Requirement:
The cybersecurity requirements for identity and access management must include at least the following:
Sub-Controls:
2-2-3-1:
Requirement:
Single-factor authentication based on username and password.
Control Implementation Guidelines:
- Define and document the requirements of this ECC control within the organization's cybersecurity requirements for identity and access management, and have them approved by the authorized representative
- Ensure every employee has a unique identifier, which may be derived from a job number, the employee's name, or another naming convention, provided the result is unique (names alone collide, so pair them with a number or suffix) and usernames are never shared or reused
- Prepare a password standard that reflects current best practice and covers at least the following
- Expiration Period
- Complexity
- Lockout
- Activation
- Password History
- A secure mechanism for creating the initial password and delivering it to the user (e.g., a random, time-limited activation password that must be changed at first logon)
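As an added example (not code from the page or from the NCA guidance), the following Python module shows how those standard controls become enforcement logic in an application that keeps its own credential store: salted PBKDF2 hashes so the history check never needs plaintext, a lockout counter that resets once the lockout has elapsed, an expiry check, and CSPRNG generation of the activation password that must be changed at first logon. The numeric values (12 characters, 90-day age, 10-entry history, 5 attempts, 30-minute lockout) are assumptions for the illustration, not figures from the control.

```python
from __future__ import annotations

import hashlib
import os
import secrets
import string
from datetime import datetime, timedelta

# Policy parameters: assumptions for the example, not figures from the control text.
MIN_LENGTH = 12
MAX_AGE = timedelta(days=90)              # expiration period
HISTORY_DEPTH = 10                        # previous passwords that may not be reused
LOCKOUT_THRESHOLD = 5                     # failed attempts before lockout
LOCKOUT_DURATION = timedelta(minutes=30)
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Only (salt, digest) is stored, for the history too."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def meets_complexity(password: str) -> bool:
    """Minimum length plus at least three of the four character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


def generate_activation_password(length: int = 16) -> str:
    """Secure creation of the initial password handed to the user (CSPRNG, policy-compliant)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_complexity(candidate):
            return candidate


class Account:
    def __init__(self, username: str, activation_password: str, now: datetime):
        self.username = username
        self.history: list[tuple[bytes, bytes]] = []   # (salt, digest) pairs, newest last
        self.failed_attempts = 0
        self.locked_until: datetime | None = None
        self.must_change = True                        # activation password is single-use
        self._store(activation_password, now)

    def _store(self, password: str, now: datetime) -> None:
        self.history.append(hash_password(password))
        self.history = self.history[-HISTORY_DEPTH:]   # keep only the last HISTORY_DEPTH entries
        self.password_set_at = now
        self.failed_attempts = 0
        self.locked_until = None

    def _matches(self, password: str, entry: tuple[bytes, bytes]) -> bool:
        salt, digest = entry
        return secrets.compare_digest(hash_password(password, salt)[1], digest)

    def change_password(self, old: str, new: str, now: datetime) -> str:
        if not self._matches(old, self.history[-1]):
            return "rejected: wrong current password"
        if not meets_complexity(new):
            return "rejected: complexity"
        if any(self._matches(new, entry) for entry in self.history):   # password history
            return "rejected: password reuse"
        self._store(new, now)
        self.must_change = False
        return "changed"

    def authenticate(self, password: str, now: datetime) -> str:
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"
            self.locked_until = None          # lockout elapsed: start counting afresh
            self.failed_attempts = 0
        if not self._matches(password, self.history[-1]):
            self.failed_attempts += 1
            if self.failed_attempts >= LOCKOUT_THRESHOLD:
                self.locked_until = now + LOCKOUT_DURATION
                return "locked"
            return "failed"
        self.failed_attempts = 0
        if self.must_change:
            return "must_change"              # activation password only lets the user set a real one
        if now - self.password_set_at > MAX_AGE:
            return "expired"
        return "ok"


def run_scenario() -> list[str]:
    """Walk one account through activation, change, reuse attempt, expiry and lockout."""
    t0 = datetime(2024, 1, 1, 8, 0)
    acct = Account("jsmith", "Init!Passw0rd#xyz", t0)
    day = timedelta(days=1)
    results = [
        acct.authenticate("Init!Passw0rd#xyz", t0),                                # must_change
        acct.change_password("Init!Passw0rd#xyz", "short", t0),                    # rejected: complexity
        acct.change_password("Init!Passw0rd#xyz", "Init!Passw0rd#xyz", t0),        # rejected: password reuse
        acct.change_password("Init!Passw0rd#xyz", "Correct-Horse-Battery-9", t0),  # changed
        acct.authenticate("Correct-Horse-Battery-9", t0 + 10 * day),               # ok
        acct.authenticate("Correct-Horse-Battery-9", t0 + 91 * day),               # expired
    ]
    for _ in range(LOCKOUT_THRESHOLD - 1):
        results.append(acct.authenticate("wrong-guess", t0))                       # failed (x4)
    results.append(acct.authenticate("wrong-guess", t0))                           # locked
    results.append(acct.authenticate("Correct-Horse-Battery-9", t0))               # still locked
    results.append(acct.authenticate("Correct-Horse-Battery-9", t0 + LOCKOUT_DURATION))  # ok again
    return results
```

The history check works only because every entry keeps its own salt: the candidate password is re-hashed with each stored salt and compared in constant time, so no plaintext or unsalted digest ever needs to be retained.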
Expected Deliverables:
- Cybersecurity policy that covers Identity and Access Management (e.g., electronic copy or official hard copy)
- Password management policy in the organization (e.g., electronic copy or official hard copy)
- Formal approval by the head of the organization or system owner or his/her deputy on such policies (e.g., via the organization's official e-mail, paper or electronic signature)
- Evidence that the identity and access management controls are implemented on all technical and information assets in the organization, including but not limited to the configuration of all technical information systems in line with the cybersecurity controls and requirements of identity and access management
2-2-3-2:
Requirement:
Multi-factor authentication for remote access, with the authentication factors, the number of factors and the technique chosen according to the impact assessment of authentication failure or bypass for remote access.
Control Implementation Guidelines:
- Define and document the requirements of this ECC control within the organization's cybersecurity requirements for identity and access management, and have them approved by the authorized representative
- Develop procedures for remote access with Multi-Factor Authentication
- Ensure that appropriate, current multi-factor authentication techniques are provided and integrated with the remote access technologies in use (e.g., VPN)
- Use at least two of the following authentication factors, taken from different categories, to apply multi-factor authentication
- Something you know, e.g., using the password
- Something you have, e.g., a one-time password from an authenticator application or, less robustly, via SMS (SMS codes can be intercepted or phished, so prefer an application or hardware token where the impact assessment calls for it)
- Something you are, e.g., using biometrics such as fingerprint or face recognition
Expected Deliverables:
- Cybersecurity policy that covers Identity and Access Management (e.g., electronic copy or official hard copy)
- Formal approval by the head of the organization or his/her deputy on the policy (e.g., via the organization's official e-mail, paper or electronic signature)
- Evidence that outlines the implementation of the multi-factor authentication requirements for remote access, including but not limited to a screenshot of the system configuration showing that remote access is not granted until the additional factor has been verified
2-2-3-3:
Requirement:
User authorization based on identity and access control principles: Need-to-Know and Need-to-Use, Least Privilege and Segregation of Duties.
Control Implementation Guidelines:
- Define and document the requirements of this ECC control within the organization's cybersecurity requirements for identity and access management, and have them approved by the authorized representative
- Define basic authorizations for all organization's employees, such as the authority to use email, internal portal, and human resources system
- Manage user authorization to all information and technology assets in the organization via an automated centralized access control system such as Active Directory
- Develop and adopt specific procedures for granting access rights to employees in the organization; each access request must record at least
- Applicant information (identity)
- Details of the requested access (what it allows and which assets it covers)
- Description of the business requirement for the access
- Duration for which the access is required
- Approvals required (e.g., Line Manager approval)
Expected Deliverables:
- Cybersecurity policy that covers Identity and Access Management (e.g., electronic copy or official hard copy)
- Evidence that outlines the implementation of the user authorization management requirements, including but not limited to a screenshot of the system configuration showing that user authorization is managed on a need-to-know and need-to-use basis, with least privilege and segregation of duties
2-2-3-4:
Requirement:
Privileged access management.
Control Implementation Guidelines:
- Define and document the requirements of this ECC control within the organization's cybersecurity requirements for identity and access management, and have them approved by the authorized representative
- Define privileged access at the level of infrastructure, networks, and applications in the organization
- Identify Personnel with Privileged Access
- Develop the organization's privileged access management procedures, covering at least the following
- Privileged accounts must not be used for normal daily tasks, and a normal user account must be used for this purpose
- Privileged accounts must not be used for internet access
- Privileged accounts must not be used for email access
- Privileged accounts must not be used for remote access
- Default and vendor-supplied accounts must be disabled or deleted, and their default passwords changed where an account cannot be removed
- Endpoint protection must be installed and kept up to date on every workstation used to access privileged accounts
- Hardened builds of the operating systems used in the organization must be prepared in a secure manner, with protection software installed and unused services disabled
- These hardened builds must be used to configure desktops and servers
- Select current technologies and mechanisms for privileged access management (such as a dedicated PAM platform)
- Grant privileged access based on functional duties after obtaining the necessary approvals, taking into consideration the principle of segregation of duties
- Continuously monitor cybersecurity event logs for privileged accounts
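Continuous monitoring of privileged-account events needs concrete rules. The following Python script is an added example, not from the page: it applies the usage restrictions in this sub-control to a constructed, normalised log extract (Windows 4624 logons, proxy requests, mail logins) and emits one finding per violation. The account and workstation names, the key=value log format and the event names for proxy and mail are assumptions for the illustration; Windows event ID 4624 and its logon type codes are real.

```python
from __future__ import annotations

import re

# Inventory inputs (assumed for the example): the privileged-account list produced under
# "Identify personnel with privileged access", the hardened admin workstations, and the
# default accounts that should be disabled and therefore never seen logging on.
PRIVILEGED_ACCOUNTS = {"adm-jsmith", "adm-rnasser"}
ADMIN_WORKSTATIONS = {"PAW01", "PAW02"}
DEFAULT_ACCOUNTS = {"administrator", "guest"}

# Windows Security event 4624 (successful logon) logon types:
# 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
INTERACTIVE_LOGON_TYPES = {"2", "10", "11"}
REMOTE_LOGON_TYPES = {"10"}

# Constructed sample: one key=value line per event, as a log pipeline might normalise
# Windows logons, proxy requests and mail logins. Not real data.
SAMPLE_LOG = """\
2024-03-01T08:01:12Z host=DC01 event=4624 user=adm-jsmith logon_type=2 src=PAW01
2024-03-01T08:05:40Z host=DC01 event=4624 user=adm-jsmith logon_type=10 src=HOME-LAPTOP
2024-03-01T08:06:02Z host=PROXY01 event=http user=adm-jsmith dst=news.example.com
2024-03-01T08:07:30Z host=MAIL01 event=smtp_login user=adm-rnasser src=10.0.5.7
2024-03-01T09:00:00Z host=FS01 event=4624 user=Administrator logon_type=3 src=10.0.0.5
2024-03-01T09:10:00Z host=WS22 event=4624 user=jsmith logon_type=2 src=WS22
2024-03-01T09:12:00Z host=WS22 event=4624 user=adm-jsmith logon_type=2 src=WS22
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict:
    """Split the leading timestamp and the key=value fields of one log line."""
    timestamp, rest = line.split(" ", 1)
    event = dict(KV.findall(rest))
    event["ts"] = timestamp
    return event


def evaluate(ev: dict) -> list[str]:
    """Apply the privileged-account usage rules to one event; returns zero or more findings."""
    user = ev.get("user", "")
    privileged = user in PRIVILEGED_ACCOUNTS
    findings = []
    if ev.get("event") == "4624":
        if user.lower() in DEFAULT_ACCOUNTS:
            findings.append("default account used (should be disabled or deleted)")
        if privileged and ev.get("logon_type") in REMOTE_LOGON_TYPES:
            findings.append("privileged account used for remote access")
        if (privileged and ev.get("logon_type") in INTERACTIVE_LOGON_TYPES
                and ev.get("src") not in ADMIN_WORKSTATIONS):
            findings.append("privileged logon not from a hardened admin workstation")
    elif ev.get("event") == "http" and privileged:
        findings.append("privileged account used for internet access")
    elif ev.get("event") in {"smtp_login", "imap_login", "owa_login"} and privileged:
        findings.append("privileged account used for email")
    return findings


def review_log(log_text: str) -> list[tuple[str, str, str]]:
    """Run every line through the rules; returns (timestamp, user, finding) for the SOC queue."""
    results = []
    for line in log_text.strip().splitlines():
        ev = parse(line)
        for finding in evaluate(ev):
            results.append((ev["ts"], ev.get("user", ""), finding))
    return results


if __name__ == "__main__":
    for ts, user, finding in review_log(SAMPLE_LOG):
        print(f"{ts} {user:<14} {finding}")
```

Network logons (type 3) by privileged accounts are deliberately not flagged, since administering servers over the network is what these accounts are for; the rules target interactive use from the wrong place, remote access, browsing and mail, which are the behaviours the procedure above forbids.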
Expected Deliverables:
- Privileged Access Management Policy in the organization (e.g., electronic copy or official hard copy)
- Formal approval by the head of the organization or his/her deputy on the policy (e.g., via the organization's official e-mail, paper or electronic signature)
- Evidence that outlines the implementation of the privileged access management requirements, including but not limited to a screenshot of the system configuration showing that privileged access is granted only to the identified administrators
Requirement:
Periodic review of users' identities and access rights.
Control Implementation Guidelines:
- Define and document the requirements of this ECC control within the organization's cybersecurity requirements for identity and access management, and have them approved by the authorized representative
- Define privileged access at the level of infrastructure, networks, and applications in the organization
- Identify Personnel with Privileged Access
- Develop a plan for the periodic review of identities and access rights covering the following levels
- Across all applications in the organization
- Network level
- Infrastructure and servers level
- Workstations level
- Review access rights in collaboration with the IT department and application owners, and revoke access in cases including but not limited to the following
- Access has not been used for a long period of time (e.g., over 3 months)
- Access causes conflict of interest
- The employee's need for the access has not been confirmed by the employee's manager
- Expiry of the access period
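The revocation cases above, together with the segregation-of-duties principle of 2-2-3-3, can be applied mechanically to an entitlement export before reviewers and application owners sign off. The following Python is an added example, not from the page: it takes a constructed export, flags access unused for more than 90 days (never-used access is measured from its grant date), expired access periods, access the line manager has not re-confirmed, and users holding conflicting roles, and returns one revocation candidate per reason. User, system and role names and the conflict pairs are assumptions for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVITY_LIMIT = timedelta(days=90)     # "not used for a long period" taken as 3 months

# Role pairs one person must not hold together (assumed examples of conflict of interest)
SOD_CONFLICTS = [
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"develop_code", "deploy_production"}),
]


@dataclass
class Entitlement:
    user: str
    system: str
    role: str
    granted_on: date
    expires_on: Optional[date]        # None = open-ended
    last_used: Optional[date]         # None = never used since grant
    manager_confirmed: bool           # line manager re-confirmed the need in this review cycle


# Constructed sample export, as an IAM tool or application owner might supply it. Not real data.
SAMPLE_EXPORT = [
    Entitlement("hali", "ERP", "create_vendor", date(2023, 1, 10), None, date(2024, 2, 20), True),
    Entitlement("hali", "ERP", "approve_payment", date(2023, 6, 1), None, date(2024, 2, 25), True),
    Entitlement("mfahad", "HRMS", "hr_admin", date(2022, 9, 1), None, date(2023, 10, 3), True),
    Entitlement("mfahad", "Mail", "mailbox", date(2022, 9, 1), None, date(2024, 2, 28), True),
    Entitlement("contractor1", "VPN", "remote_user", date(2023, 11, 1), date(2024, 1, 31), date(2024, 2, 27), True),
    Entitlement("sara", "CRM", "sales_rep", date(2024, 1, 5), None, date(2024, 2, 26), False),
    Entitlement("sara", "Mail", "mailbox", date(2024, 1, 5), None, None, True),
]


def review(entitlements: list[Entitlement], as_of: date) -> list[tuple[str, str, str, str]]:
    """Return (user, system, role, reason) for every entitlement that should be revoked."""
    roles_by_user: dict[str, set[str]] = {}
    for e in entitlements:
        roles_by_user.setdefault(e.user, set()).add(e.role)

    revocations = []
    for e in entitlements:
        reasons = []
        last_activity = e.last_used or e.granted_on        # never used: count from the grant date
        if as_of - last_activity > INACTIVITY_LIMIT:
            reasons.append("not used for more than 90 days")
        if e.expires_on is not None and as_of > e.expires_on:
            reasons.append("access period expired")
        if not e.manager_confirmed:
            reasons.append("need not confirmed by line manager")
        for pair in SOD_CONFLICTS:
            if e.role in pair and pair <= roles_by_user[e.user]:   # user holds both roles of the pair
                other = next(iter(pair - {e.role}))
                reasons.append(f"segregation of duties conflict with role '{other}'")
        revocations.extend((e.user, e.system, e.role, r) for r in reasons)
    return revocations


def run_sample_review() -> list[tuple[str, str, str, str]]:
    """Run the review on the constructed export as of 1 March 2024."""
    return review(SAMPLE_EXPORT, as_of=date(2024, 3, 1))


if __name__ == "__main__":
    for user, system, role, reason in run_sample_review():
        print(f"REVOKE {user}/{system}/{role}: {reason}")
```

Both halves of a segregation-of-duties conflict are reported, because the script cannot know which role the business wants to keep; that decision, and the revocation itself, stay with the reviewer and the application owner, and the returned list is the record to attach to the review evidence.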
Expected Deliverables:
- Privileged Access Management Policy in the organization (e.g., electronic copy or official hard copy)
- Formal approval by the head of the organization or his/her deputy on the policy (e.g., via the organization's official e-mail, paper or electronic signature)
- Evidence that outlines the implementation of the periodic review requirements for identities and access rights, e.g., an official and approved document recording the periodic review of identities and access rights and the actions taken