Some of the important access control issues related to compliance that should be of interest to Windows administrators are: specific regulatory requirements, industry standards, due diligence and e-discovery.
Windows administrators must ensure that access controls are established and maintained, in addition to knowing data access capabilities, to support compliance with each of these issues and to protect their IT budgets and their job security.
Specific regulatory requirements -- What regulatory requirements does your organization have? There are many possibilities. Table 1 lists a few of these access control requirements for some of the most widely applicable laws and regulations. Discuss these with your legal counsel, information security officer or privacy officer. Noncompliance with these laws and regulations could result in fines and penalties that take funds from your IT budget.
Table 1: Regulatory access control requirements
|Law or regulation||Access control requirements|
|Health Insurance Portability and Accountability Act||Access to protected health information must be given only to individuals with a business need to access it in order to fulfill business responsibilities.|
|Gramm-Leach-Bliley Act||This law requires organizations to implement safeguards to protect against|
|unauthorized access to or use of customer records and information.|
|Sarbanes-Oxley Act||Adequate internal access controls to financial information must exist.|
|Family Educational Rights and Privacy Act||Schools must limit access to information within each student's education record.|
|Federal Information Security Management Act.||Based on risk assessment, this law requires organizations to provide information security protection against unauthorized access, use, disclosure, disruption, modification or destruction of information and information systems.|
Information security standards -- There is a growing trend within different industries to require applicable organizations to follow specific information security standards. Two examples are the Payment Card Industry Data Security Standard, or PCI DSS, for organizations that process credit card payments; and the Common Criteria for software and hardware systems used by the U.S. government. In addition, growing numbers of organizations are requiring their business partners and outsourced vendors to have Information Security Management System ISO 27001-certified systems built around ISO 27002 standards.
Table 2 lists a few of these standards requirements. Have a talk with your information security officer about these standards to make sure they are all being followed. If your company loses the ability to process credit cards or loses a government contract because these standards aren't in place, it could have a negative impact not only on your IT budget but also on your job.
Table 2: Standards access control requirements
|Standard||Access control requirements|
|PCI DSS||"Requirement 7: Restrict access to cardholder data by business need-to-know."
"Requirement 8: Assign a unique ID to each person with computer access."
|Common Criteria for Information Technology Security Evaluation||The access controls for the target of evaluation must be based upon the identified security attributes.|
|ISO 27002||"Access to both internal and external networked services should be controlled. User access to
networks and network services should not compromise the security of the network services by
a) appropriate interfaces are in place between the organization's network and networks owned by other organizations, and public networks;
b) appropriate authentication mechanisms are applied for users and equipment;
c) control of user access to information services is enforced."
Due diligence -- All organizations must follow due diligence procedures to follow their own policies. Organizations may be found guilty of unfair or deceptive acts or practices if they do not have information security in place to support their policies.
Due diligence applies not only to your own organization but also to your business partners to ensure that they have proper security practices. The Federal Trade Commission has brought many charges against organizations that violate Section 5 of the FTC Act, which prohibits unfair or deceptive practices. Table 3 lists a few of these due diligence requirements that resulted from established policies and contracts. Make sure your information security officer and you are on the same page when it comes to due diligence. If an incident occurs as a result of not following policies, the investigator will likely ask the IT department why you were not in compliance. Do you really want to be on the other end of that conversation?
Table 3: Due care access control considerations
|If your policy says…||Then in Windows you must…|
|No user accounts may be shared.||Configure Windows servers to disallow simultaneous use of more than one user account session.|
|Only computers configured to corporate standards may access the network.||For Windows Server 2008, users on noncompliant NAP client computers must be denied access through using "enforcement mode."|
|Only corporate-approved products may be used for remote access to the network.||Configure Windows servers to allow remote access only from computers that are compliant NAP clients.|
|All vendor network accounts must be monitored.||Configure Windows servers to create audit logs for all vendor network account IDs.|
E-discovery -- Business leaders are becoming increasingly concerned with e-discovery rules, which generally provide the requirements for using computer technology and electronic information during the discovery phase in lawsuits. Every organization doing business in the U.S. must comply with the e-discovery rules.
Table 4 lists a few of these e-discovery requirements that Window administrators must know. The IT area will be expected to quickly find specific data items from all locations where it is stored when litigation occurs. It could be a career-limiting – or even career-ending -- moment if you cannot. Having controls and documented procedures in place to retrieve data quickly is a good thing for your business and for your job security.
Table 4: E-discovery access control considerations
|E-discovery needs||Access control issues|
|Reasonable data accessibility||Follow procedures to determine whether the data is relevant or not reasonably accessible in a relatively short period of time.|
|Providing data to an opposing party||Establish a procedure to provide requested data without giving the opposing party access to your network and computer systems if at all possible. Doing so could result in unauthorized access to confidential data, inadvertent loss or modification of data or other negative impacts|
|Documenting inaccessible data||Document inactive and inaccessible data and corresponding storage locations related to the case, such as backup media, off-site storage and archives, deleted and residual data, and legacy data and any legacy systems that must be used but are no longer supported.|
Unify access control requirements -- The best way to implement access control requirements to meet these many diverse issues is to establish access control settings to the common requirements that exist across all of the issues. Table 5 gives you just a few of the many common areas required by laws, regulations, standards and best practice policies.
Table 5: Windows access control considerations
|Windows||Access control requirements|
|User IDs||Allow only one concurrent session at a time.|
|Audit directory service||Log successful and failed access attempts to the audit directory service.|
|Audit object||Log successful and failed access attempts to audit objects that contain sensitive information.|
|Applications||Allow only user accounts, applications and systems resources with a business need to access sensitive information.|
|Mission-critical files and databases||Allow only user accounts, applications and systems resources with a business need to access specific classifications of data.|
The bottom-line common denominator for all types of compliance requirements is that you must give user accounts the minimum access necessary for them to successfully fulfill their job responsibilities.
Rebecca Herold, CISSP, CISA, CISM, CIPP, FLMI, has more than 17 years of
experience in IT, information security, privacy and compliance. She is owner and principal of
Rebecca Herold LLC. She is an adjunct professor for the Norwich University Master of Science in
Information Assurance program and is writing her 11th book. Her articles can be found at www.privacyguidance.com and www.realtime-itcompliance.com.
This was first published in April 2008