A9 Access Control

Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:01
Lesson 11.5
00:04
A.9 Access Control
00:08
In this lesson, we will cover an understanding of control set A.9,
00:13
the controls that are contained within this clause
00:17
and the supporting documentation that could be used
00:21
in your ISMS audit as evidence to show that these controls are being performed.
00:32
Control set A.9 Access Control is made up of four different control areas.
00:39
The first one is A.9.1, business requirements.
00:43
This is made up of two controls.
00:46
These controls are A.9.1.1,
00:50
the access control policy
00:53
and A.9.1.2,
00:56
which is access to networks and network services,
01:00
which is basically a control that means users shall only be provided with access to the network and network services
01:08
that they have been specifically authorized to use.
01:19
The next control area is A.9.2, which is user access management,
01:26
and this is made up of six controls.
01:29
These controls are
01:30
A.9.2.1,
01:34
user registration and de-registration.
01:38
I think we're all familiar with this one, and that is just a formal user registration and de registration process
01:45
to enable the assignment of access rights.
01:49
It's basically your process that gives approval for users to gain specific access rights.
01:55
The next control is A.9.2.2,
02:00
user access provisioning,
02:02
which is a formal process
02:06
to assign or revoke access rights for all user types
02:10
for all systems and services.
02:15
A.9.2.3
02:19
is the management of privileged access rights,
02:23
and this control basically states
02:25
that the allocation and use of privileged access rights, such as your administrative accounts
02:31
as well as any default admin accounts
02:35
shall be restricted and controlled.
02:38
The next control is A.9.2.4,
02:43
the management of secret authentication information of users.
02:47
This basically pertains to controls to ensure that there is a process
02:53
to securely provide users with their passwords
02:57
and ensure that these passwords are changed after the first time use.
03:06
The next control is A.9.2.5,
03:09
which is the review of access rights,
03:13
which stipulates that user access rights must be reviewed on a periodic basis.
03:19
This frequency of review can be defined by your organization.
03:24
A.9.2.6 is the removal or adjustment of access rights.
03:31
This is the process to ensure that if the user leaves your organization
03:37
or goes to a different role within your organization,
03:40
that his access rights are adjusted or removed accordingly.
03:51
The next control area is A.9.3, which is user responsibilities.
03:57
There is only one control for this control area.
04:00
This pertains to the use of secret authentication information,
04:05
which basically means that users must follow the organization's practices in the use of secret authentication information.
04:15
A practical example of this is ensuring that users understand that they need to follow the secure password policy.
04:23
So when they create new passwords,
04:25
they understand that they need to
04:28
ensure that it's complex by including
04:31
capital letters, special characters and so forth.
04:36
The last control area
04:40
is A.9.4,
04:42
system and application access.
04:46
The first control here is A.9.4.1,
04:49
information access restriction,
04:53
which basically means that information
04:56
is restricted and can only be accessed by those with the appropriate authority and authorization to do so.
05:03
A.9.4.2
05:08
is the control secure login procedures,
05:12
and this just means that your systems shall enforce secure log-on procedures.
05:18
A.9.4.3
05:21
is a control pertaining to password management systems,
05:28
and this just means that if you implement and use a password management system
05:32
that this system shall be interactive
05:34
and will ensure quality passwords.
05:38
An example for this is
05:41
a password vault, like LastPass.
05:47
A.9.4.4
05:49
is the use of privileged utility programs.
05:54
This control is there to ensure that the use of utility programs that might be capable of overriding system and application controls
06:02
shall be restricted and tightly controlled.
06:05
This is to prevent any malicious software or malicious attackers that might gain access to your systems
06:13
that would use utility programs to elevate privileges
06:17
both vertically and horizontally throughout your systems.
06:25
A.9.4.5
06:28
is the access control
06:30
to program source code.
06:32
Naturally,
06:33
source code of any programs that you own
06:36
should be restricted to only authorized personnel.
06:43
So some of the documentation that you would have as a result of this control area can include one or more access control policies,
06:51
secure log-on and other guidance concerning controlled access to information,
06:58
guidelines on passwords, VPNs, firewalls and so forth,
07:04
working records from your user access department,
07:09
which includes your user access request forms and subsequent information of those access requests being fulfilled,
07:20
details of special arrangements to control privileged access accounts.
07:26
For example, if you have any root,
07:28
default, administrator or auditor accounts,
07:31
as well as the management of privileged functions and utilities,
07:43
any policies, procedures or notes that arise from your periodic or ad hoc user access reviews
07:50
evidence that you have reconciled and reauthorized access rights
07:56
and if any inappropriate access rights were identified, the auditor would want to see evidence that this was rectified
08:05
and that the appropriate approval, therefore, was obtained.
08:11
The auditor would also most likely want to see your policy and procedure concerning your strong passwords and how these are enforced on your systems.
08:22
Your procedures for restricting access to information and applications
08:26
in line with your classifications and handling rules that were set out
08:31
in control area A.8.2.
08:39
Any policies, standards or procedures concerning multi-factor authentication
08:46
or similar arrangements that could be used to strengthen your identification and authentication
08:52
access controls for high risk systems.
08:58
Lastly, any policies, procedures, guidelines and supporting evidence
09:03
which pertain to controlled access to program source code.
09:16
In this lesson, we covered the four control areas that make up control set A.9,
09:22
access control.
09:24
We went through the different controls
09:26
contained within this control set,
09:30
and we also looked at some documentation that can be used to support
09:33
these controls and the effectiveness thereof
09:37
when they are audited, either during your IT controls audits
09:41
or your ISMS certification and internal audits.
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.