Meeting Industry Standards in Access Control Security
We understand the importance of industry standards in access control security. In today’s digital age, businesses face ever-evolving threats to their sensitive data and physical assets. That’s why implementing robust access control systems that comply with industry standards is essential to safeguarding your organization.
Industry standards serve as a benchmark for best practices in access control security, providing guidelines and frameworks that enable businesses to establish effective security measures. These standards address various aspects of access control, ranging from physical barriers to logical network restrictions.
Our team
of experts specializes in implementing access control systems that align with
industry standards, ensuring your business meets the highest security
requirements. By partnering with us, you can enhance your organization’s
overall security posture and gain peace of mind, knowing that your access
control systems are top-notch.
Join the ranks of leading organizations that prioritize access control security by implementing industry-standard solutions. Contact us today to discuss how we can help you achieve the highest levels of protection for your business.
Please be aware that as of October 2022, ISO 27001:2013 was revised and is now known as ISO 27001:2022. Please see the full revised ISO 27001 Annex A Controls to see the most up-to-date information.
Understanding
Access Control Systems
Access control systems are an essential component of modern security solutions. These systems are designed to manage and regulate access to physical and digital spaces, ensuring that only authorized individuals or entities can gain entry. Access control systems are categorized into two main types: physical access control and logical access control.
Physical
Access Control
Physical access control encompasses measures that restrict access to buildings, facilities, and physical assets. It involves the use of various security mechanisms such as key cards, biometric authentication, and surveillance systems to grant or deny entry. Physical access control is particularly crucial in environments where sensitive information, valuable assets, or restricted areas need to be protected.
Logical
Access Control
Logical
access control focuses on securing digital resources such as computer networks,
databases, and software systems. It involves implementing authentication
methods, encryption protocols, and user permissions to control and monitor
access to sensitive data and functions. Logical access control ensures that
only authorized users can establish connections and interact with digital
resources, preventing unauthorized access and potential data breaches.
Types of
access control systems are designed to meet specific security requirements.
Some common types include:
·
Role-Based
Access Control (RBAC): This approach assigns permissions and privileges based
on predefined roles and responsibilities within an organization.
·
Discretionary
Access Control (DAC): DAC allows data owners to determine access permissions,
granting or revoking access as required.
·
Mandatory
Access Control (MAC): MAC enforces access control policies based on
classification levels or security clearances.
·
Biometric
Access Control: This type of access control system relies on unique
physiological or behavioral characteristics, such as fingerprints or facial
recognition, for authentication.
Understanding the different types of access control systems is crucial for businesses and organizations to implement robust security measures. By combining physical and logical access control, businesses can create a comprehensive security framework that safeguards their assets, networks, and sensitive information.
Benefits
of Access Control Systems
Access
control systems offer numerous benefits to businesses, providing enhanced
security and peace of mind. Here are some of the advantages that come with
implementing such systems:
- Real-Time
Reporting: Access control systems provide instant access to
statistics, analytics, and tracking information. This real-time reporting
allows businesses to monitor and locate individuals or assets across
multiple locations effortlessly.
- Instant
Alerts: With access control systems, businesses can receive
immediate alerts for any suspicious activity. This enables them to take
prompt and targeted action, mitigating potential threats and ensuring the
safety of employees and assets.
- Time-Stamping
Activities: Access control systems enable businesses to
time-stamp activities. This valuable information serves as a reference
point for future investigations or auditing purposes, helping to maintain
accountability and support legal compliance.
- Efficient
Remote Unlocking: Access control systems facilitate remote
unlocking of doors, allowing authorized personnel to grant access to
specific areas without the need for physical presence. This feature
enhances convenience, especially in situations where immediate access is
required.
- Secure
Digital Key Cards: Access control systems utilize digital key
cards, which are more secure and convenient compared to traditional keys.
These cards can be easily issued or revoked, minimizing the risk of
unauthorized access and eliminating the need for physical locks to be
changed.
By leveraging the benefits of access control systems, businesses can improve their security measures, streamline operations, and protect sensitive information and valuable assets effectively.
