• Table of Contents:
• Title Page
• Chapter 1: Security Policy
• Chapter 2: Security Organisation
• Chapter 3: Information Classification
• Chapter 4: Control of Classified Material
• Chapter 5: Personnel Security
• Chapter 6: Contractors and Other Third-Party Access
• Chapter 7: Physical and Environmental Security
• Chapter 8: Communications and Systems Security Management
• Chapter 9: Control of Access to Information Systems
• Cross-Reference to AS/NZ ISO/IEC 17799:2001
• Glossary of Abbreviations

Chapter 9: Control of Access to Information Systems

Business Requirement for Access Control

1. Appropriate access controls assist to protect information processed and stored in computer systems. The "defence in depth" principle should be followed based on risk management, and where appropriate using several "layers" to protect critical information. (See Chapter 7 paragraphs 1 to 5).

2. The organisation's system security policy must clearly define the needs of each user or group to access systems, applications and data.

3. User and group file-access rights should be configured according to business requirements and the "need to know" principle.

4. Formal procedures should control how access is granted to information-system services or how such access is changed, so as to prevent unauthorised access to data or system resources.

5. A usage profile, detailing privileges and access rights, should be assigned to each user. Give special attention to privileged access rights that can override system controls. Administration accounts must be strictly controlled and subject to special authorisation by the DSO.

6. A user registration policy should:

• formally authorise who gives out user IDs

• control the levels of access that can be granted

• maintain formal records on registered users

• make sure that all redundant user accounts are deleted

• regularly review registered users priveleges.

Access Control Rules

7. Access control can start by allowing access to everything, and then revoking access to whatever systems, applications or data repositories a user does not need. However, it is better to start by denying access to everything, and then explicitly granting access to just the specific resources a user needs.

8. Secure logon procedures can control access to host-based information systems. Logon procedures should reveal minimal information about the system, to deter unauthorised use.

Least Privilege Authorisation ("Need to Know")

9. Consider the principle of least privilege: grant no user greater access to the system than their duty demands.

10. This principle can be applied to users' modes of access, such as whether they receive "read or write" privileges.

Logon Banners and Warning Notices

11. There may be a defence against prosecution for computer-related offences if warnings about how an information system may be used are missing or inadequate. To pre-empt such a defence, an organisation should provide warnings on the system's logon banners that say:

• the system is for authorised users only

• usage is monitored

• evidence of misuse may be presented in legal proceedings

• by continuing to access the system after seeing the warning, people represent themselves as authorised users.

File-System Controls

12. Server file systems must have access control mechanisms to prevent unauthorised access or changes to data. This is critical when server file systems are connected to the Internet, even behind a firewall.

13. Server file-system access controls should restrict:

• direct-write access to system areas

• adding software or services

• accessing other users' files.

User Access Management

14. Access control to information systems and services should cover all stages in the life-cycle of user access: from registration of new users to de-registration of users who no longer need access. Where possible, user policies should be enforced by the operating system or other software.

User Authentication

15. When users log on, organisations must authenticate their identities. How to authenticate depends mainly on risk assessment and cost. There are three types (factors) of authenticating information:

• something the user knows, usually a password or pass-phrase

• something the user has, such as a magnetically coded card, or a "smart" card

• something the user is, such as a fingerprint, verified by biometric measurement.

• where possible and practical, use two authentication factors.

User Registration

Account and Access Management

16. Users should be assigned only the access privileges needed for their job.

17. System administration accounts should be assigned and used only as needed. Do not log on to administration accounts, for example, when using the system as a regular user, not performing administration duties.

18. Personnel management should include documented procedures describing the entire lifecycle of user accounts.

Single Sign-On and Trusted Domains

19. Where single sign-on or trusted domains are used to simplify user authentication, internal mechanisms must protect against critical failure.

20. Use evaluated products wherever possible.

21. Servers containing user credentials should be:

• physically protected

• tightly configured

• monitored for inappropriate use.

Inactivity Timeout and Restricted Connection Times

22. An additional security measure to prevent unauthorised access to an information system is to automatically disable logged-on workstations after a period of inactivity.

23. Restricting connection times can provide additional security for high-risk applications, reducing the window of opportunity for unauthorised access.

Further Guidance

24. For more on access control and authentication, see NZSIT 101, Information Technology Security Policy Handbook, Chapter 7, and NZSIT 204, Authentication Services and Mechanisms.

User Password Management

Passwords

25. The first line of defence for a host computer system is usually the user-identification code (user ID) and some form of authentication, such as a password.

26. Passwords must be secure but memorable. They should be granted through a formal management process, where users agree to keep them confidential.

One-Time Passwords and Tokens

27. Tokens are devices used to generate a one-time password or Personal Identification Number (PIN). Because they are expensive, they are normally found only on higher-security systems. Where they generate passwords tThey should be used with PINs to protect against unauthorised use if lost or stolen. PINs should be safeguarded to the same degree as passwords.

Digital Signatures

28. Digital signatures can be used to verify the content and originator of messages, documents, and software. The advent of public key cryptography (PKC) has made digital signatures available for access control, authentication, and user identification.

