR Part 11

• HIPA A

• PCI



C AT E G O RY


S O U R C E S

15


RSA Security Inc.




RightsManage-ment &E n f o r c e m e n t-c o n t i n u e d

A C1 8

ConductRegular Reviewsof Access Rights

A C1 9

MaintainConsistentManagement& Enforcementof AccessRights

Conduct a formal review of access rights grantedto each user on the system at regular intervals toensure access rights conform to policy, areconfigured accurately, and are kept current. Forthese reviews, the administrators and/or auditorsshould generate comprehensive reports on whohas access to what and should distribute theseto the business line managers, supervisors and/orapplication owners to receive their confirmationthat only authorized users have access. Reviewperiods of every 3 - 6 months are recommended.Automated mechanisms including reportgeneration tools should be used to facilitate thereview process.

• ISO 17799

• NIST 800-53

• FFIEC

• COBIT



• NERC

• HIPA A

• PCI

Maintain consistent processes for managingaccess rights and enforcing policy across allsystems and applications within theorganization. Centralize the management andenforcement of access rights as much as possibleto facilitate the use of consistent processes andhelp ensure access rights accuracy acrossmultiple systems or applications.

• ISO 17799

• NIST 800-53

• FFIEC

• COBIT



N / A



C AT E G O RY


S O U R C E S

16


RSA Security Inc.




D ATA PROTECTION

Policy &Process

D P1

Develop aComprehensiveData ProtectionPolicy

D P2

ImplementAppropriateDataProtection

Develop and document a comprehensive dataprotection policy indicating when cryptographicprotection is required for certain categories ofdata and setting the appropriate level ofprotection based on an organization's riskassessment and legislative and regulatoryrequirements. The policy should describe thespecific cryptographic techniques (i.e. encryptionand/or digital signatures) used to meetconfidentiality, integrity and/or non-repudiationrequirements. The policy should describe thetype, strength, and quality of encryptionalgorithm and cover key management andprotection.

• ISO 17799

• NIST 800-53

• FFIEC

• COBIT



• PCI

• California SB 1386(i.e. This and most ofthe other state laws,requiring notificationof individuals whentheir data is breached,provide an exemptionfor data that has beenencrypted.)

Use encryption for protecting data in transit orin storage commensurate with the risk level,sensitivity and criticality of data. It isrecommended that encryption should always beused for sensitive data in transit and forsensitive data in storage when other accesscontrols are not sufficient. As well, encryptionshould be used when data is subject to physicalloss or interception to control administratoraccess to data (such that the administrator canwork with files but not view the data) and tomeet specific regulatory, privacy, or legalobligations.

• ISO 17799

• NIST 800-53

• FFIEC



• 21 CFR Part 11

• GLB

• HIPA A

• PCI


D P3

Employ Secure KeyManagementProcedures

Use secure key management for symmetric andasymmetric cryptographic solutions, includinglogical and physical controls to safeguard thegeneration, distribution, and storage of keysand to protect the keys from loss, destruction,modification, or tampering. Keys should bedeactivated immediately upon compromise orwhen they are no longer needed. A key backupand recovery system should be used to facilitatekey recovery in case of loss, damage orcompromise and to provide for the long-termstorage and secure, timely retrieval of keys fordecrypting encrypted information if required.

• ISO 17799

• NIST 800-53

• FFIEC


• PCI



C AT E G O RY


S O U R C E S

17


RSA Security Inc.



D ATA PROTECTION - c o n t i n u e d

Policy &Process-c o n t i n u e d

Encryption& DataIntegrity

D P4

EmployStringent Root-Key ProtectionMeasures

D P5

MaintainBusinessContinuity forData ProtectionServices

Employ stringent measures to safeguard criticaldata protection keys, such as PKI root CA keys,through mechanisms such as tamper-resistantsecurity modules. Use strong protectionprocedures, such as dual control over privatesigning keys, as well as storing original andback-up keys on computers that do not connectwith an outside network.

• ISO 17799

• NIST 800-53

• FFIEC


N / A

Counteract interruptions to business activities andprotect the availability and security of informationby ensuring that in the event of a disaster orcomputer failure data protection services can berestored in a timely manner.

• ISO 17799

• NIST 800-53

• FFIEC

• COBIT



• NERC

• FISMA

• HIPA A

• PCI

D P6

Use Encryptionto Protect Datain Transit

Protect confidentiality of electroniccommunications with encryption when there isthe risk of unauthorized access especially whensensitive information is transmitted over a publicnetwork (e.g., the Internet, email or a websession). For example, systems transmittingnonpublic personal information such as names,addresses, credit card, and other financial andhealth information should use such protection.