Customizable
and User-Friendly Access Control Systems
When it comes to access control systems, customization is key. Businesses have unique security needs, and access control systems can be tailored to address those specific requirements. Whether it’s the size of the organization, the nature of the operations, or the desired level of security, customizable access control systems can be configured to provide the ideal solution.
One of the advantages of customizable access control systems is their ability to integrate with third-party programs and technologies. This integration enhances the functionality of the system and allows for seamless collaboration with existing security infrastructure. Whether it’s integrating with surveillance cameras, biometric authentication systems, or other security applications, businesses can create a comprehensive security ecosystem with their customizable access control system.
In
addition to customization, user-friendly features are crucial for the efficient
operation of access control systems. With instant updates, these systems can
ensure that the latest security protocols are implemented promptly and
efficiently. Automatic maintenance minimizes downtime and optimizes system
performance, while remote tech support provides quick assistance whenever
issues arise. These user-friendly features not only make the system more
convenient for users but also reduce the workload for system administrators.
ISO 27001 is an internationally recognized standard that sets out the requirements for an information security management system (ISMS). This standard specifies the framework for implementing, maintaining, and improving information security policies and procedures, including all legal, physical, and technical controls involved in managing an organization's information security risk.
ISO
27001:2022 Annex A.9 is all about access control procedures. The aim of Annex
A.9 is to safeguard access to information and ensure that employees can only
view information that’s relevant to their work. This guide will take you
through everything you need to know about Annex A.9.
Annex A.9 is divided into four sections and you will need to work through each one. They are Access Controls, User Access Management, User Responsibilities and Application Access Controls.
What
is the objective of Annex A.9.1?
ISO 27001:2022 Annex A.9.1 is about business requirements of access control. The objective in this Annex A control is to limit access to information and information processing facilities.
It’s an important part of the information security management system (ISMS) especially if you’d like to achieve ISO 27001 certification. Lets understand those requirements and what they mean in a bit more depth.
A.9.1.1
Access Control Policy
An access control policy must be established, documented and reviewed regularly taking into account the requirements of the business for the assets in scope.
Access control rules, rights and restrictions along with the depth of the controls used should reflect the information security risks around the information and the organisation’s appetite for managing them. Put simply access control is about who needs to know, who needs to use and how much they get access to.
Access
controls can be digital and physical in nature, e.g. permission restrictions on
user accounts as well as limitations on who can access certain physical
locations (aligned with Annex A.11 Physical and Environment Security). The
policy should take into account:
·
Security
requirements of business applications and align with the information
classification scheme in use as per A.8 Asset Management;
·
Clarify
who needs to access, know, who needs to use the information – supported by
documented procedures and responsibilities;
·
Management
of the access rights and privileged access rights (more power – see below)
including adding, in life changes (e.g. super users/administrators controls)
and periodic reviews (e.g. by regular internal audits in line with requirement
9.2.
·
Access
control rules should be supported by formal procedures and defined
responsibilities;
Access control needs to be reviewed based on change in roles and in particular during exit, to align with Annex A.7 Human Resource Security.
A.9.1.2
Access to Networks and Network Services
The principle of least access is the general approach favoured for protection, rather than unlimited access and superuser rights without careful consideration.
As such
users should only get access to the network and network services they need to
use or know about for their job. The policy therefore needs to address; The
networks and network services in scope for access; Authorisation procedures for
showing who (role based) is allowed to access to what and when; and Management
controls and procedures to prevent access and monitor it in life.
This also
needs to be considered during onboarding and offboarding, and is closely
related to the access control policy itself.
What
is the objective of Annex A.9.2?
ISO 27001:2022 Annex A.9.2 is about user access management. The objective in this Annex A control is to ensure users are authorised to access systems and services as well as prevent unauthorised access.
A.9.2.1
User Registration and Deregistration
A formal user registration and deregistration process needs to be implemented. A good process for user ID management includes being able to associate individual IDs to real people, and limit shared access IDs, which should be approved and recorded where done.
