Serviceteam IT Security News

Principle

The organisation understands, documents and manages access to systems and functions supporting the delivery of essential services. Users (or automated functions) that can access data or services are appropriately verified, authenticated and authorised.

Description

It is important that the organisation is clear about who (or what, in the case of automated functions) has authorisation to interact with the network and information system of an essential service in any way, or to access associated sensitive data. Rights granted should be carefully controlled, especially where those rights provide an ability to materially affect the delivery of the essential service. Rights granted should be periodically reviewed and technically removed when no longer required, such as when an individual changes role or leaves the organisation.

Users, devices and systems should be appropriately verified, authenticated and authorised before access to data or services is granted. Verification of a user's identity (that they are who they say they are) is a prerequisite for issuing credentials, authentication and access management. For highly privileged access it might be appropriate to include approaches such as two-factor or hardware-backed authentication.

Unauthorised individuals should be prevented from accessing data or services at all points within the system. This includes system users without the appropriate permissions, unauthorised individuals attempting to interact with any online service the system presents, and individuals with unauthorised access to user devices (for example if a user device were lost or stolen).
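The two preceding paragraphs describe a periodic access review (rights removed on role change or departure) and stronger authentication for privileged access. The script below is an added illustration of that review, not NCSC's or Serviceteam IT's code: it reconciles a constructed HR roster and role-to-entitlement map against the accounts actually present on the systems, and flags leavers, orphaned accounts, entitlements beyond the current role, privileged accounts without MFA, and dormant accounts. All names, roles, entitlements and dates are invented for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not from the NCSC page).
# HR view: who is employed and in which role.
HR_ROSTER = {
    "alice": {"role": "control-engineer", "status": "active"},
    "bob":   {"role": "analyst",          "status": "active"},  # moved from scada-admin
    "carol": {"role": "scada-admin",      "status": "left"},
}

# Entitlements each role is supposed to have.
ROLE_ENTITLEMENTS = {
    "control-engineer": {"hmi-view", "hmi-operate"},
    "analyst":          {"historian-read"},
    "scada-admin":      {"hmi-view", "hmi-operate", "scada-config", "domain-admin"},
}

# Entitlements that can materially affect service delivery.
PRIVILEGED = {"scada-config", "domain-admin"}


@dataclass
class Account:
    user: str
    entitlements: set
    mfa_enrolled: bool
    last_login: date


# What the systems actually hold (constructed).
ACCOUNTS = [
    Account("alice", {"hmi-view", "hmi-operate"}, True, date(2024, 5, 2)),
    Account("bob", {"historian-read", "scada-config"}, False, date(2024, 4, 30)),
    Account("carol", {"hmi-view", "scada-config", "domain-admin"}, True, date(2024, 1, 15)),
    Account("svc-backup", {"historian-read"}, False, date(2023, 9, 1)),
]


def review_access(roster, role_map, accounts, today, dormant_days=90):
    """Return (user, issue, entitlements) findings for an access review."""
    findings = []
    for acct in accounts:
        person = roster.get(acct.user)
        if person is None:
            # No owner in HR: nobody is accountable for this account.
            findings.append((acct.user, "no-owner", tuple(sorted(acct.entitlements))))
        elif person["status"] != "active":
            # Leaver: every right should already have been removed.
            findings.append((acct.user, "leaver", tuple(sorted(acct.entitlements))))
        else:
            # Mover or over-provisioned: rights beyond the current role.
            excess = acct.entitlements - role_map.get(person["role"], set())
            if excess:
                findings.append((acct.user, "excess", tuple(sorted(excess))))
        privileged = acct.entitlements & PRIVILEGED
        if privileged and not acct.mfa_enrolled:
            findings.append((acct.user, "privileged-no-mfa", tuple(sorted(privileged))))
        if (today - acct.last_login).days > dormant_days:
            findings.append((acct.user, "dormant", tuple(sorted(acct.entitlements))))
    return findings


def revocations(findings):
    """Collapse findings into the set of entitlements to remove per user."""
    plan = {}
    for user, issue, ents in findings:
        if issue in ("leaver", "no-owner", "excess"):
            plan.setdefault(user, set()).update(ents)
    return plan


FINDINGS = review_access(HR_ROSTER, ROLE_ENTITLEMENTS, ACCOUNTS, date(2024, 6, 1))

if __name__ == "__main__":
    for user, issue, ents in FINDINGS:
        print(f"{user:<12}{issue:<20}{', '.join(ents)}")
    print("revoke:", revocations(FINDINGS))
```

The review is only as good as the inputs: the roster must come from the authoritative HR source and the account list must be pulled from every system in scope (domain, HMI, historian, remote-access gateway), and "privileged-no-mfa" findings should block access rather than just be reported.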

Guidance

Identity and access management

The Introduction to identity and access management sets out security fundamentals that operators should consider in designing and managing identity and access management systems. Identity and access control should be robust enough that essential services are not disrupted by unauthorised access.

Physical security

In addition to technical security, operators should protect physical access to networks and information systems supporting the essential service, to prevent unauthorised access, tampering or data deletion. Some operators may already have physical security measures in place to comply with other regulatory frameworks. See CPNI guidance for further information.

References

NCSC Introduction to identity and access management

CPNI Physical Security guidance

BS ISO/IEC 27002:2013 section 9

BS IEC 62443-2-1:2011

NIST Identity and Access Management publications, e.g. SP 800-63 suite “Digital Identity Guidelines”


Source: NCSC
