3.3.5 Identity and Access Management
No: 381000091275 | Date(g): 24/5/2017 | Date(h): 28/8/1438 | Status: In-Force
Principle
The Member Organization should restrict access to its information assets in line with their business requirements based on the need-to-have or need-to-know principles.
Objective
To ensure that the Member Organization only provides authorized and sufficient access privileges to approved users.
Control considerations
1. The identity and access management policy, including the responsibilities and accountabilities, should be defined, approved and implemented.
2. Compliance with the identity and access management policy should be monitored.
3. The effectiveness of the cyber security controls within the identity and access management policy should be measured and periodically evaluated.
4. The identity and access management policy should include:
   a. business requirements for access control (i.e., need-to-have and need-to-know);
   b. user access management (e.g., joiners, movers, leavers):
      1. all identified user types should be covered (i.e., internal staff, third parties);
      2. changes of job status or job position for internal staff (e.g., joiner, mover and leaver) should be instigated by the human resources department;
      3. changes for external staff or third parties should be instigated by the appointed accountable party;
      4. user access requests should be formally approved in accordance with business and compliance requirements (i.e., need-to-have and need-to-know, to avoid unauthorized access and (un)intended data leakage);
      5. changes in access rights should be processed in a timely manner;
      6. user access rights and profiles should be reviewed periodically;
      7. an audit trail of submitted, approved and processed user access requests and revocation requests should be established;
   c. user access management should be supported by automation;
   d. centralization of the identity and access management function;
   e. multi-factor authentication for sensitive and critical systems and profiles;
   f. privileged and remote access management, which should address:
      1. the allocation and restricted use of privileged and remote access, specifying that:
         a. multi-factor authentication should be used for all remote access;
         b. multi-factor authentication should be used for privileged access on critical systems, based on a risk assessment;
      2. the periodic review of users with privileged and remote accounts;
      3. individual accountability;
      4. the use of non-personal privileged accounts, including:
         a. limitation and monitoring;
         b. confidentiality of passwords;
         c. changing passwords frequently and at the end of each session.