ISO-27001-Annex-A.9.2.3 Management-of-Privileged-Access-Rights

ISO 27001 Annex : A.9.2.3 Management of Privileged Access Rights & A.9.2.4 Management of Secret Authentication Information of Users

ISO 27001 Annex : A.9.2.3 Management of Privileged Access Rights & A.9.2.4 Management of Secret Authentication Information of Users these two topic is explained in this article.

A.9.2.3 Management of Privileged Access Rights

Control- A.9.2.3 Management of Privileged Access Rights The allocation and usage of exclusive access privileges will be limited and controlled.

Implementation guidance- A structured authorizing procedure in accordance with the appropriate access management policies should monitor the allocation and usage of delegated access privileges.

Following steps should be taken into consideration:

  1. The privileges of access associated with each system or process, e.g. The operating system, the database management system and each application and the users to whom they need to be assigned should be identified;
  2. Preferential access privileges would be assigned to users on a need-to-use basis and on an event-to-event basis in accordance with the Access Management Policy, i.e. based on the necessary criteria for their functional roles.
  3. The authorization and the record of all assigned privileges should be maintained. Privileged access should not be issued until the authorization process has been completed;
  4. The conditions for the expiry of the privilege of access rights should be defined;
  5. The privilege of access rights should be assigned to a user ID different from those used for normal business activities. Regular business activities should not be carried out with a privileged ID;
  6. The competences of users with privileged access rights should be reviewed on a regular basis in order to verify that they comply with their duties;
  7. Specific procedures should be defined and maintained in order to prevent unauthorized use of generic user IDs according to system configuration capabilities,
  8. In the case of generic user IDs, the confidentiality of secret authentication information should be maintained when shared (e.g. changing passwords frequently and as soon as possible when a privileged user leaves or changes jobs, communicating them to privileged users with appropriate mechanisms).

Treat your password like your toothbrush, Don’t let anybody else use it and get a new one after every six months. -Clifford Stoll

Other Information- A significant contributor to failures and breaches of systems is the improper use of system administrator privileges (any information system function or facility that enables the user to bypass system or application control).

Related Product : ISO 27001 Lead Auditor Training And Certification ISMS

A.9.2.4 Management of Secret Authentication Information of Users

Control- A structured management process should control the allocation of secret authentication information.

Implementation Guidance- Following requirements should be included in the Process:

1) Users will sign a declaration to preserve sensitive personal secret authentication details and to hold mutual (that is, shared) sensitive authentication information strictly inside the group members; this signed agreement can be included in the terms and conditions of employment;

2) When users are required to maintain their own secret authentication information, secure secret authentication information should originally be provided to them that they must change for the first time;

3) Procedures for verifying the identity of the user should be established prior to the provision of new, replacement or temporary secret authentication information;

4) Temporary secret authentication information should be given to users in a safe manner; the use of third parties or insecure (clear text) e-mail messages should be avoided;

5) The details on temporary secret authentication should be unique and not guessable to a person;

6) Users will acknowledge receipt of information on secret authentication;

7) Upon activation of systems or applications, the default vendor secret authenticationdetails should be altered.

Other Information- Passwords are a common type of information for secret authentication and are a common way to verify the user’s identity. Other types of hidden authentication information are encryption keys and data stored on hardware tokens (e.g. smart cards).

Also Read : ISO 27001 Annex : A.9.2 User Access Management

In this new era, where technology and the internet play a vital role personally and professionally there also exits an increase in the number of cyber-attacks, it’s always advisable to limit and control access privileges. For an organization, it’s really important that its information assets and accessibility to those assets should always be protected. Keeping Password is a common way of securing information or information system, other check-points may include various kinds of encryption (cryptographic, hash, etc). Annex 9.2 covers the guidelines and implementation of controls to safeguard data getting accessed by unauthorized user. Infosavvy, training institute in Mumbai provides certification for IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). This certification covers various controls that should be implemented in an organization to keep it away from destructors also trainers in Infosavy are well-skilled and experienced in providing proper guidance and knowledge for keeping the Information security management system secure. This will help the applicant to develop the expertise necessary to carry out the ISMS audit by applying broadly recognized audit principles, procedures and techniques.

Questions related to this topic
  1. What is the difference between service password encryption and enable secret command?
  2. At what level number is the default enable secret password encrypted?
  3. What are the three ways to authenticate a person?
  4. What is the most secure practice when creating passwords? 
  5. Explain ISO 27001 Annex : A.9.2.3 Management of Privileged Access Rights & A.9.2.4 Management of Secret Authentication Information of Users?
  6. Explain ISO 27001 Annex : A.9.2.3 Management of Privileged Access Rights ?