29. Digital signature information must be protected against loss or misuse.

30. A digital signature may be given in the form of a token.

Biometrics

31. Biometric devices can provide better security than either passwords or tokens, but they can present additional engineering issues. Organisations intending to use biometric devices should seek advice from the GCSB.

System Access Control

32. Systems have five main access vulnerabilities to attack:

• users' workstations

• dial-in lines

• interference with communications paths

• connections to public networks such as the Internet

• interfaces with other systems.

33. System vulnerabilities can be reduced by using:

• a carefully designed security architecture incorporating the principles of defence in depth

• physical security for unattended workstations

• encryption and other techniques for communications paths

• approved firewalls, where connections are permitted to public networks

• intrusion-detection systems, used in conjunction with a firewall

• applying strong controls to any operating system access.

34. For specific advice on reducing network vulnerabilities, consult the GCSB.

Firewalls and Border Controls

35. A firewall can control and record access to services from both inside and outside an organisation's private network. The firewall can permit, deny, or redirect the flow of data.

36. For a firewall to function effectively:

• all traffic between the internal and external networks must flow through the firewall

• it must be properly configured, managed, and audited.

37. Firewalls are only approved for systems handling information classified up to RESTRICTED or SENSITIVE. Higher-classified systems must use an air-gap [ Where there is no direct connection between systems, information is passed across an "air-gap" by media such as floppy disks. Formal procedures are required to ensure that only permitted data pass from system to another.] for passing information to systems connected to public networks.

38. Firewalls should be evaluated products (see Chapter 8 paragraphs 86-93).

Approved Circuits

39. An "approved circuit" is a fibre-optic or wire landline, and associated terminal equipment, with electro-magnetic and physical safeguards against unauthorised interception.

40. Approved circuits are usually under close control, reducing risk sufficiently so that higher-classified information may be sent without encryption.

41. GCSB advice should be sought where an approved circuit is being considered.

Wireless Local Area Networks

42. Wireless local area networks (WLANs) have significant vulnerabilities that must be addressed by organisations considering the use of such devices for processing classified official information.

43. Wireless LANs (WLANs) use radio frequency (RF) transmissions instead of cables to connect together computer equipment such as printers and terminals through an Access Point (AP).

44. WLANs are generally compliant with published international standards, but these standards do not in themselves guarantee security. WLANs are vulnerable to a range of attacks and threats, some of which are summarised below:

Confidentiality - Communications between a legitimate mobile device and an AP may be overheard or intercepted by other users.

Authentication - An unauthorised party might gain access to the network using a compliant device and, by emulating an authorised user, access information on the system or provide incorrect or misleading information.

Denial of Services Attacks - Unauthorised users may tie up network resources so normal users do not receive a service.

Interference - WLANs commonly operate in frequency bands set-aside for use by other systems, including industrial, scientific or medical equipment. Other devices operating legitimately in these bands may inadvertently disrupt a WLANs communications.

Cryptography - Cryptographic implementations may in reality provide little security.

45. WLANs processing government-classified information must be appropriately encrypted. Consult GCSB for further advice.

46. Departments should consider privacy and policy issues before permitting WLANs to be used for passing or processing unclassified official information, or before connecting to internal networks.

47. Further advice on the security implications of WLAN services is available from the GCSB.

Application Access Control

Controls should be used to restrict access within application systems. Logical access to software and information should be limited to authorised users. Application system controls should:

• control user access to information and application system functions, according to a defined access-control policy

• prevent unauthorised access to any utility or operating-system software that can override system or application controls

• prevent compromise to the security of other systems with which information resources are shared

• allow access only to the owner of information and other authorised users or groups

• carefully manage any interfaces.

Sensitive System Isolation

49. Particularly sensitive systems may need to run on a dedicated computer, or share resources only with other trusted application systems. The sensitivity of an application system should be clearly identified and documented in the system security policy and security plan.

Monitoring-System Access and Use

50. Systems should be monitored to detect deviation from the access-control policy.

51. Deviations should be recorded, both as evidence and for process enhancement in case of all security incidents.

52. System monitoring should make sure controls are working and that they are appropriate and in accordance with the access-control policy.

Mobile Computing, Teleworking and Homeworking

53. With mobile computing, teleworking and homeworking, consider the risks of:

• compromise at the remote site

• vulnerability to data interception.

54. Since many personal and laptop computers are lost or stolen every year, additional physical protection such as alarms or cable locks may be needed in open or shared environments.

55. Consider media encryption to protect information on computers used outside of a department's physically controlled areas.

56. Remote access to an organisation's network should be configured and managed so that it:

• allows only the specific services needed

• is only available when needed

• can only be used by specific, authenticated users.

57. When transmitting classified information, apply the security measures specified in Chapter 3 Annexes A to F of this manual .

58. Where classified information must be processed on a portable computer in an area where not all personnel are cleared or have a "need to know", position the computer carefully to avoid casual overview.

59. Products for secure access control and hard-disk encryption are recommended for laptops that contain classified information and may be taken outside the organisation. Consult the GCSB for advice on laptop-security products.

60. For more advice on homeworking, see the NZSIS Protective Security Manual.

[ Previous | Next ]