• ISO 17799

• NIST 800-53

• FFIEC


• 21 CFR Part 11

• GLB

• HIPA A

• PCI


D P7

Use Encryptionto ProtectStored Data

Protect confidentiality of electronically storeddata with encryption when data is at risk ofunauthorized access, especially for databasesaccessible over the Internet. For example,consider encryption for employee or customernon-public personal information such asfinancial (credit card and bank account numbers)and healthcare data as well as proprietaryinformation such as financial statements orintellectual property.

• ISO 17799

• NIST 800-53

• FFIEC



• 21 CFR Part 11

• GLB

• HIPA A

• PCI




C AT E G O RY


S O U R C E S

18


RSA Security Inc.




D ATA PROTECTION - c o n t i n u e d

Encryption& DataIntegrity-c o n t i n u e d

ApplicationD e v e l o p m e n t

D P8

Protect DataIntegrity withCryptographicMechanisms

D P9

ImplementEncryption forWirelessSystems

Protect the integrity of sensitive or criticalinformation in transit or at rest withcryptographic mechanisms, such as hashes anddigital signatures. Systems that handle sensitiveecommerce transactions or emailcommunications should use such protection,particularly where non-repudiation capabilitiesare needed.

• ISO 17799

• NIST 800-53

• FFIEC

• COBIT


• 21 CFR Part 11

Protect wireless devices, communications, andsystems with encryption to guard againstunauthorized access or disclosure of informationstored, processed, transmitted or received bythese devices.

• ISO 17799

• NIST 800-53

• FFIEC



• PCI

D P1 0

EnsureApplicationsDeveloped withAppropriateSecurity Controls

Ensure that applications are developed withappropriate security controls, including definingthe security requirements before developingnew applications, incorporating widelyrecognized security standards, integratingadditional authentication and encryptioncontrols where required to ensure integrity andconfidentiality of the data and non-repudiationof transactions, implementing an effectivechange control process, hardening systemsbefore deployment, and establishing aneffective patch process for new securityvulnerabilities.

• ISO 17799

• FFIEC


• PCI



C AT E G O RY


S O U R C E S

ARSA SECURITY BEST PRACTICES FRAMEWORK

RSA Security Inc. 19RSA Security Inc.



LOGGING & REPORT I N G

Policy &Process

L R1

Develop aComprehensiveLogging &Reporting Policy

L R2

Protect LoggingMechanismsfromDeactivation orCompromise

Develop and document a comprehensive loggingand reporting policy that defines which eventsare logged, which activities are monitored,which reports are generated, and how longrecords are retained in accordance with the riskassessment. Logs and reports should beproduced to meet auditing and administrativerequirements, including: detecting unauthorizedaccess or actions, uncovering indications ofinappropriate or unusual activity, checking theeffectiveness of controls, determiningconformance to policy, and providing evidencein the case of security incidents. The policyshould indicate frequency of logging certainevents or activities (e.g. periodic, continuous, inresponse to specific situations, etc.). A reportingprocess should be defined that includes thecontent of reports as well as how often they aregenerated and for what purposes. Regularreviews/analysis of audit records should beconducted and delineated in the policy.

• ISO 17799

• NIST 800-53

• FFIEC

• COBIT


• NERC

• HIPA A

• PCI

Protect logging mechanisms by preventingdeactivation, ensuring that log files cannot beedited or deleted, protecting log files in storageand transmission, providing adequate storagecapacity to avoid gaps in data gathering,safeguarding backup and disposal of log files,and logging data to a separate, isolatedcomputer and to write-only media.

• ISO 17799

• NIST 800-53

• FFIEC


N / A

L R3

MaintainBusinessContinuity forLogging Services

Counteract interruptions to business activitiesand protect the availability and security ofinformation by ensuring that in the event of adisaster or computer failure the logging servicescan be restored in a timely manner.

• ISO 17799

• NIST 800-53

• FFIEC

• COBIT



• NERC• FISMA• HIPA A• PCI



C AT E G O RY


S O U R C E S

20


RSA Security Inc.



LOGGING & REPORTING - c o n t i n u e d

DataCollection &Review

L R4

EnsureSufficient DataLogging

L R5

Ensure LoggedData areAccessible andReviewedRegularly

Ensure sufficient data is collected in audit logfiles to satisfy the objectives laid out in thepolicy (e.g. to investigate suspicious activity, toidentify and respond to unauthorized accessattempts, etc.). The kind of events and activitieslogged and the frequency of logging should becommensurate with risk, considering thesensitivity and criticality of the information. At aminimum, logged data should include accesslogs such as operating system access (especiallyhigh-level administrative or root access),application access (especially users with write-and execute privileges), remote access activities,and all unsuccessful attempts at system orapplication access. All administrator andoperator activities and use of high-levelprivileges should be logged, such as changes tosystem or application configuration or changesto access rights and use of system utilities.Activation or deactivation of control systemsshould be logged and an alarm message sent toadministrators. All alarms raised by the accesscontrols should also be logged. All event andactivity logs should include date and timestamps.