ISO 27001 Requirements


Clause 4.2 Understanding the needs and expectations of interested parties 
Clause 4.4 Information security management system
Clause 4.3 Determining the scope of the information security management system
Clause 5.1 Leadership and commitment
Clause 5.2 Policy
Clause 5.3 Organizational roles, responsibilities and authorities 
Clause 6.1 Actions to address risks and opportunities
Clause 6.1.2 Information security risk assessment process
Clause 6.1.3 Information security risk treatment
Clause 6.2 Information security objectives & planning
Clause 7.1 Resources
Clause 7.2 Competence
Clause 7.3 Awareness
Clause 7.4 Communication
Clause 7.5 Documented information Implementation Guideline
Clause 8.1 Operational planning & control
Clause 8.2 Information security risk assessment
Clause 8.3 Information security risk treatment
Clause 9.1 Performance evaluation Monitoring, measurement, analysis & evaluation
Clause 9.2 Internal audit
Clause 9.3 Management review
Clause 10.1 Non conformity and corrective action
Clause 10.2 Continual Improvement 

ISO 27001 Annex A Controls


Annex A.5 Information Security Policies
Annex A.6 Organization of Information Security
Annex A.6.2 Mobile Devices and Teleworking
Annex A.7 Human Resource Security
Annex A.7.2 During Employment
Annex A.7.3 Termination and Change of Employment
Annex A.8 Asset Management
Annex A.8.1.3 Acceptable Use of Assets & A.8.1.4 Return of Assets
Annex A.8.2 Information Classification
Annex A.8.2.2 Labeling of Information & A.8.2.3 Handling of Assets
Annex A.8.3 Media Handling
Annex A.9 Access Control
Annex A.9.1.2 Access to Networks and Network Services
Annex A.9.2 User Access Management
Annex A.9.2.5 Review of User Access Rights 
Annex A.9.2.6 Removal or Adjustment of Access Rights
Annex A.9.3 User Responsibilities
Annex A.9.4 System and Application Access Control
Annex A.9.4.4 Use of Privileged Utility Programs 
Annex A.9.4.5 Access Control to Program Source Code
Annex A.10 Cryptography
Annex A.11 Physical and Environmental Security
Annex A.11.2 Equipment
Annex A.11.1.3 Securing Offices, Rooms and Facilities
Annex A.11.1.4 Protecting Against External and Environmental Threats
Annex A.11.1.5 Working in Secure Areas
Annex A.11.1.6 Delivery and Loading Areas
Annex A.11.2.4 Equipment Maintenance
Annex A.11.2.5 Removal of Assets
Annex A.11.2.6 Security of Kit and Assets Off-Premises
Annex A.11.2.7 Secure Disposal or Re-use of Equipment
Annex A.11.2.8 Unattended User Equipment
Annex A.11.2.9 Clear Desk and Clear Screen Policy
Annex A.12 Operations Security
Annex A.12.2 Protection from Malware
Annex A.12.3 Backup
Annex A.12.4 Logging and Monitoring
Annex A.12.5 Control of Operational Software
Annex A.12.6 Technical Vulnerability Management
Annex A.12.7 Information Systems Audit Considerations
Annex A.13 Communications Security
Annex A.13.2 Information Transfer
Annex A.13.2.3 Electronic Messaging
Annex A.13.2.4 Confidentiality or Non-Disclosure Agreements
Annex 14 System Acquisition, Development and Maintenance
Annex A.14.1.2 Securing Application Services on Public Networks
Annex A.14.1.3 Protecting Application Services Transactions
Annex A.14.2 Security in Development and Support Processes
Annex A.14.2.3 Technical Review of Applications after Operating Platform Changes
Annex A.14.2.4 Restrictions on Changes to Software Packages
Annex A.14.2.5 Secure System Engineering Principles
Annex A.14.2.6 Secure Development Environment
Annex A.14.2.7 Outsourced Development
Annex A.14.2.8 System Security Testing
Annex A.14.2.9 System Acceptance Testing
Annex A.14.3 Test data
Annex A.15 Supplier Relationships
Annex A.15.1.2 Addressing Security Within Supplier Agreements
Annex A.15.1.3 Information and Communication Technology Supply Chain
Annex A.15.2 Supplier Service Delivery Management
Annex A.16 Information Security Incident Management
Annex A.16.1.2 Reporting Information Security Events
Annex A.16.1.3 Reporting Information Security Weaknesses
Annex A.16.1.4 Assessment of and Decision on Information Security Events
Annex A.16.1.5 Response to Information Security Incidents
Annex A.16.1.6 Learning from Information Security Incidents
Annex A.16.1.7 Collection of Evidence
Annex A.17 Information Security Aspects of Business Continuity Management
Annex A.17.1.3 Verify, Review and Evaluate Information Security Continuity
Annex A.18 Compliance
Annex A.18.1.3 Protection of Records
Annex A.18.1.4 Privacy and Protection of Personally Identifiable Information
Annex A.18.1.5 Regulation of Cryptographic Controls
Annex 18.2 Information Security Reviews

About ISO 27002



This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com

https://g.co/kgs/ttqPpZ

Leave a Comment