IAM: Identity & Access Management

Controls

IAM-02: Strong Password Policy and Procedures

Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually.

IAM-06: User Access Provisioning

Define and implement a user access provisioning process which authorizes, records, and communicates access changes to data and assets.

IAM-07: User Access Changes and Revocation

De-provision or respectively modify access of movers / leavers or system identity changes in a timely manner in order to effectively adopt and communicate identity and access management policies.

IAM-08: User Access Review

Review and revalidate user access for least privilege and separation of duties with a frequency that is commensurate with organizational risk tolerance.

IAM-09: Segregation of Privileged Access Roles

Define, implement and evaluate processes, procedures and technical measures for the segregation of privileged access roles such that administrative access to data, encryption and key management capabilities and logging capabilities are distinct and separated.

IAM-10: Management of Privileged Access Roles

Define and implement an access process to ensure privileged access roles and rights are granted for a time limited period, and implement procedures to prevent the culmination of segregated privileged access.

IAM-11: CSCs Approval for Agreed Privileged Access Roles

Define, implement and evaluate processes and procedures for customers to participate, where applicable, in the granting of access for agreed, high risk (as defined by the organizational risk assessment) privileged access roles.

IAM-12: Safeguard Logs Integrity

Define, implement and evaluate processes, procedures and technical measures to ensure the logging infrastructure is read-only for all with write access, including privileged access roles, and that the ability to disable it is controlled through a procedure that ensures the segregation of duties and break glass procedures.

IAM-13: Uniquely Identifiable Users

Define, implement and evaluate processes, procedures and technical measures that ensure users are identifiable through unique IDs or which can associate individuals to the usage of user IDs.

IAM-14: Strong Authentication

Define, implement and evaluate processes, procedures and technical measures for authenticating access to systems, application and data assets, including multifactor authentication for at least privileged user and sensitive data access. Adopt digital certificates or alternatives which achieve an equivalent level of security for system identities.

IAM-15: Passwords Management

Define, implement and evaluate processes, procedures and technical measures for the secure management of passwords.

IAM-16: Authorization Mechanisms

Define, implement and evaluate processes, procedures and technical measures to verify access to data and system functions is authorized.