• ISO 17799

• NIST 800-53

• FFIEC

• COBIT



• NERC

• HIPA A

• PCI

Ensure logged data is accessible and can bereadily reviewed and analyzed through fileinterrogation and reporting tools. Logs andreports on administrator and user access andactivity and security events should be reviewedregularly. Consider the use of pre-structured andautomated reporting tools to facilitate reportgeneration and review of logs.

• ISO 17799

• NIST 800-53

• FFIEC

• COBIT



• NERC

• HIPA A

• PCI



C AT E G O RY


S O U R C E S

21


RSA Security Inc.



LOGGING & REPORTING - c o n t i n u e d

DataCollection &Review-c o n t i n u e d

L R6

Capture UserActivityInformation

L R7

UtilizeCentralizedLogging

Capture detailed information on the user andtheir activities. Depending on the policy, auditlogs on user activity should include data such asuser ID, session ID, terminal ID, as well as thedate, time, and type of access attempt, servicerequest, process, transaction, or functionsperformed or rejected (such as read, write,modify, delete). At a minimum, all rejectedsystem, application, file, or data access attemptsand other failed actions should be logged.Monitoring user activity must consider anyrelevant privacy regulations.

• ISO 17799

• NIST 800-53

• FFIEC


• NERC

• HIPA A

• PCI

Utilize centralized logging and synchronizedtime stamps to ensure consistency and accuracyin logging across multiple systems orapplications and to expedite review andanalysis.

• ISO 17799

• NIST 800-53

• FFIEC



• PCI

L R8

RecordSignificant KeyEvents

Record, in a secure audit log, all significantevents performed with the data protection keys,including key generation, key archival, and keyrevocation, where each entry is time/datestamped and signed.

• ISO 17799

• FFIEC


N / A



C AT E G O RY


S O U R C E S

22


RSA Security Inc.

ABOUT RSA SECURITY

RSA Security Inc. is the expert in protecting online identitiesand digital assets. The inventor of core securitytechnologies for the Internet, the company leads the way instrong authentication and encryption, bringing trust tomillions of user identities and the transactions that theyperform. RSA Security's portfolio of award-winning identity& access management solutions helps businesses toestablish who's who online - and what they can do. With astrong reputation built on a 20-year history of ingenuity,leadership and proven technologies, we serve more than20,000 customers around the globe and interoperate withmore than 1,000 technology and integration partners. Formore information, please visit www.rsasecurity.com.

BSAFE, ClearTrust, Keon, RSA, RSA Security, the RSA logo, RSA Secured, SecurID and Confidence Inspired

are registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries.

All other products or services mentioned are trademarks of their respective owners.

©2006 RSA Security Inc. All rights reserved.

CBP WP 0406

RSA Security Inc. RSA Security Ireland Limited

www.rsasecurity.com www.rsasecurity.ie

FOR IMPLEMENTING BEST PRACTICES IN:

R S A SECURITY I&AM SOLUTIONS

RISK MANAGEMENT


ACCESS CONTROL

D ATA PROTECTION

LOGGING AND REPORT I N G

R SA® Profess ional Services or st rategic partners

RSA SecurID ® two factor authentication RSA Digita l Cert i f icate Management solut ionsRSA Sign-on Manager ® solution (enterprise SSO)RSA ClearTr u s t ® solution (web SSO) RSA Federated Identity Manager solut ion (mult i -domain SSO)

RSA ClearTr u s t ® web access management solut ionRSA Federated Identity Manager solut ionRSA Secured® partners ' provis ioning solut ions

RSA BSAFE® encryption so lutionsRSA BSAFE® Data Security Manager solutionRSA Key Manager solution

Al l RSA Security solutions

IMPLEMENTING BEST PRACTICES WITH RSA SECURITY I&AM SOLUTIONS More and more regulations continue to have major implications for information security. RSA Security helps organizations withthis challenge by providing a set of useful best practices in information security and leading I&AM solutions that can be used toimplement best practices.

Documents

RSASecurity Best Practices Framework › wp-content › uploads › ... · Develop, document, and enforce an information security policy that provides management direction, support,