IAM: Identity & Access Management

Access to, and use of, audit tools that interact with the organization’s information systems shall be appropriately segregated and access restricted to prevent inappropriate disclosure and tampering of log data.

User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data and organizationally-owned or managed (physical and virtual) application interfaces and infrastructure network and systems components. These policies, procedures, processes,…

User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications.

Policies and procedures shall be established to store and manage identity information about every person who accesses IT infrastructure and to determine their level of access. Policies shall also be developed to control access to network resources based on user identity.

User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for restricting user access as per defined segregation of duties to address business risks associated with a user-role conflict of interest.

Access to the organization’s own developed applications, program, or object source code, or any other form of intellectual property (IP), and use of proprietary software shall be appropriately restricted following the rule of least privilege based on job function as per established user access policies and procedures.

The identification, assessment, and prioritization of risks posed by business processes requiring third-party access to the organization’s information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning…

Policies and procedures are established for permissible storage and access of identities used for authentication to ensure identities are only accessible based on rules of least privilege and replication limitation only to users explicitly defined as business necessary.

Provisioning user access (e.g., employees, contractors, customers (tenants), business partners, and/or supplier relationships) to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components shall be authorized by the organization’s management prior to access being granted and appropriately restricted as per established policies and procedures. Upon request, provider shall inform customer…

User access shall be authorized and revalidated for entitlement appropriateness, at planned intervals, by the organization’s business leadership or other accountable business role or function supported by evidence to demonstrate the organization is adhering to the rule of least privilege based on job function. For identified access violations, remediation must follow established user access policies…

Timely de-provisioning (revocation or modification) of user access to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components, shall be implemented as per established policies and procedures and based on user’s change in status (e.g., termination of employment or other business relationship, job change, or transfer). Upon request, provider shall…

Internal corporate or customer (tenant) user account credentials shall be restricted as per the following, ensuring appropriate identity, entitlement, and access management and in accordance with established policies and procedures: Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and Federation) Account credential lifecycle management from instantiation through revocation Account credential…

Utility programs capable of potentially overriding system, object, network, virtual machine, and application controls shall be restricted.