ISO IEC 17799 2000

TRANSLATED INTO PLAIN ENGLISH

Section 9: Access Control

ISO 17799 2000 is now OBSOLETE.
Please see ISO IEC 17799 2005 (27002)!

ISO 17799 IS AN INFORMATION SECURITY MANAGEMENT STANDARD

9.1 CONTROL ACCESS TO INFORMATION

Make sure that your information access controls meet your business requirements.

Make sure that your information access controls meet your security requirements.

Make sure that your information access controls comply with your information dissemination policies.

Make sure that your information access controls comply with your information authorization policies.

9.1.1 DEVELOP A POLICY AND RULES TO CONTROL ACCESS

9.1.1.1 DEVELOP A POLICY TO CONTROL INFORMATION ACCESS

Define and document the business requirements that your access controls must meet.

Make sure that your users understand the business requirements that access controls are supposed to meet.

Make sure that your service providers understand the business requirements that access controls must meet.

Develop a policy to control information access.

Make sure that your access control policy meets your business requirements.

Make sure that your access control policy defines the rules and rights that each of your user groups must comply with.

Make sure that your access control policy defines the security requirements that individual applications must meet.

Make sure that your access control policy defines how information dissemination and authorization should be controlled.

Make sure that your access control policy complies with all relevant data access laws and regulations.

Make sure that your access control policy meets all contractual obligations to protect access to data or services.

Make sure that your access control policy allows the use of standard user access profiles for common job categories.

Make sure that your access control policy supports the management of access rights in a distributed and networked environment.

Make sure that your access control policy recognizes all the types of connections that are possible within a distributed and networked environment.

Make sure that your information access control policy is consistent with your information classification policies.

9.1.1.2 DEVELOP INFORMATION ACCESS CONTROL RULES

Develop rules to control access to information.

Make sure that your access control rules specify which rules must always be enforced and which ones are conditional or optional.

Make sure that your access control rules forbid access except for those who have been officially allowed to have access.

Make sure that your access control rules distinguish between information labels that are generated automatically and those that can be generated by users.

Make sure that your access control rules distinguish between user permissions that are generated automatically and those that are initiated by an administrator.

Make sure that you distinguish between user access rules that must be formally approved by administrators or managers, and those rules that can be enacted without formal approval.


9.2 MANAGE THE ALLOCATION OF ACCESS RIGHTS

Establish a procedure to control the allocation of rights to access information systems and services.

Ensure that your access rights allocation procedure controls all stages from initial user registration to de-registration.

Ensure that your access rights allocation procedure pays particular attention to the allocation of special rights and privileges that allow users to override normal system controls.

9.2.1 ESTABLISH A USER REGISTRATION PROCEDURE

Develop a formal procedure to control the registration and de-registration of users who want access to multi-user information systems and services.

Make sure that your user registration procedure assigns a unique user ID to each individual user.

Make sure that your user registration procedure limits the use of group IDs.

Make sure that your user registration procedure ensures that system owners authorize access before user access is granted.

Make sure that your user registration procedure specifies when management authorization is required before user access is granted.

Make sure that your user registration procedure ensures that the level of access granted is determined by business requirements.

Make sure that your user registration procedure ensures that the level of access granted is consistent with your security policy.

Make sure that your user registration procedure ensures that the level of access granted does not create an opportunity for collusion.

Make sure that your user registration procedure ensures that users are given a written statement of their access rights and responsibilities.

Make sure that your registration procedure ensures that all users are asked to sign statements that confirm that they understand what their access rights and responsibilities are.

Make sure that your user registration procedure ensures that service providers do not provide access until all formal authorization steps have been taken.

Make sure that your user registration procedure ensures that a formal record of all registered users is maintained.

Make sure that your user registration procedure ensures that access rights are immediately cancelled whenever users change jobs or leave your organization.

Make sure that your user registration procedure ensures that someone periodically checks your records to make sure that only legitimate users continue to have access.

Make sure that your user registration procedure ensures that old or redundant IDs are not issued to new users.

Make sure that your employment contracts specify the sanctions that will be applied if employees attempt to gain access to information without authorization.

Make sure that your service contracts specify the sanctions that will be applied if service agents attempt to gain access to information without authorization.

9.2.2 CONTROL THE AUTHORIZATION OF SYSTEM PRIVILEGES

Establish a formal authorization process that must be used to restrict and control the allocation of special privileges that allow users to override normal system controls.

Specify exactly what the special privileges should be for each category of software product.

Specify which staff members should have which privileges for each category of software product.

Grant system privileges only when they are needed.

Make sure that your authorization process ensures that system privileges are not granted until all formal authorization steps have been completed.

Maintain a record of all privilege allocations.

Reduce the need to grant privileges by promoting the development and use of system routines.

Ensure that the same user identity is not used to grant both privileged access and normal business access.

9.2.3 ESTABLISH A PROCESS TO MANAGE PASSWORDS

Establish a formal process to manage and control the allocation of your organization's passwords.

Make sure that your password management process ensures that all users are asked to sign statements that promise to protect the confidentiality of their personal passwords.

Make sure that your password management process ensures that all work groups are asked to sign statements that promise to protect the confidentiality of their work group passwords.

Make sure that your password management process ensures that secure temporary passwords are supplied only after the user has been properly identified.

Make sure that your password management process ensures that a secure process is used to supply temporary passwords.

Make sure that your password management process ensures that users are forced immediately to change secure temporary passwords into secure permanent passwords.

Make sure that your password management process ensures that users acknowledge the receipt of their passwords.

Store passwords on a secure computer system.

9.2.4 REVIEW USER ACCESS RIGHTS AND PRIVILEGES

Make sure that managers review user access rights and privileges.

Make sure that user access rights are reviewed on a regular basis.

Make sure that access rights are reviewed whenever changes occur.

Make sure that access privileges are reviewed more often than rights.

Make sure that access privileges are reviewed on a regular basis.

Make sure that access privileges are reviewed in order to ensure that unauthorized privileges have not been granted.
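The periodic record check in 9.2.1, the privilege register and separate-identity rule in 9.2.2, and the access review in 9.2.4 can all be driven from one reconciliation of the user registration record against what a system actually grants. The script below is an added example written for this page, not part of the standard or of the translation; the registry, account list, job profiles, and retired-ID set are all constructed sample data, and the field names are this example's own assumptions.

```python
"""Access-rights review: reconcile the registration record with live accounts.

Added example (not from the page or from ISO 17799). All data below is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Registration:
    """One row of the formal record of registered users (9.2.1)."""
    user_id: str
    person: str
    status: str                      # "active" or "left"
    job: str
    approved_rights: set = field(default_factory=set)   # individually authorized extras


@dataclass
class Account:
    """One account as found on a system; a user ID may have several."""
    user_id: str
    rights: set
    privileged: bool = False


# Standard access profiles for common job categories (9.1.1.1). Hypothetical values.
JOB_PROFILES = {
    "clerk": {"read_ledger"},
    "accountant": {"read_ledger", "post_journal"},
    "sysadmin": {"read_ledger"},     # admin work is expected on a separate privileged ID
}


def review_access(registry, accounts, privilege_register, retired_ids=frozenset()):
    """Return (user_id, finding) pairs a manager should act on during the review."""
    by_id = {r.user_id: r for r in registry}
    findings = []

    for acct in accounts:
        reg = by_id.get(acct.user_id)
        if reg is None:
            findings.append((acct.user_id, "no registration record"))
            continue
        if reg.status == "left":
            findings.append((acct.user_id, "user has left; cancel access immediately"))
            continue
        if acct.privileged:
            # 9.2.2: every privilege allocation must appear in the privilege record
            unrecorded = acct.rights - privilege_register.get(acct.user_id, set())
            if unrecorded:
                findings.append((acct.user_id, f"unrecorded privileges: {sorted(unrecorded)}"))
        else:
            # 9.2.1 / 9.2.4: rights must match the job profile plus approved extras
            allowed = JOB_PROFILES.get(reg.job, set()) | reg.approved_rights
            excess = acct.rights - allowed
            if excess:
                findings.append((acct.user_id, f"rights beyond profile: {sorted(excess)}"))

    # 9.2.2: the same identity must not carry both privileged and normal access
    kinds = {}
    for acct in accounts:
        kinds.setdefault(acct.user_id, set()).add(acct.privileged)
    for uid, seen in sorted(kinds.items()):
        if seen == {True, False}:
            findings.append((uid, "same identity holds privileged and normal access"))

    # 9.2.1: old or redundant IDs must not be issued to new users
    for reg in registry:
        if reg.status == "active" and reg.user_id in retired_ids:
            findings.append((reg.user_id, "retired ID reissued to a new user"))

    return findings


# Constructed sample data for a stand-alone run.
REGISTRY = [
    Registration("u1001", "A. Smith", "active", "clerk"),
    Registration("u1002", "B. Jones", "left", "accountant"),
    Registration("u1003", "C. Lee", "active", "accountant", {"export_report"}),
    Registration("u1004", "D. Ng", "active", "sysadmin"),
    Registration("u1005", "E. New", "active", "clerk"),
]
ACCOUNTS = [
    Account("u1001", {"read_ledger"}),
    Account("u1002", {"read_ledger", "post_journal"}),
    Account("u1003", {"read_ledger", "post_journal", "export_report", "approve_payment"}),
    Account("u1004", {"read_ledger"}),
    Account("u1004", {"root"}, privileged=True),
    Account("u9999", {"read_ledger"}),
]
PRIVILEGE_REGISTER = {"u1004": {"root"}}
RETIRED_IDS = frozenset({"u1005"})      # u1005 was previously assigned and then retired

if __name__ == "__main__":
    for uid, finding in review_access(REGISTRY, ACCOUNTS, PRIVILEGE_REGISTER, RETIRED_IDS):
        print(f"{uid}: {finding}")
```

Each finding maps to a clause on this page: a leaver still holding an account, rights beyond the job profile, an account with no registration record, one ID used for both privileged and normal work, and a retired ID handed to a new user. Running the review on a schedule, and again whenever a job change is recorded, covers both the "regular basis" and the "whenever changes occur" requirements of 9.2.4.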


9.3 ENCOURAGE RESPONSIBLE ACCESS PRACTICES

Ask authorized users to help you control access to your organization's information systems and services.

Make authorized users responsible for helping you to control access to information systems and services.

Make users aware of what they must do to control access.

Make users aware of what they must do to protect passwords.

Make users aware of what they must do to protect equipment.

9.3.1 ENCOURAGE USERS TO PROTECT PASSWORDS

Make sure that your users follow best information security practices when they select their passwords.

Make sure that your users select passwords that are six or more characters in length.

Make sure that users select passwords that are easy to remember.

Make sure that users select passwords that are difficult for others to guess based on what they already know about the user.

Make sure that users avoid selecting passwords that contain identical consecutive characters, or that consist entirely of alphabetic or entirely of numeric characters.

Make sure that your users follow best information security practices when they use their passwords.

Make sure that users protect the confidentiality of their passwords.

Make sure that your users ensure that all written records of passwords are safely and securely stored.

Make sure that users change passwords whenever the security of passwords or systems appears to have been compromised.

Make sure that users change passwords on a regular basis.

Make sure that users avoid using previously used passwords.

Make sure that users change passwords more often for privileged access accounts than for normal access accounts.

Make sure that your users change temporary passwords immediately.

Make sure that your users ensure that passwords are not embedded in, or automatically stored by, automated log-on processes.

Make sure that users avoid sharing passwords with others.

Make sure that users are formally authorized to use a single password to access multiple systems or services only if multiple access is a job requirement and the password is of high quality.
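The selection rules in 9.3.1 that a system can check mechanically are the length floor, the ban on identical consecutive characters and on all-alphabetic or all-numeric passwords, the "nothing others already know about you" rule, and the ban on reuse. The checker below is an added example for this page, not code from the standard or from the translation; the six-character minimum is the page's own figure, while the history salt, the sample user facts, and the sample passwords are constructed for the example.

```python
"""Password-selection checks from ISO 17799:2000 9.3.1.

Added example (not from the page or from ISO 17799). Sample values are constructed.
"""
import hashlib
import re

MIN_LENGTH = 6                       # the page's stated minimum
HISTORY_SALT = b"example-history-salt"   # constructed; a real deployment uses its own secret salt


def history_digest(password: str) -> str:
    """Digest used to keep a password history without storing the passwords themselves."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), HISTORY_SALT, 50_000).hex()


def check_password(candidate: str, user_facts=(), previous_digests=frozenset()) -> list:
    """Return the 9.3.1 rules the candidate breaks; an empty list means it passes.

    user_facts: strings others could know about the user (name, login, phone ...).
    previous_digests: history_digest() values of the user's earlier passwords.
    """
    problems = []

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # identical consecutive characters, e.g. "aa" or "11"
    if re.search(r"(.)\1", candidate):
        problems.append("contains identical consecutive characters")

    # all-alphabetic or all-numeric groups
    if candidate.isalpha():
        problems.append("consists only of alphabetic characters")
    if candidate.isdigit():
        problems.append("consists only of numeric characters")

    # easy to guess from what others already know about the user
    lowered = candidate.lower()
    for fact in user_facts:
        if len(fact) >= 3 and fact.lower() in lowered:
            problems.append(f"contains something known about the user: {fact!r}")

    # reuse of a previous password
    if history_digest(candidate) in previous_digests:
        problems.append("reuses a previous password")

    return problems


if __name__ == "__main__":
    facts = ("Pat", "psmith", "0151-555-0100")      # constructed user facts
    history = {history_digest("r7qZ!m2p")}          # constructed earlier password
    for pw in ("abc12", "123456", "Pat2024x", "r7qZ!m2p", "v4Lk$9qe"):
        print(pw, "->", check_password(pw, facts, history) or "ok")
```

The history is kept as digests rather than plain passwords so that the reuse check does not itself become a written record of passwords, which 9.3.1 also tells users to guard. "Easy to remember" is not something code can judge, so that rule stays with user awareness.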

9.3.2 ENCOURAGE USERS TO PROTECT EQUIPMENT

Make sure that users know how to protect unattended equipment.

Make sure that users understand the security requirements that must be met when equipment is left unattended.

Make sure that users understand the security procedures that must be followed to protect unattended equipment.

Make sure that your users understand what their specific equipment protection responsibilities are.

Make sure that your users protect their equipment when it has been left unattended.

Make sure that your contractors know how to protect unattended equipment.

Make sure that contractors understand the security requirements that must be met when equipment is left unattended.

Make sure that your contractors understand the security procedures that must be followed to protect unattended equipment.

Make sure that your contractors know what their specific equipment protection responsibilities are.

Make sure that your contractors protect equipment when it has been left unattended.

Make sure that users are told to secure their equipment or to terminate active sessions when their work is finished.

Make sure that users are told to log off mainframe computers when their work session is finished.

Make sure that users are told to protect terminals or PCs against unauthorized access when they're not using them.

Make sure that workstations and file servers are given special protection from unauthorized access when they are located in user areas and left unattended for long periods.


9.4 CONTROL ACCESS TO COMPUTER NETWORKS

Control access to internal networked services.

Control access to external networked services.

Control access by using the appropriate interfaces between your network and networks owned by other organizations.

Control access by using the appropriate interfaces between your network and public networks.

Control access to networks by using the appropriate authentication mechanisms for users and equipment.

Control user access to information services.

9.4.1 FORMULATE A NETWORK USE POLICY

Establish a policy to control the use of networks and network services.

Make sure that your network use policy ensures that users are not allowed access to a particular network unless they have been formally authorized to use that network.

Make sure that your network use policy ensures that users are not allowed access to sensitive or critical business applications unless access has been formally authorized.

Make sure that your network use policy ensures that users are not allowed access to high-risk areas or locations unless access has been formally authorized.

Make sure that your network use policy identifies the networks and network services that users may access and those that users may access only if they have special authorization.

Make sure that your network use policy establishes procedures that must be used to determine who is allowed to have access to networks and network services and which ones may not be accessed.

Make sure that your network use policy establishes management controls and procedures to protect access to network connections.

Make sure that your network use policy establishes management controls and procedures to protect access to network services.

Make sure that your network use policy is consistent with your organization's business access control policy.

9.4.2 USE ENFORCED PATHS TO CONTROL ACCESS

Reduce the opportunity for unauthorized access to business applications by controlling the path from the user terminal to the computer service.

Reduce the opportunity for unauthorized use of information facilities by controlling the path from the user terminal to the computer service.

Establish controls to restrict the route between user terminals and the computer services that users are authorized to access.

Make sure that your path controls prevent users from selecting unauthorized routes by limiting the routing options available to the user at each point in the network.

Limit the users' routing options by allocating dedicated lines or telephone numbers.

Limit the users' routing options by automatically connecting ports to designated application systems.