A good on-boarding and exit process ties in with A7 Human Resource Security to show quick and clear registration/deregistration along with avoidance of reissuing old IDs. A regular review of ID’s will illustrate good control and reinforces ongoing management.
That can be tied in with the internal audits noted above for access control audits, and periodic reviews by the information asset or processing application owners.
A.9.2.2
User Access Provisioning
A process (however simple and documented) must be implemented to assign or revoke access rights for all user types to all systems and services. Done well it ties in with the points above as well as the broader HR Security work.
Provisioning and revoking process should include; Authorisation from the owner of the information system or service for the use of the information system or service; Verifying that the access granted is relevant to the role being done; and protecting against provisioning being done before authorisation is complete.
User access should always be business led and access based around the requirements of the business. This might sound bureaucratic but it doesn’t need to be and effective simple procedures with role based access by systems and services can address it.
A.9.2.3
Management of Privileged Access Rights
A.9.2.3 is about managing usually more powerful and higher ‘privileged’ levels of access e.g. systems administration permissions versus normal user rights.
The allocation and use of privileged access rights has to be tightly controlled given the extra rights usually conveyed over information assets and the systems controlling them. For example the ability to delete work or fundamentally affect the integrity of the information. It should align with the formal authorisation processes alongside the access control policy.
That could include; system by system clarity on privileged access rights (which can be managed inside the application); allocation on a need-to-use basis not a blanket approach; A process and record of all privileges allocated should be maintained (alongside the information asset inventory or as part of the A.9 evidence; and the competence of users granted the rights must be reviewed regularly to align with their duties.
This is
another good area to include in the internal audit to demonstrate control.
One of the biggest contributory factors to failures or breaches of systems is inappropriate and blanket use of system administration privileges with human error leading to more damage or loss than if a ‘least access’ approach were taken.
Other good practice relating to this area includes the separation of the systems administrator role from the day to day user role and having a user with two accounts if they perform different jobs on the same platform.
A.9.2.4
Management of Secret Authentication Information of Users
Secret authentication information is a gateway to access valuable assets. It typically includes passwords, encryption keys etc. so needs to be controlled through a formal management process and needs to be kept confidential to the user.
This is usually tied into employment contracts and disciplinary processes (A.7) and supplier obligations (A13.2.4 and A.15) if sharing with external parties.
Procedures should be established to verify the identity of a user prior to providing new, replacement or temporary secret authentication information. Any default secret authentication information provided as part of a new system use should be changed as soon as possible.
A.9.2.5
Review of User Access Rights
Asset owners must review users’ access rights at regular intervals, both around individual change (on-boarding, change of role and exit) as well broader audits of the systems access.
Authorisations for privileged access rights should be reviewed at more frequent intervals given their higher risk nature. This ties in with 9.2 for internal audits and should be done at least annually or when major changes take place.
A.9.2.6
Removal or Adjustment of Access Rights
As outlined above access rights of all employees and external party users to information and information processing facilities need to be removed upon termination of their employment, contract or agreement, (or adjusted upon change of role if required).
A good exit policy and procedures dovetailed in with A.7 will also ensure this is achieved and demonstrated for audit purposes when people leave.
What
is the objective of Annex A.9.3?
Annex A.9.3 is about user responsibilities. The objective in this Annex A control is to make users accountable for safeguarding their authentication information.
A.9.3.1
Use of Secret Authentication Information
This is simply about making sure that users follow the policies and will therefore tie in with A7 Human Resource Security for contracts, user education for awareness and compliance, as well as common sense practices.
These include: Keep any secret authentication information confidential; Avoid keeping a record of it that can be accessed by unauthorised parties; Change it whenever there is any suggestion of possible compromise; select quality passwords with sufficient minimum length and strength to follow broader password policy controls in Annex A.9.4.
What
is the objective of Annex A.9.4?
Annex A.9.4 is about system and application access control. The objective in this Annex A control is to prevent unauthorised access to systems and applications.
