Defense Security Service



Date: 05.05.2018

5.7 ACCESS ENFORCEMENT


Instructions: Describe how the Company’s information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy. You may describe, for example, the following:

  • How access control policies (e.g., identity-based policies, role-based policies, rule-based policies) and associated access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) are employed by the Company to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system.

  • How, in addition to controlling access at the information system level, access enforcement mechanisms are employed at the application level, when necessary, to provide increased information security for the Company.

Explain how the Company will use the following control element to manage access enforcement:

  • An information system that restricts access to privileged functions (deployed in hardware, software, and firmware) and security-relevant information to explicitly authorized personnel, including, for example, security administrators, system and network administrators, and other privileged users. Privileged users are individuals who have access to system control, monitoring, or administration functions (e.g., system administrators, information system security officers, maintainers, system programmers). [Company should also list each responsible individual by name.]

XYZ, Inc. has a guest wireless network for the use of its employees and also any individuals visiting our office. A computer connecting to the wireless network can only access XYZ’s servers and other computers on the network when the user has a current PGKserver domain user account; otherwise, access is limited only to public resources such as the Internet and the unclassified printer(s).

5.8 INFORMATION FLOW ENFORCEMENT


Instructions: Describe how the Company’s information system enforces assigned authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. You may describe, for example, the following:

  • How the Company’s information flow will control where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information.

  • How the Company will keep export controlled information from being transmitted in the clear to the Internet, block outside traffic that claims to be from within the Company, and not pass any web requests to the Internet that are not from the internal web proxy.

  • How the Company’s information flow control policies and enforcement mechanisms will control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems and between interconnected systems.

  • How the Company’s flow control is based on the characteristics of the information and/or the information path. Specific examples of flow control enforcement can be found in boundary protection devices (e.g., proxies, gateways, guards, encrypted tunnels, firewalls, and routers) that employ rule sets or establish configuration settings that restrict information system services or provide a packet filtering capability.

Not applicable because XYZ, Inc. is a single facility and, as such, does not have multiple, interconnected IT systems.

5.9 SEPARATION OF DUTIES


Instructions: Describe how the Company’s information system enforces separation of duties through assigned access authorizations. You may describe, for example, the following:

  • How the Company will establish appropriate divisions of responsibility and separate duties as needed to eliminate conflicts of interest in the responsibilities and duties of individuals.

  • How there is access control software on the Company’s information system that prevents users from having all of the necessary authority or information access to perform fraudulent activity without collusion.

  • How the Company will divide mission functions and distinct information system support functions among different individuals/roles.

  • How the Company will have different individuals perform information system support functions (e.g., system management, systems programming, quality assurance/testing, configuration management, and network security).

  • How the Company will use security personnel to administer access control functions who are different from the personnel who administer the Company’s audit functions.

Refer to XYZ’s Access Control Policy for details on Separation of Duties.

5.10 LEAST PRIVILEGE


Instructions: Describe how the Company’s information system will enforce the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks. You may describe, for example, how the Company employs the concept of least privilege for specific duties and information systems (including specific ports, protocols, and services) in accordance with risk assessments as necessary to adequately mitigate risk to organizational operations, organizational assets, and individuals.

Refer to XYZ’s Access Control Policy for details on Least Privilege.


5.11 UNSUCCESSFUL LOGIN ATTEMPTS


Instructions: Describe how the Company’s information system will enforce a limit of [state the appropriate number] consecutive invalid access attempts by a user during a [state the appropriate time period] time period. You may describe, for example, the following:

  • How the Company’s information system (i) will automatically lock the account/node for an [state the appropriate time period] and/or delay next login prompt according to [state the appropriate delay algorithm] when the maximum number of unsuccessful attempts is exceeded.

  • Whether automatic lockouts initiated by the information system will be temporary and automatically release after a predetermined time period established by the Company.

All of XYZ’s IT systems limit the number of unsuccessful log-in attempts to 3. A specified lock-out period will occur after three unsuccessful log-in attempts. Individuals who do not have the appropriate local user account information will not be able to access our IT system and must contact IT support services.

