Identification & Authentication Controls

Purpose

Bramble has implemented the concept of “least privilege” by limiting access to the organization’s systems and data to authorized users only.

Scope

This control applies to any system or service where user accounts can be provisioned.

Ownership

The owner of this control is IT Operations and People Operations.

Controls

Each control below is listed with its control statement, its goal, and the Test of Design (TOD) and Test of Operating Effectiveness (TOE) procedures used to assess it.

IAC-01 Identity & Access Management (IAM)

Control Statement: Bramble Group Corp. has implemented mechanisms to facilitate the identification and access management security controls.
Goal: Does the organization facilitate the implementation of identification and access management controls?
TOD:
1. Identify policies, procedures, the information security program or other relevant documents that identify and outline access management and access control.
2. Interview key organizational personnel within Bramble to discuss high-level workflows that support the identification and management of access and access control.
3. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.
TOE:
1. Examine policies, procedures, the information security program or other relevant documents for evidence that the procedures facilitate implementation of access management over security software, infrastructure and architectures, and that they relate to the access management security controls.

IAC-02 Identification & Authentication for Organizational Users

Control Statement: Bramble Group Corp. has implemented mechanisms to uniquely identify and authenticate organizational users and processes acting on behalf of organizational users.
Goal: Does the organization uniquely identify and authenticate organizational users and processes acting on behalf of organizational users?
TOD:
1. Identify policies, procedures, the information security program or other relevant documents that identify and outline unique identifier requirements and logical and physical access requirements for systems that authenticate organizational users, including but not limited to the following account types: individual, shared, group, temporary and system.
TOE:
1. Pull a population of all system user accounts for evidence that unique identifiers and access rights are being applied according to the documentation identified in the TOD.

IAC-03 Identification & Authentication for Non-Organizational Users

Control Statement: Bramble Group Corp. has implemented mechanisms to uniquely identify and authenticate third-party users and processes that provide services to the organization.
Goal: Does the organization uniquely identify and authenticate third-party users and processes that provide services to the organization?
TOD:
1. Identify policies, procedures, the information security program or other relevant documents that identify and outline third-party user identification, authentication and logical and physical access requirements for systems that provide services to the organization, including but not limited to the following account types: individual, shared, group, temporary and system.
TOE:
1. Pull a population of all third-party user accounts for evidence that unique identifiers and access rights are being applied according to the documentation identified in the TOD.

IAC-04 Identification & Authentication for Devices

Control Statement: Bramble Group Corp. has implemented mechanisms to uniquely identify and authenticate devices before establishing a connection, using bidirectional authentication that is cryptographically based and replay resistant.
Goal: Does the organization uniquely identify and authenticate devices before establishing a connection?
TOD:
1. Examine policies, procedures, the information security program or other relevant documents that identify and outline identification and authentication procedures addressing the enforcement of bidirectional authentication that is cryptographically based and replay resistant.
2. Interview key organizational personnel within Bramble to discuss high-level workflows that support the facilitation of identification and authentication procedures as they relate to cryptography and/or encryption.
TOE:
1. Pull a population of all devices that authenticate to the system.
2. Examine current configuration settings for devices that identify and authenticate to the system, evidencing that the automated mechanisms identified are configured as outlined in the TOD.
3. Examine a sample set of devices, their automated mechanisms and configuration settings for evidence that these mechanisms are operating as intended.

IAC-05 Identification & Authentication for Third Party Systems & Services

Control Statement: Bramble Group Corp. has implemented mechanisms to identify and authenticate third-party systems and services.
Goal: Does the organization identify and authenticate third-party systems and services?
TOD:
1. Examine policies, procedures, the information security program or other relevant documents that identify and outline identification and authentication procedures for third-party systems and services.
2. Interview key organizational personnel within Bramble to discuss high-level workflows that support the facilitation of identification and authentication procedures as they relate to third-party systems and services.
TOE:
1. Pull a population of all third-party systems and services that authenticate to the system.
2. Examine current configuration settings for devices that identify and authenticate to the system, evidencing that the automated mechanisms identified are configured as outlined in the TOD.
3. Examine a sample set of devices, their automated mechanisms and configuration settings for evidence that these mechanisms are operating as intended.

IAC-06 Multi-Factor Authentication (MFA)

Control Statement: Bramble Group Corp. has implemented automated mechanisms to enforce Multi-Factor Authentication (MFA) for:
  • remote network access; and/or
  • non-console access to critical systems or systems that store, transmit and/or process sensitive data.
Goal: Does the organization require Multi-Factor Authentication (MFA) for remote network access?
TOD:
1. Examine policies, procedures, the information security program or other relevant documents that identify and outline Multi-Factor Authentication (MFA) for remote network access and/or non-console access to critical systems that store, transmit and/or process sensitive data.
2. Interview key organizational personnel within Bramble to discuss high-level workflows that support the facilitation of MFA for remote network access and/or non-console access to critical systems that store, transmit and/or process sensitive data.
TOE:
1. Pull a population of all devices that connect to the system for remote network access and/or non-console access, if the system stores, transmits and/or processes sensitive data.
2. Examine current configuration settings for devices that identify and authenticate to the system, evidencing that the automated mechanisms for MFA are configured as outlined in the TOD.
3. Examine a sample set of devices, their automated mechanisms and MFA configuration settings for evidence that these mechanisms are operating as intended.

IAC-07 User Provisioning & De-Provisioning

Control Statement: Bramble Group Corp. has implemented mechanisms to utilize a formal user registration and de-registration process that governs the assignment of access rights.
Goal: Does the organization utilize a formal user registration and de-registration process that governs the assignment of access rights?
TOD (Provisioning):
1. Inquire of appropriate personnel to determine the process for provisioning access to the system.
2. Inspect a sample provisioning request or the provisioning policy to determine the process for provisioning access to the system.
TOE:
1. Obtain and inspect a listing of all system accounts and associated roles created during the period.
2. Obtain and inspect a listing of all newly hired employees during the period (Note 1).
3. Select an annualized sample based on the population of newly provisioned accounts/roles to the system to determine if they were provisioned appropriately. (NOTE: If the system does not contain a field such as “created date”, a population of provisioned accounts can be determined by comparing a user listing from prior to the period start with the current listing, OR by comparing the current user listing to the list of newly hired team members.)
4. For the selected sample, obtain and inspect evidence (i.e. Bramble issues) that all of the account access granted was the account access requested.
5. For the selected sample, obtain and inspect evidence (i.e. Bramble issues) that all of the account access granted was approved by the appropriate personnel.
6. For the selected sample, obtain and inspect evidence (i.e. Bramble issues) that the account access granted was approved prior to being provisioned.

IAC-07.1 Change of Roles & Duties

Control Statement: Bramble Group Corp. has implemented mechanisms to revoke user access rights following changes in personnel roles and duties, if no longer necessary or permitted.
Goal: Does the organization revoke user access rights following changes in personnel roles and duties, if no longer necessary or permitted?
TOD:
1. Examine policies, procedures, the information security program or other relevant documents that identify and outline the revocation of user access rights following a change in personnel roles and duties, if no longer necessary or permitted.
2. Interview key organizational personnel within Bramble to discuss high-level workflows that support the facilitation of user access right revocation following a change in personnel roles and duties, if no longer necessary or permitted.
TOE:
1. Pull a population of all users that changed roles or duties within the examination period.
2. Examine user access after the role or duty change for evidence that access rights were configured as outlined in the TOD.
3. Examine a sample set of users' access before and after a role or duty change for evidence that access rights were configured or removed as outlined in the TOD.

IAC-08 Role-Based Access Control (RBAC)

Control Statement: Bramble Group Corp. has implemented mechanisms to enforce a Role-Based Access Control (RBAC) policy over users and resources that applies need-to-know and fine-grained access control for sensitive data access.
Goal: Does the organization enforce a Role-Based Access Control (RBAC) policy over users and resources?
TOD:
1. Examine policies, procedures, the information security program or other relevant documents that identify and outline the Role-Based Access Control (RBAC) process as it applies to resources and users with access to sensitive data.
2. Interview key organizational personnel within Bramble to discuss high-level workflows that support the facilitation of the RBAC process.
TOE:
1. Pull a population of all users with access to the sensitive data within the system.
2. Examine user access for evidence that RBAC was configured as outlined in the TOD.
3. Examine a sample set of users for evidence that RBAC access rights were configured as outlined in the TOD.

IAC-09 Identifier Management (User Names)

Control Statement: Bramble Group Corp. has implemented mechanisms to govern naming standards for usernames and systems to ensure proper user identification management for non-consumer users and administrators.
Goal: Does the organization govern naming standards for usernames and systems?
TOD:
1. Examine policies, procedures, the information security program or other relevant documents that identify and outline the naming standards for usernames and systems to ensure proper user identification management for non-consumer users and administrators, including but not limited to the following account types: individual, shared, group, temporary and system.
2. Interview key organizational personnel within Bramble to discuss high-level workflows that support the facilitation of naming standards for usernames and systems to ensure proper user identification management for non-consumer users and administrators.
TOE:
1. Pull a population of all system users for evidence that naming standards for usernames and systems were configured per the TOD.

IAC-10 Authenticator Management (Passwords)

Control Statement: Bramble Group Corp. has implemented mechanisms to securely manage passwords for users and devices, ensuring vendor-supplied defaults are changed as part of the installation process.
Goal: Does the organization securely manage passwords for users and devices?
TOD:
1. Inquire of appropriate personnel to determine the process for authentication to the system and the parameters in place.
2. Inspect the password policy and system configuration to determine if the system is configured in accordance with the password policy.
TOE:
1. Obtain and inspect the system configuration and password policy to determine if the system is configured in accordance with the password policy. In case of differences, obtain the documented exemption to the policy.
2. Validate that default passwords for system accounts have been changed in line with the password policy.

IAC-15 Account Management

Control Statement: Bramble Group Corp. has implemented mechanisms to proactively govern account management of individual, group, system, application, guest and temporary accounts.
Goal: Does the organization proactively govern account management of individual, group, system, application, guest and temporary accounts?
TOD:
1. Examine policies, procedures, the information security program or other relevant documents that identify and outline measures to be employed to proactively govern account management of individual, group, system, application, guest and temporary accounts, including but not limited to:
  • identifying account type;
  • establishing conditions for group membership;
  • identifying authorized users and specified access privileges;
  • requiring approvals;
  • establishing processes for activating, monitoring, disabling and removing accounts;
  • authorizing and monitoring guest/temporary accounts;
  • notifying managers when temporary accounts are no longer required;
  • deactivating temporary accounts;
  • granting access to the system based on valid access authorization, intended system usage, and other attributes as required by Bramble.
2. Interview key organizational personnel within Bramble to discuss high-level workflows that support the facilitation of account management governance for individual, group, system, application, guest and temporary accounts.
TOE:
1. Examine account management records or other relevant records for evidence of the governance of account management as outlined in the TOD.
2. Pull a population of all users with access to the system.
3. Examine user access for evidence that access was proactively governed as outlined in the TOD.
4. Examine a sample set of users for evidence that access was proactively governed as outlined in the TOD.

IAC-16 Privileged Account Management (PAM)

Control Statement: Bramble Group Corp. has implemented mechanisms to restrict and control privileged access rights for users and services.
Goal: Does the organization restrict and control privileged access rights for users and services?
TOD:
1. Inquire of appropriate personnel to determine what access is considered administrative in nature and who should be granted administrative access to the system.
2. Inspect the user/role/privilege listing, user guide or other evidence to determine which roles grant the user administrative access to the system.
TOE:
1. Obtain and inspect a listing of all accounts (user/system/service) for the system and their associated roles/privileges. Filter the listing for those roles/privileges with administrative access.
2. Obtain and inspect a listing of all current team members and their associated job titles/roles.
3. Obtain and inspect a listing of all newly hired team members during the period under audit.
4. Obtain and inspect a listing of all terminated team members.
5. For 100% of the administrative accounts, determine the owner and their role/job title/account purpose for having the administrative access.
6. For 100% of the accounts with administrator privileges, determine if the account is owned by a terminated user.
7. For 100% of the accounts with administrator privileges, determine if the account is owned by a user who was provisioned the access during the period under audit. If so, obtain evidence that the user was approved for the access prior to the access being granted.
8. For all administrative accounts, determine whether the administrative access is appropriate.

IAC-17 Periodic Review

Control Statement: Bramble Group Corp. has implemented mechanisms to periodically review the privileges assigned to users to validate the need for such privileges, and to reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.
Goal: Does the organization periodically review the privileges assigned to users to validate the need for such privileges, and reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs?
TOD:
1. Inquire of appropriate personnel to determine the process for reviewing user access to the system.
2. Inspect a sample user access review, the policy, etc., to determine the process for reviewing user access to the system.
TOE:
1. Obtain and inspect the completed user access review and supporting documentation.
2. Validate that the system user listing used in the review was validated for completeness and accuracy and that all relevant users were present for review.
3. Validate that all other system listings used in the review were validated for completeness and accuracy.
4. Validate that 100% of users were reviewed for appropriateness.
5. Validate that 100% of users were reviewed by appropriate personnel and that sign-off was captured (Note 1).
6. Validate that no users reviewed their own access.
7. Validate that no terminated users were identified during the review (Note 2).
8. For all users where access was requested to be modified/removed, validate that a rationale was provided and a lookback was completed as appropriate (Note 4) (Note 5).
9. Validate that requests for access modification were modified as requested (Note 3) (Note 5).
10. For all users where access was not flagged for modification, validate that a rationale was provided (Note 6).
11. Select a sample of users whose access was deemed appropriate and validate that their access appears appropriate (Note 7).

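The reconciliation steps of IAC-16 (steps 5 to 7) and IAC-17 (steps 2 and 4 to 7, 8 and 10) are mechanical comparisons across the account export, the HR listings and the signed-off review, so they can be scripted. The following is an added example, not Bramble's own tooling; the record fields, the role names treated as administrative and all sample data are assumptions.

```python
"""Added example (not Bramble's own tooling): the reconciliation checks behind IAC-16
steps 5-7 and IAC-17 steps 2, 4-7 over constructed listings; fields, role names and data are assumptions."""
from dataclasses import dataclass

@dataclass
class Account:
    username: str
    owner: str                 # team member responsible for the account
    roles: tuple
    created_in_period: bool = False
    approved_before_grant: bool = False

@dataclass
class Review:
    username: str
    reviewer: str
    rationale: str = ""

ADMIN_ROLES = {"admin", "owner"}  # assumed names of the administrative roles

def audit(accounts, team, terminated, reviews):
    """Return {finding: [usernames]}; all lists empty means the review passes."""
    f = {k: [] for k in ("admin_owned_by_terminated", "admin_granted_without_prior_approval",
                         "owner_not_in_hr_listing", "not_reviewed", "self_reviewed",
                         "terminated_in_review", "missing_rationale")}
    by_user = {r.username: r for r in reviews}
    for a in accounts:
        is_admin = bool(set(a.roles) & ADMIN_ROLES)
        if is_admin and a.owner in terminated:                  # IAC-16 step 6
            f["admin_owned_by_terminated"].append(a.username)
        if is_admin and a.created_in_period and not a.approved_before_grant:  # IAC-16 step 7
            f["admin_granted_without_prior_approval"].append(a.username)
        if a.owner not in team and a.owner not in terminated:   # IAC-17 step 2: listing reconciliation
            f["owner_not_in_hr_listing"].append(a.username)
        r = by_user.get(a.username)
        if r is None:                                           # IAC-17 step 4: 100% reviewed
            f["not_reviewed"].append(a.username)
            continue
        if r.reviewer == a.owner:                               # IAC-17 step 6: no self-review
            f["self_reviewed"].append(a.username)
        if a.owner in terminated:                               # IAC-17 step 7
            f["terminated_in_review"].append(a.username)
        if not r.rationale.strip():                             # IAC-17 steps 8 and 10
            f["missing_rationale"].append(a.username)
    return f

def run_sample():
    """Constructed listings: HR data, the system's account export and the signed-off review."""
    team, terminated = {"alice", "bob", "carol"}, {"dave"}
    accounts = [
        Account("alice", "alice", ("admin",), created_in_period=True, approved_before_grant=True),
        Account("bob", "bob", ("developer",)),
        Account("svc-backup", "dave", ("admin",)),             # service account owned by a leaver
        Account("carol", "carol", ("admin",), created_in_period=True),  # granted without prior approval
        Account("eve", "eve", ("developer",)),                  # not in HR data and never reviewed
    ]
    reviews = [
        Review("alice", "alice", "platform lead"),              # reviewer is the account owner
        Review("bob", "carol"),                                  # rationale missing
        Review("svc-backup", "carol", "nightly backup job"),
        Review("carol", "alice", "on-call administrator"),
    ]
    return audit(accounts, team, terminated, reviews)
```

Each non-empty finding list is an exception to raise with the control owner; the service account owned by a leaver shows why step 7 of IAC-17 must run against the account export and not only against human user names.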
IAC-20 Access Enforcement

Control Statement: Bramble Group Corp. has implemented mechanisms to enforce logical access permissions through the principle of “least privilege”.
Goal: Does the organization enforce logical access permissions through the principle of “least privilege”?
TOD:
1. Examine policies, procedures, the information security program or other relevant documents that identify and outline logical access permission enforcement through the principle of “least privilege”.
2. Interview key organizational personnel within Bramble to discuss high-level workflows that support the enforcement of logical access permissions.
TOE:
1. Pull a population of all users with access to the system.
2. Examine user access for evidence that access was configured, granted and enforced through the principle of “least privilege” as outlined in the TOD.
3. Examine a sample set of users for evidence that access was configured, granted and enforced through the principle of “least privilege” as outlined in the TOD.

IAC-21 Least Privilege

Control Statement: Bramble Group Corp. has implemented mechanisms to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.
Goal: Does the organization utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions?
TOD:
1. Examine policies, procedures, the information security program or other relevant documents that identify and outline how the concept of least privilege is applied to allow only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.
2. Interview key organizational personnel within Bramble to discuss high-level workflows that support how the concept of least privilege is applied to allow only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.
TOE:
1. Pull a population of all users with access to the system.
2. Examine user access for evidence that access was configured, granted and enforced through the concept of “least privilege” as outlined in the TOD.
3. Examine a sample set of users for evidence that access was configured, granted and enforced through the concept of “least privilege” as outlined in the TOD.

IAC-22 Account Lockout

Control Statement: Bramble Group Corp. has implemented mechanisms to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and to automatically lock the account when the maximum number of unsuccessful attempts is exceeded.
Goal: Does the organization enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically lock the account when the maximum number of unsuccessful attempts is exceeded?
TOD:
1. Examine policies, procedures, the information security program or other relevant documents that identify and address account lockout mechanisms, including but not limited to:
  • a limit on consecutive login attempts by a user during an organization-defined time period;
  • automatic locking of the account when the maximum number of unsuccessful attempts is exceeded.
2. Examine documents describing current configuration settings of the automated mechanisms identified for evidence that these mechanisms are configured as defined.
TOE:
1. Examine current configuration settings in the system of the automated mechanisms identified for evidence that these mechanisms are configured as defined.
2. Test the configuration for evidence that the automated mechanisms are operating as intended.

  • Test of Design (TOD): verifies that a control is designed appropriately and that it will prevent or detect a particular risk.
  • Test of Operating Effectiveness (TOE): used to verify that the control is in place and operates as it was designed.
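IAC-22 describes the lockout mechanism in terms of a limit, a time window and an automatic lock, and its TOE step 2 asks for a test that the mechanism behaves that way. The following is an added example, not Bramble's code or policy values: a reference implementation of exactly those three parameters, followed by the scripted walk-through an auditor would run against it (the numbers are assumed test values, and the three edge cases covered are a correct password entered while locked, expiry of the lock, and failures that age out of the window).

```python
"""Added example (not Bramble's own code): a reference implementation of the
IAC-22 lockout mechanism plus the TOE-style walk-through an auditor would run
against it. Parameter values are assumptions, not Bramble's policy values."""
from collections import defaultdict, deque

class AccountLockout:
    """Lock an account once consecutive failures inside `window_s` seconds exceed `limit`."""

    def __init__(self, limit=5, window_s=900, lock_s=1800):
        self.limit, self.window_s, self.lock_s = limit, window_s, lock_s
        self._failures = defaultdict(deque)   # user -> timestamps of recent consecutive failures
        self._locked_until = {}               # user -> time at which the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                      # lock has expired: clear it and the failure history
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def attempt(self, user, password_ok, now):
        """Process one login attempt and return 'ok', 'failed' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"                   # rejected before the credential is even evaluated
        if password_ok:
            self._failures[user].clear()      # a success ends the consecutive-failure run
            return "ok"
        q = self._failures[user]
        q.append(now)
        while q and now - q[0] > self.window_s:   # failures older than the window no longer count
            q.popleft()
        if len(q) > self.limit:               # limit exceeded: lock automatically
            self._locked_until[user] = now + self.lock_s
            q.clear()
            return "locked"
        return "failed"

def walkthrough():
    """TOE-style test: drive the control with a scripted sequence and return the outcomes."""
    p = AccountLockout(limit=3, window_s=60, lock_s=120)   # assumed test values
    outcomes = [p.attempt("alice", False, t) for t in (0, 10, 20)]  # at the limit, not over it
    outcomes.append(p.attempt("alice", False, 30))   # fourth failure within 60 s exceeds the limit
    outcomes.append(p.attempt("alice", True, 40))    # correct password is still refused while locked
    outcomes.append(p.attempt("alice", True, 151))   # lock expired after 120 s, login succeeds
    outcomes.append(p.attempt("bob", False, 0))
    outcomes.append(p.attempt("bob", False, 100))    # the earlier failure aged out of the window
    return outcomes
```

Running the same sequence against the production configuration (with the policy's real limit, window and lock duration) and comparing the outcomes is the evidence TOE step 2 asks for.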

Policy Reference