A.9 Access control
In this lesson, we will cover an understanding of control set A.9, the controls that are contained within this set, and the supporting documentation that could be used in your ISMS audit as evidence to show that these controls are being performed.
Control set A.9, access control, is made up of four different control areas.
The first one is A.9.1, business requirements of access control. This is made up of two controls. These controls are A.9.1.1, the access control policy, and A.9.1.2, access to networks and network services, which is basically a control that means users shall only be provided with access to the network and network services that they have been specifically authorized to use.
The next control area is A.9.2, user access management, and this is made up of six controls. These controls are:
A.9.2.1, user registration and de-registration. I think we're all familiar with this one; it is just a formal user registration and de-registration process to enable the assignment of access rights. It's basically your process that gives approval for users to gain specific access rights.
The next control is A.9.2.2, user access provisioning, which is a formal process to assign or revoke access rights for all user types, for all systems and services.
A.9.2.3 is the management of privileged access rights, and this control basically states that the allocation and use of privileged access rights, such as your administrative accounts as well as any default admin accounts, shall be restricted and controlled.
The next control is A.9.2.4, the management of secret authentication information of users. This basically pertains to controls to ensure that there is a process to securely provide users with their passwords, and to ensure that these passwords are changed after first-time use.
The next control is A.9.2.5, the review of user access rights, which stipulates that user access rights must be reviewed on a periodic basis. The frequency of this review can be defined by your organization.
A.9.2.6 is the removal or adjustment of access rights. This is the process to ensure that if a user leaves your organization, or moves to a different role within your organization, their access rights are adjusted or removed accordingly.
The next control area is A.9.3, user responsibilities.
There is only one control for this control area. It pertains to the use of secret authentication information, which basically means that users must follow the organization's practices in the use of secret authentication information. A practical example of this is ensuring that users understand that they need to follow the secure password policy, so that when they create new passwords they understand that they need to ensure the password is complex by including capital letters, special characters and so forth.
The last control area is A.9.4, system and application access control.
The first control here is A.9.4.1, information access restriction, which basically means that information is restricted and can only be accessed by those with the appropriate authority and authorization to do so.
A.9.4.2 is the control for secure log-on procedures, and this just means that your systems shall enforce secure log-on procedures.
A.9.4.3 is a control pertaining to password management systems, and this just means that if you implement and use a password management system, that system shall be interactive and shall ensure quality passwords. An example of this is a password vault, such as LastPass.
A.9.4.4 is the use of privileged utility programs. This control is there to ensure that the use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. This is to prevent any malicious software or malicious attackers that might gain access to your systems from using utility programs to elevate privileges, both vertically and horizontally, throughout your systems.
A.9.4.5 is access control to program source code. The source code of any programs that you own should be restricted to authorized personnel only.
So some of the documentation that you would have as a result of this control area can include:
One or more access control policies, secure log-on and other guidance concerning controlled access to information, and guidelines on passwords, VPNs, firewalls and so forth.
Working records from your user access department, which include your user access request forms and subsequent information on those access requests being fulfilled.
Details of special arrangements to control privileged access accounts, for example if you have any root, default administrator or auditor accounts, as well as the management of privileged functions and utilities.
Any policies, procedures or notes that arise from your periodic or ad hoc user access reviews: evidence that you have reconciled and reauthorized access rights, and, if any inappropriate access rights were identified, the auditor would want to see evidence that this was rectified and that the appropriate approval was obtained.
The auditor would also most likely want to see your policy and procedure concerning strong passwords and how these are enforced on your systems.
Your procedures for restricting access to information and applications, in line with the classification and handling rules that were set out in control area A.8.2.
Any policies, standards or procedures concerning multi-factor authentication, or similar arrangements that could be used to strengthen your identification and authentication access controls for high-risk systems.
Lastly, any policies, procedures, guidelines and supporting evidence which pertain to controlled access to program source code.
In this lesson, we covered the four control areas that make up control set A.9. We went through the different controls contained within this control set, and we also looked at some documentation that can be used to support these controls and the effectiveness thereof when they are audited, either during your IT controls audits or your ISMS certification and internal audits.