A.9.4.1
Information Access Restriction
Access to
information and application system functions must be tied into the access
control policy. Key considerations should include:
These
include:
·
Role-based
access control (RBAC);
·
Levels
of access;
·
Design
of “menu” systems within applications;
·
Read,
write, delete and execute permissions;
·
Limiting
output of information; and
·
Physical
and/or logical access controls to sensitive applications, data and systems.
The auditor will check to see that considerations have been made for limiting access within systems and applications that support access control policies, business requirements, risk levels and segregation of duties.
A.9.4.2
Secure log-on Procedures
Access to systems and applications must be controlled by a secure log-on procedure to prove the identity of the user.
This can go beyond the typical password approach into multi-factor authentication, biometrics, smart cards, and other means of encryption based on the risk being considered.
Secure log on should be designed so it cannot be easily circumvented and that any authentication information is transmitted and stored encrypted to prevent interception and misuse.
ISO 27002
guidance is significant around this topic, as are specialist bodies like the
National Cyber Security Centre (NCSC). Additional tips include:
·
Log-on
procedures should be designed so that they cannot be easily circumvented and
that any authentication information is transmitted and stored encrypted to
prevent interception and misuse.
·
Log-on
procedures should also include a display stating that access is for authorised
users only. This is designed to support cybersecurity legislation such as the
·
Computer
Misuse Act 1990 (UK).
·
Both
a successful and unsuccessful log-on and log-off should be logged in a secure
manner to provide forensic evidential ability and alerts for unsuccessful
attempts and possible lock-outs should be considered.
·
Depending
on the nature of the system access should be restricted to certain times of day
or periods of time and potentially even be restricted according to location.
In practice, the business needs and information at risk should drive the log on and log off procedures. It is not worth having 25 steps to log on, then have rapid time outs etc if staff are then unable to do their job well and spend a disproportionate amount of time in this loop.
A.9.4.3
Password Management System
The purpose of a password management system is to ensure quality passwords meet the required level and are consistently applied.
Password generation and management systems provide a good way of centralising the provisioning of access and they serve to reduce the risk of people using the same login for everything, as illustrated in this little story of what happens when a customer contacts our team about a forgotten password!
As with any control mechanism, password generation and management systems need to be carefully implemented to ensure adequate and proportionate levels of protection.
Wherever
possible users should be able to choose their own passwords as this makes them
easier to remember than machine-generated ones, however, it needs to be up to a
certain level of strength.
There are lots of conflicting views on password management systems and password policies so we encourage organisations to look at the frequently changing best practices and adopt approaches based on the risk appetite and culture of the organisation.
As mentioned above, NCSC is a good place to review the latest practices or simply ask us to introduce you to one of our partners for help.
A.9.4.4
Use of Privileged Utility Programmes
Utility computer programmes that might be capable of overriding system and application controls need to be carefully managed.
Powerful system and network utility programs can create an attractive target for malicious attackers and access to them must be restricted to the smallest number of people. As such utility programmes can be easily located and downloaded from the internet it is also important that users are restricted in their ability to install any software as much as possible weighed against business requirements and risk assessment. Use of utility programmes should be logged and monitored/reviewed periodically to satisfy auditor requests.
A.9.4.5
Access Control to Program Source Code
Access to program source code must be restricted. Access to program source code and associated items (such as designs, specifications, verification plans and validation plans) should be strictly controlled.
Programme
source code can be vulnerable to attack if not adequately protected and can
provide an attacker with a good means to compromise systems in an often covert
manner. If the source code is central to the business success it’s loss can
also destroy the business value quickly too.
Controls
should include consideration for:-
·
As
few people as possible having access
·
Keeping
source code off operational systems (only compiled code)
·
Access
to source code being as restricted as possible (deny-by-default)
·
Access
to source code being logged and the logs periodically reviewed
·
Strong
and strict change control procedures
· Frequent audits and reviews
Reference:
Mr. Mathias Werner guideline. He is resident access
control expert.
https://www.isms.online/iso-27001/annex-a-9-access-control/
Mr. Ravi Sindhujan, he is Consultant of Information Security, Entrepreneur