CIS CSC #14 – Controlled Access Based on the Need to Know

I am working on a series of posts related to the Center for Internet Security (CIS) Critical Security Controls (CSCs). See the full listing here.

The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.

This control includes nine (9) sub-controls. For those of you reviewing the CIS Controls with the Implementation Groups in mind, there is one (1) IG1 sub-control and four (4) IG2 sub-controls. This means that, at a minimum, we want to:

  • Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

If you have been reading along with this series of blog posts, you’ll appreciate the work you put into implementing CIS CSC #13 by minimizing sensitive data storage. Now that data storage has been minimized, we can start to really lock down the amount of access our users are granted to that data. This control looks to grant each user the bare minimum access rights required to fulfill their responsibilities, and nothing more. There are several approaches you can take here, addressing both physical and logical access to data stores.

Physical access may be easier to address, especially when you consider that more and more companies are outsourcing data center functions to a third party. One step you can take to mitigate the risk of that third party failing to physically secure the data center is to encrypt all sensitive data using encryption keys you control, so that physical possession of the storage alone does not grant access to the data.

Ideally you have a semi-automated process to manage access rights by role, but you may be starting from scratch. A basic implementation is as simple as a spreadsheet listing the access rights needed for each role. You should periodically compare production access against that role matrix to ensure there are no unexpected deviations (rights granted that no role justifies, or accounts that still have access after a role change). To make sure this control stays in place, you’ll need a formal process for granting and revoking access rights, which will involve proper notification from HR or department heads so that access rights can be modified in a timely manner.
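The IG1 sub-control above asks for ACLs that enforce need-to-know, and the paragraph above asks for a periodic comparison of production access against a role matrix. The following is an added example (not code from the original post or from CIS) of that reconciliation. All three inputs are constructed sample data embedded inline: the role matrix is the “spreadsheet” described above, the user-to-role feed stands in for the HR notification, and the ACL export stands in for what a tool such as AccessEnum or Get-ACL would produce once flattened to one row per grant. The column names and the share names are assumptions.

```python
"""Reconcile a role-based access matrix against an exported set of production ACLs.

Added example, not from the original post. Inputs are constructed sample data;
column names (role, resource, right, user) are assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed role matrix: which role is approved for which right on which resource.
ROLE_MATRIX_CSV = r"""role,resource,right
finance,\\fs01\payroll,read
finance,\\fs01\payroll,write
hr,\\fs01\payroll,read
hr,\\fs01\hr-files,read
hr,\\fs01\hr-files,write
"""

# Constructed HR feed: the role each current user holds.
USER_ROLES_CSV = r"""user,role
alice,finance
bob,hr
carol,hr
"""

# Constructed production ACL export, one row per (resource, user, right) actually granted.
# 'dave' no longer appears in the HR feed, and 'bob' has a write right his role does not approve.
PROD_ACL_CSV = r"""resource,user,right
\\fs01\payroll,alice,read
\\fs01\payroll,alice,write
\\fs01\payroll,bob,read
\\fs01\payroll,dave,read
\\fs01\hr-files,bob,read
\\fs01\hr-files,bob,write
\\fs01\hr-files,carol,read
\\fs01\payroll,bob,write
"""


def load_rows(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def expected_grants(role_matrix, user_roles):
    """Expand role approvals into the set of (resource, user, right) that should exist."""
    rights_by_role = defaultdict(set)
    for row in role_matrix:
        rights_by_role[row["role"]].add((row["resource"], row["right"]))
    expected = set()
    for row in user_roles:
        for resource, right in rights_by_role.get(row["role"], ()):
            expected.add((resource, row["user"], right))
    return expected


def observed_grants(prod_acl):
    """Collect the set of (resource, user, right) actually present in production."""
    return {(row["resource"], row["user"], row["right"]) for row in prod_acl}


def reconcile(role_matrix_csv, user_roles_csv, prod_acl_csv):
    """Return grants to revoke ('excess') and approved rights not in place ('missing')."""
    expected = expected_grants(load_rows(role_matrix_csv), load_rows(user_roles_csv))
    observed = observed_grants(load_rows(prod_acl_csv))
    return {
        # Present in production but justified by no current role: revoke.
        "excess": sorted(observed - expected),
        # Approved by the matrix but absent: either grant, or correct the matrix.
        "missing": sorted(expected - observed),
    }


if __name__ == "__main__":
    report = reconcile(ROLE_MATRIX_CSV, USER_ROLES_CSV, PROD_ACL_CSV)
    for kind in ("excess", "missing"):
        print(f"{kind}:")
        for resource, user, right in report[kind]:
            print(f"  {resource}  {user}  {right}")
```

Run periodically, the “excess” list is the deviation report the paragraph above calls for (here it flags the departed user and the unapproved write right), and the “missing” list catches the other failure mode, where the matrix and production have drifted apart in the opposite direction. Feeding the script with a fresh HR export each run is what keeps revocations tied to role changes rather than to someone remembering to ask.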

Relevant News Stories

Relevant Tools

Commercial

  • Cisco Prime Access Registrar
  • Network Configuration Manager (Solarwinds)
  • Tripwire Enterprise
  • System Center and Active Directory (Microsoft)
  • Identity IQ (SailPoint)
  • RSA Identity Governance and Lifecycle
  • Access Assurance Suite (Core Security)
  • OneLogin Online SSO
  • Okta Online SSO

Open-Source & “Freemium”

  • AccessEnum (Sysinternals)
  • ShareEnum (Sysinternals)
  • Veracrypt
  • PowerShell – Get-ACL

The CIS Controls are in version 7.1 at the time of this writing. For more information on this control check out the CIS Control #14 page here.
