Demonstrating a robust ISO 27001 information security management system with identity governance and access management
Written by Joseph Grettenberger
… reports. Plus, the One Identity IAM solutions provide a separate database of activity records that you can use to substantiate security policy violations, such as when providing support of personnel sanctions. One Identity’s IAM solutions …

… system, and business-application user governance mandates while also providing foundational IT security measures. One Identity IAM solutions enable organizations to achieve such governance by:
• Consolidating and unifying user …

… that control access to that data; and they apply user-risk rankings based on data sensitivity, granted privileges and policy violation history.

While not a replacement for governance, risk and compliance tools, when regularly used as part of an information governance program, One Identity IAM solutions can help organizations achieve IT governance. It can do this by detecting where account data resides and identifying high-risk users, and by enforcing access authorization, which will eliminate unauthorized access to sensitive data and unauthorized system-configuration changes — and thereby preventing policy violations.

By ensuring controlled access based on need-to-know and providing detailed history of when authorizations to access account data were granted and by whom, One Identity IAM solutions help organizations control user access to enterprise applications and unstructured data in their production operating environments and ensure that critical access controls are applied to security architectures in all phases of the system development lifecycle.

One Identity IAM solutions included in this paper are:
1. Identity Manager
2. Identity Manager – Data Governance Edition

Identity Manager

Organizations need to mitigate risk by identifying sources of controlled data, securing that data (from entitlement creep, outdated user access, etc.), meeting uptime requirements, satisfying compliance obligations and increasing productivity by giving users faster access to the data and applications they need to do their jobs—and nothing more. Identity Manager streamlines user provisioning, de-provisioning and access-approval processes. This One Identity solution enables you to mitigate risk for your organization; control user and privileged access; govern identities; secure data; and get more done with less. With it, you can be the security “Risk Mitigator” that your organization needs.

Using One Identity solutions, IAM can finally be driven by business needs, not IT capabilities. With Identity Manager you can unify security policies, meet compliance needs and achieve governance while improving business agility with a modular and scalable identity and access management solution.

Identity Manager – Data Governance Edition

Identity Manager – Data Governance Edition protects your organization by giving access control to the business owners who actually know who should have access to which resources. So, the people who are familiar with roles and business needs now are empowered to grant access to sensitive data, and analyze, approve and fulfill unstructured data-access requests to files, folders and shares across NTFS, NAS devices and SharePoint. Identity Manager – Data Governance Edition helps data owners (not IT) determine who should have access and automates the request-and-approval workflow, keeping your company from being the next security headline while reducing the burden on IT.

How One Identity IAM Solutions map to ISO 27001 requirements

This section provides a detailed mapping of the controls listed in ISO/IEC 27001:2013 Annex A to the capabilities of One Identity IAM solutions. You can use this mapping to proactively identify and address gaps in your ISO ISMS with One Identity IAM solutions.
4
ISO/IEC 27001:2013 controls from Annex A
A.6.1.3 Contact with authorities
Identity Manager and Identity Manager – Data Governance Edition store entitlement attestations and user provisioning process logs in a secure, encrypted vault. These features provide organizations with a legally defensible repository of user identity traceability and privilege assignment audit trails from which they can retrieve court-admissible evidence using proper chain of custody controls.
A.6.1.5 Information security in project management
With One Identity IAM solutions, organizations can address questions that come from an information security risk assessment conducted at an early stage of a project by providing controls around IT resource access requests and approvals. For example, Identity Manager can be used when a project begins to clean up all non-unique and orphaned accounts, while Identity Manager – Data Governance Edition can be used to define security roles that prevent unauthorized changes to files, folders and NTFS or NAS shares and enforce access policies on all project users, including remote users and contractors.
A.6.2.1 Mobile device policy
A.6.2.2 Teleworking (remote access)
Identity Manager and Identity Manager – Data Governance Edition can be used to provision custom objects such as accounts on smart phones, tablets and remote access VPNs. In addition, these solutions can manage the assignment of identities and privileges on servers and applications that IT uses to manage mobile devices and remote access users, to ensure mobile device and VPN administrator activities are properly authorized, traceable to specific users and conform to the organization’s mobile device and remote access policies.
A.7.1.1 Screening
A.7.1.2 Terms and conditions of employment
Identity Manager and Identity Manager – Data Governance Edition enable you to establish and enforce access authorization to systems that store, process or transmit legally protected and confidential information, thereby limiting access not only to those individuals whose job requires such access, but to only those who have successfully passed a background check and have a need to know. Specifically, these solutions are designed to:
• Define access needs across enterprise applications, NTFS, NAS devices and SharePoint servers for each role, including file servers and data resources that each role needs to access for their job function
• Restrict user access to the least privileges necessary to perform job responsibilities
• Put user access administration into the hands of appropriate authority personnel to delegate access-granting privileges and manage entitlement creep for ongoing maintenance of access restrictions
• Support policies requiring authority personnel to assign, periodically review and attest to the legitimacy of access privileges based on individual personnel’s job classification and function
• Support policies requiring documented approval by authorized parties specifying required privileges and/or approving access requests
• Establish access control for systems with multiple users that restricts access based on a user’s need to know
• Ensure that access controls (e.g. rules and policies) equivalent to default “deny all” configurations are in place for all system components with multiple users
• Provide a full-featured model for the complete management and review of user identities and access rights
A.7.2.1 Management responsibilities
Deploying Identity Manager and Identity Manager – Data Governance Edition provides an excellent way for management to demonstrate its support of the organization’s information access policies and procedures by enforcing them.
A.7.3.1 Termination or change of employment responsibilities
Identity Manager is designed to manage the information security aspects of employee and contractor terminations and job reassignments (such as orphaned accounts) by quickly terminating access privileges to sensitive information and reducing or removing access to system accounts — even if a user has multiple identities from holding different roles over many years with the organization. Identity Manager enables you to adjust or revoke system access privileges across your ERP system, NTFS, NAS devices and SharePoint servers in a timely manner for workforce members who have changed roles or have left the organization. Moreover, with Identity Manager you can easily review and remove or disable inactive user accounts across all these systems and monitor for orphaned accounts in accordance with your organization’s account aging policy.
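The account-aging review described in the row above, as an added example that is not part of the original paper and not One Identity’s own code: it takes an HR roster and a set of accounts collected from target systems (constructed sample data) and flags accounts whose owner has been terminated but whose access is still enabled, accounts with no owner on record, and accounts unused past an aging threshold. The data classes, the 90-day inactivity threshold, the one-day revocation grace period and all account names are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Identity:
    """A person in the HR roster (assumed shape, not a product schema)."""
    identity_id: str
    status: str                          # "active" or "terminated"
    terminated_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    """A login collected from a target system (ERP, NTFS, NAS, SharePoint, ...)."""
    account_id: str
    system: str
    owner_id: Optional[str]              # linked identity; None when no owner is recorded
    last_logon: Optional[date]           # None when the account has never logged on
    enabled: bool


# Constructed sample data: a small roster and the accounts pulled from three systems.
IDENTITIES: List[Identity] = [
    Identity("alice", "active"),
    Identity("bob", "terminated", date(2017, 6, 1)),
    Identity("carol", "active"),
]

ACCOUNTS: List[Account] = [
    Account("alice@erp", "ERP", "alice", date(2017, 6, 28), True),
    Account("alice-old@nas", "NAS", "alice", date(2017, 1, 15), True),      # second account, long unused
    Account("bob@erp", "ERP", "bob", date(2017, 5, 30), True),              # owner left on 1 June, still enabled
    Account("svc_backup@sp", "SharePoint", None, date(2017, 6, 29), True),  # no owner recorded
    Account("dave@nas", "NAS", "dave", None, True),                         # owner unknown to HR, never used
    Account("carol@sp", "SharePoint", "carol", date(2016, 2, 1), False),    # already disabled
]

AS_OF = date(2017, 6, 30)   # review date used by the sample run (assumed)


def review_accounts(identities: List[Identity], accounts: List[Account], as_of: date,
                    inactive_days: int = 90, revoke_grace_days: int = 1) -> Dict[str, List[str]]:
    """Return {account_id: [reasons]} for every enabled account that breaches the aging policy.

    Reasons: "orphaned" (no owner in the roster), "terminated-owner" (owner left more than
    revoke_grace_days ago and access is still enabled), "inactive" (no logon within inactive_days).
    """
    roster = {i.identity_id: i for i in identities}
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue                      # already disabled: out of scope for this review
        reasons: List[str] = []
        owner = roster.get(acct.owner_id) if acct.owner_id else None
        if owner is None:
            reasons.append("orphaned")
        elif owner.status == "terminated" and owner.terminated_on is not None:
            if (as_of - owner.terminated_on).days > revoke_grace_days:
                reasons.append("terminated-owner")
        if acct.last_logon is None or (as_of - acct.last_logon).days > inactive_days:
            reasons.append("inactive")
        if reasons:
            findings[acct.account_id] = reasons
    return findings


if __name__ == "__main__":
    for account_id, reasons in sorted(review_accounts(IDENTITIES, ACCOUNTS, AS_OF).items()):
        print(f"{account_id:16} {', '.join(reasons)}")
```

The review deliberately skips accounts that are already disabled and treats an account whose owner is absent from the roster the same as one with no owner recorded, since in both cases nobody in HR can attest to it.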
A.8.1.1 Inventory of assets
A.8.1.2 Ownership of assets
A.8.1.3 Acceptable use of assets
Identity Manager can identify critical technology assets and personnel (with contact information) associated with your organization’s ERP system, NTFS systems, NAS devices and SharePoint servers. In fact, One Identity’s IAM solution provides a number of features that can help you inventory critical technology assets and determine device owner information. For example, to augment the usage restrictions that are configured during user account setup, usage policies can be established with rules for when and how user accounts can access system components. Once established, reports such as the Resource Activity Report can provide a list of all access activity on those critical technologies, the personnel authorized to use the devices and whether usage policies have been violated.
A.8.2.2 Labeling of information
Once an information classification scheme has been adopted and information assets have been labeled per the scheme, you can configure the corresponding access request and approval requirements that are based on the scheme into various procedural workflows in Identity Manager.
A.9.1.1 Access control policy
A.9.1.2 Access to networks and network services
Using the fine-grained access control configuration settings for users, groups, domains, and services, Identity Manager lets you implement the rules identified in the “implementation guidance” and “other information” for logical access control cited in ISO 27002:2013, sections 9.1.1 and 9.1.2. For example, Identity Manager lets you implement segregation of access control roles, formal authorization of access requests, and mandatory periodic reviews of access rights (attestations) within an Identity Manager network. Likewise, Identity Manager – Data Governance Edition can enforce every logical access rule identified in the “implementation guidance” and “other information” sections of ISO 27002:2013, sections 9.1.1 and 9.1.2, within an Identity Manager network.
A.9.2.1 User registration and de-registration
A.9.2.2 User access provisioning
A.9.2.3 Management of privileged access rights
A.9.2.4 Management of secret authentication information
Identity Manager and Identity Manager – Data Governance Edition provide organizations with a ready-made framework designed to inherit and/or set up, manage and support:
• User authentication information
• A formal user registration and de-registration process to enable assignment of access rights
• A formal user access provisioning process to assign or revoke access rights for all user types to all systems and services
• A full-featured model for the complete management and review of access rights of users
A.9.2.5 Review of user access rights
A.9.2.6 Removal or adjustment of access rights
Identity Manager and Identity Manager – Data Governance Edition enable organizations to implement access authorization, access rights review and access revocation policies for granting and maintaining least-privilege access to sensitive data across a variety of platforms. Features include the assignment of unique user IDs; the means to review and adjust or revoke system access privileges across ERP, NTFS, NAS devices and SharePoint servers in a timely manner for users who have changed roles or have left the organization; and the assured elimination of redundant user IDs across multiple platforms through a secure, centralized repository for user credentials.
A.9.3.1 Use of secret authentication information
Identity Manager uses various native authentication modules but can also be configured to specify whether the authentication module used with the product (AD, LDAP, local system user or other) uses dynamic or role-based secret authentication information (including a single sign-on option that eliminates the need to remember passwords or record them in an unsecure manner). In addition, Identity Manager supports policies for secure initial password distribution, password renewal, password complexity and password change frequency.
A.9.4.1 Information access restriction
Identity Manager restricts access to sensitive information by associating users with permissions groups and through group permission inheritance in AD, SharePoint, and SAP groups. Identity Manager – Data Governance Edition restricts access to sensitive information per your organization’s access control policy. Specifically, these solutions enable you to avoid unchecked privileged access and entitlement creep by ensuring authorized personnel carefully review and attest to the validity of user access permissions and grant access to privileged information via an access request/approval workflow.
A.9.4.2 Secure log-on procedures
Identity Manager and Identity Manager – Data Governance Edition support the secure log-on procedures included with the authentication module selected when setting up or reconfiguring the product (AD, LDAP, local system user or other). Virtually all of these options address most or all of the secure logon procedure requirements of ISO 27002 section 9.4.2, i.e. logon screens and associated logic:
1) do not display application or platform software identifiers,
2) have a warning message that only authorized users should access the system,
3) do not provide help that would aid an unauthorized user,
4) do not tell a user which part of a failed logon attempt is incorrect,
5) protect against brute force attempts,
6) log unsuccessful login attempts,
7) raise a security event for failed or successful logon breaches,
8) display details of last successful log-on and unsuccessful logon attempts,
9) obfuscate passwords being entered,
10) render passwords sent over a network unreadable,
11) terminate logon sessions after a defined period of inactivity, and
12) restrict connection times for higher risk applications to predefined limits.
A.9.4.3 Password management system
Identity Manager allows logged-in users to change their passwords as defined by ISO 27002 section 9.4.3.
A.9.4.4 Use of privileged utility programs
Identity Manager and Identity Manager – Data Governance Edition do not permit privileged utility programs to circumvent their own access controls or those of any of the systems and applications compatible with them.
A.9.4.5 Access control to program source code
Beyond the logical divisions in Active Directory that normally prevent unauthorized users from accessing program source code and associated items, Identity Manager and Identity Manager – Data Governance Edition can be used to ensure that all unauthorized groups (helpdesk or support personnel, for example) do not have access to program source libraries and that developers do not have access that would allow them to make changes in the live operating environment.
A.11.2.6 Security of equipment and assets off premises
A risk assessment should be performed when evaluating controls needed because of additional risks introduced by remote users. Part of the assessment should include remote user access authorization. Identity Manager and Identity Manager – Data Governance Edition provide calculated risk values for higher risk users and help assessors of remote user risk review key areas of information security such as whether or not:
• Network and server access is based on more stringent authorization policies for remote users
• AD roles for remote users have been established on the principle of “least privilege”
• Additional approvals are required for AD role and group access requests originating from remote users
• Entitlements granted to remote users are valid / have been recently validated
• Network access privileges of terminated workforce members with remote access are revoked in a timely manner
A.12.1.1 Documented operating procedures
By setting up groups and access policies that permit only authorized persons to access the sensitive output of automated procedures, Identity Manager and Identity Manager – Data Governance Edition can help you support a variety of documented routine operating procedures. For example, by providing both access authorization and access restriction models that limit who can see the daily results of routine backup procedures, batch jobs, audit trails and system log files, policy violations and high-risk exposure changes (e.g. changes to the list of high-risk users), these solutions can play a foundational role in the larger task of controlling the modification and maintenance of operational activities associated with information processing and communication facilities.
A.12.1.3 Capacity management
Regarding the capacity management of human resources, Identity Manager and Identity Manager – Data Governance Edition are well-suited to address the extraordinary user provisioning and de-provisioning needs of organizations going through a merger or acquisition or those that have user populations that are seasonal or which fluctuate throughout the year.
A.12.1.4 Separation of development, testing and operational environments
With Identity Manager and Identity Manager – Data Governance Edition, you can implement and enforce the access governance controls necessary for maintaining the integrity of separate operational, testing, and development environments. For example, these solutions can ensure implementation of a policy that requires users to not have access to more than one of these environments, or a policy where users with access to the operational environment and the test environment are required to have different user profiles for security purposes.
A.12.2.1 Controls against malware
Identity Manager and Identity Manager – Data Governance Edition are designed to protect against session hijacking code and other malware that may be used in your network.
A.12.3.1 Information backup
Identity Manager and Identity Manager – Data Governance Edition can be used to ensure (through access policies, mandatory access requests, approval workflows, and periodic attestations) that only authorized persons are able to access backup files and manage backup procedures (scheduled and unscheduled).
A.12.4.1 Event logging
A.12.4.2 Protection of log information
A.12.4.3 Administrator and operator logs
Identity Manager and Identity Manager – Data Governance Edition both provide a number of logging and monitoring capabilities. For example, Identity Manager can be configured to alert appropriate personnel via email or text message for any specified number of repeated failed logins. The solution can also be used in a review capacity that supports monitoring of login attempts. Both Identity Manager and Identity Manager – Data Governance Edition enable you to limit viewing access of system logs to only those individuals whose job requires such access and who have a job-related need.
A.12.7.1 Information systems audit controls
Identity Manager and Identity Manager – Data Governance Edition offer many forms of evidence (granted permissions, logs, reports, configuration settings, security rule violations) that indicate the extent to which the organization has met identity and access management audit controls. Identity Manager – Data Governance Edition can also be used to assign a risk value to every company resource identified in Identity Manager. A risk index is then calculated for every user assigned to a risk-rated resource. Security rules, too, can be assigned a risk value for audit purposes so that a user’s rule violations affect his or her risk index. A user’s risk index can be further refined through various attributes, including a user’s assigned roles and responsibilities. This provides audit teams with the ability to focus on higher risk areas that can be audited by user and by system.
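An added illustration of the risk-index idea in the row above (example code written for this page, not Identity Manager’s own calculation): resources and security rules carry risk values, each user’s index combines the values of the resources assigned to them and the rules they violate, a role weight refines the index, and two ranking functions then produce the by-user and by-system focus lists an audit team would work from. The aggregation formula, the 1–10 scale, the role weights, and all user, resource and rule names are assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample data (assumed; not a product schema). Resource risk values use a 1-10
# scale set by the data owner; each security rule carries a value that a violation adds to
# the violator's index; role weights refine the index for privileged roles.
RESOURCE_RISK: Dict[str, int] = {
    "erp/payroll": 9,
    "nas/finance-share": 7,
    "sp/marketing": 2,
}

RULE_RISK: Dict[str, int] = {
    "SoD-AP-vs-vendor-master": 8,
    "no-shared-admin-account": 5,
}

ROLE_WEIGHT: Dict[str, float] = {"admin": 1.5, "finance": 1.25, "staff": 1.0}

USERS: Dict[str, dict] = {
    "alice": {"roles": ["finance"], "resources": ["erp/payroll", "nas/finance-share"],
              "violations": ["SoD-AP-vs-vendor-master"]},
    "bob":   {"roles": ["staff"], "resources": ["sp/marketing"], "violations": []},
    "carol": {"roles": ["admin", "staff"], "resources": ["erp/payroll"], "violations": []},
    "dave":  {"roles": ["staff"], "resources": [], "violations": []},   # no risk-rated resource
}


def risk_index(user: dict) -> Optional[float]:
    """(sum of assigned resource risks + sum of violated rule risks) x highest role weight.

    The aggregation formula is an assumption made for this example. A user holding no
    risk-rated resource gets no index, matching the text above.
    """
    if not user["resources"]:
        return None
    base = sum(RESOURCE_RISK[r] for r in user["resources"])
    base += sum(RULE_RISK[v] for v in user["violations"])
    weight = max((ROLE_WEIGHT[r] for r in user["roles"]), default=1.0)
    return base * weight


def rank_users(users: Dict[str, dict]) -> List[Tuple[str, float]]:
    """Users that have an index, highest risk first (ties broken by name)."""
    scored: List[Tuple[str, float]] = []
    for name, user in users.items():
        index = risk_index(user)
        if index is not None:
            scored.append((name, index))
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


def rank_systems(users: Dict[str, dict]) -> List[Tuple[str, float]]:
    """Sum each user's index onto the resources they hold, so audit effort can also be focused by system."""
    totals: Dict[str, float] = {}
    for user in users.values():
        index = risk_index(user)
        if index is None:
            continue
        for resource in user["resources"]:
            totals[resource] = totals.get(resource, 0.0) + index
    return sorted(totals.items(), key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    print("by user:  ", rank_users(USERS))
    print("by system:", rank_systems(USERS))
```

Summing user indices onto resources means a resource touched by several risky users rises above one touched by a single high-risk user, which is usually the ordering an audit plan wants; a maximum instead of a sum would surface the single worst exposure.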
A.13.1.1 Network controls
Identity Manager and Identity Manager – Data Governance Edition enable organizations to implement access authorization and access revocation policies for granting and maintaining access rights across ERP, NTFS, NAS devices and SharePoint servers.
A.13.1.2 Security of network services
To manage the risk of unnecessary network access by service providers, Identity Manager and Identity Manager – Data Governance Edition can enable authorized administrators to restrict access to only the applications they need for support purposes, when necessary and with appropriate approval.
A.13.1.3 Segregation in networks
Identity Manager and Identity Manager – Data Governance Edition can help organizations demonstrate compliance with access control policies that keep services, users, and systems segregated in networks, whether domains are based on trust levels, along organizational units or some combination of the two.
A.14.1.1 Information security requirements analysis and specification
Sensitive information can be found in many places within an organization’s network, not just in its core business applications, so all systems and networks containing or accessing sensitive information must be designed and configured with security in mind and reviewed periodically for risk. Whether you are designing a new environment or enhancing an existing one, One Identity IAM solutions can meet most regulatory and policy-driven requirements for user rights management and address virtually all security-related implementation issues related to the user life-cycle (e.g. ensuring unique user IDs; requiring and defining access request procedures, department or organizational roles, the granting of permissions including elevated privileges, and manager delegation of responsibilities; establishing user rules; assigning user risk rankings; and verifying sufficiently secure password management settings).
A.14.1.2 Securing application services on public networks
A.14.1.3 Protecting application services transactions
Organizations that allow purchases, payments and other transactions over public networks should issue a policy that defines the conditions and restrictions for using the applications that provide such services. Identity Manager and Identity Manager – Data Governance Edition provide web access management features that permit access policy creation and enforcement to help secure application services on public networks (e.g., ensure an authorization process is implemented for access to an application that provides electronic signatures). Because sending sensitive data over public networks increases risk, strong access and electronic communications controls are needed to prevent unauthorized access to application services that may compromise the integrity of cloud-based, extranet and internet transactions, including e-commerce, business-to-business (B2B) and other web-based transactions.

Identity Manager and Identity Manager – Data Governance Edition support multi-factor authentication and encrypted communication solutions (using SSH and digital certificates) to help organizations ensure secure communications for authorized transactions and prevent unauthorized access to restricted application services transactions.

A risk assessment should be performed when evaluating controls needed to secure application services on public networks and protect the transactions performed over these networks. Part of the assessment should include user access authorization. Identity Manager and Identity Manager – Data Governance Edition provide calculated risk values for higher risk users, such as those accessing secure applications over public networks to perform sensitive transactions. Using One Identity solutions, assessors of such user risks can review key areas of information security such as whether or not:
• Network and server access for public networks is based on more stringent authorization policies
• Additional approvals are required for public network access requests
• Entitlements granted to such users are valid / have been recently validated
• Network access privileges of terminated workforce members that have performed sensitive transactions over public networks are revoked in a timely manner
A.14.3.1 Protection of test data
For test environments containing sensitive operational data, Identity Manager and Identity Manager – Data Governance Edition can ensure that:
• The access request procedures that apply to operational application systems also apply to test application systems.
• Special authorization is obtained before accessing test environments containing sensitive data copied from an operational environment.
• Conflicting entitlements are prevented through enforced policy (e.g., users with access authorization to test environments do not have access authorization to environments containing operational data).
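The environment-separation policies in A.12.1.4 and the test-data entitlement rules in A.14.3.1 above, as one added example (written for this page, not code from One Identity): it checks a set of entitlements under either policy form the paper mentions (one environment per user, or separate user profiles for production and test), and decides an access request by denying anything that would create a new conflict and routing test-system access through special authorization when the test copy holds operational data. The environment tiers, policy-mode names, account names, sample entitlements and decision strings are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Environment:
    name: str
    tier: str                       # "development", "testing" or "operational"
    holds_operational_data: bool    # True for a test system refreshed from a production copy


@dataclass(frozen=True)
class Entitlement:
    identity: str      # the person
    account: str       # the user profile (login) the person uses
    environment: str   # Environment.name


# Constructed sample data (assumed; not from any real deployment).
ENVIRONMENTS: Dict[str, Environment] = {
    "prod-erp": Environment("prod-erp", "operational", True),
    "test-erp": Environment("test-erp", "testing", True),
    "dev-erp": Environment("dev-erp", "development", False),
}

ENTITLEMENTS: List[Entitlement] = [
    Entitlement("alice", "alice", "prod-erp"),
    Entitlement("bob", "bob", "dev-erp"),
    Entitlement("bob", "bob", "test-erp"),
    Entitlement("carol", "carol-adm", "prod-erp"),   # separate admin profile for production
    Entitlement("carol", "carol", "test-erp"),
    Entitlement("dave", "dave", "prod-erp"),         # one login used in both environments
    Entitlement("dave", "dave", "test-erp"),
]


def tiers_by_account(identity: str, entitlements: Iterable[Entitlement],
                     environments: Dict[str, Environment]) -> Dict[str, Set[str]]:
    """Map each of the identity's accounts to the environment tiers that account can reach."""
    result: Dict[str, Set[str]] = {}
    for e in entitlements:
        if e.identity == identity:
            result.setdefault(e.account, set()).add(environments[e.environment].tier)
    return result


def find_violations(entitlements: Iterable[Entitlement], environments: Dict[str, Environment],
                    mode: str) -> List[Tuple[str, str]]:
    """Policy "exclusive": an identity may reach only one tier in total.
    Policy "separate_profiles": no single account may reach both operational and testing."""
    entitlements = list(entitlements)
    violations: List[Tuple[str, str]] = []
    for identity in sorted({e.identity for e in entitlements}):
        per_account = tiers_by_account(identity, entitlements, environments)
        all_tiers = set().union(*per_account.values())
        if mode == "exclusive":
            if len(all_tiers) > 1:
                violations.append((identity, "multiple-environments"))
        elif mode == "separate_profiles":
            if any({"operational", "testing"} <= tiers for tiers in per_account.values()):
                violations.append((identity, "shared-profile"))
        else:
            raise ValueError(f"unknown policy mode: {mode}")
    return violations


def evaluate_request(identity: str, account: str, environment: str,
                     entitlements: Iterable[Entitlement], environments: Dict[str, Environment],
                     mode: str) -> str:
    """Decide a request: deny if granting it would create a new policy conflict, require
    special authorization for a test system holding operational data, otherwise approve."""
    current = list(entitlements)
    proposed = current + [Entitlement(identity, account, environment)]
    new_conflicts = set(find_violations(proposed, environments, mode)) - set(find_violations(current, environments, mode))
    if new_conflicts:
        return "deny"
    env = environments[environment]
    if env.tier == "testing" and env.holds_operational_data:
        return "special-authorization-required"
    return "approve"


if __name__ == "__main__":
    for mode in ("exclusive", "separate_profiles"):
        print(mode, find_violations(ENTITLEMENTS, ENVIRONMENTS, mode))
    print(evaluate_request("alice", "alice-test", "test-erp", ENTITLEMENTS, ENVIRONMENTS, "separate_profiles"))
```

Comparing conflicts before and after the proposed grant keeps the decision focused on the request itself: an identity that already violates the policy shows up in the periodic review from `find_violations`, while the request path only blocks grants that would add a conflict.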
A.17.1.2 Implementing information security continuity
A.17.1.3 Verify, review and evaluate information security continuity
Business continuity often requires granting privileged access to key personnel during a disruptive event. To ensure security in these situations, organizations can use Identity Manager and Identity Manager – Data Governance Edition to:
• Ensure compliance with procedures designed to preserve the integrity of privileged access controls during a disruptive event
• Test information security continuity procedures and authorization controls to ensure that they are consistent with the information security continuity objectives
A.18.1.3 Protection of records
Access authorization history records stored within Identity Manager and Identity Manager – Data Governance Edition can be encrypted with strong AES 256 full disk encryption. You can use appropriate records management controls to securely archive these records of access authorization for a variety of purposes, including forensic analysis and, provided you use proper chain of custody controls, court evidence.
A.18.2.1 Independent review of information security
A.18.2.2 Compliance with security policies and standards
A.18.2.3 Technical compliance review
Identity Manager and Identity Manager – Data Governance Edition can facilitate the implementation and enforcement of temporary access authorization policies that enable authorized personnel to:
• Grant temporary, limited, read-only access to independent reviewers of security information
• Ensure compliance with access authorization requirements from policies, standards and applicable regulations
• Provide temporary authorization to support compliance reviews of privileged access, including break/fix changes to production
Conclusion

The identity governance and access controls included in most enterprise applications provide just a portion of the security you need to achieve, maintain and demonstrate a robust information security management system (ISMS) based on ISO/IEC 27001 Identity and Access Management (IAM) controls listed in its “Annex A” and further explained in ISO/IEC 27002. To affirmatively answer the identity and access management questions that will come up in an ISO 27001 security risk assessment, you need to manage all of the identities, roles, entitlements and risks associated with users that have access to sensitive operational data throughout your organization (or ISMS scope) — including all backup systems, support systems and underlying platforms that access, store, protect or transmit such data.

Identity Manager and Identity Manager – Data Governance Edition enable IT personnel to unify user identities across the enterprise, while enabling business data owners to manage their own team’s roles and risks associated with access to sensitive systems and account data within the wider business data environment. Thus, responsibility for identity and access governance is optimally distributed, reducing complexity effectively and efficiently.

While not a replacement for governance, risk and compliance tools, when regularly used as part of an information governance program, these solutions can help organizations identify high-risk resources, identify high-risk users, manage those risks and greatly reduce a host of unauthorized access and transaction processing scenarios, thereby preventing policy violations.

For more information, please visit http://oneidentity.com/solutions/identity-governance/

About the Author

Joe Grettenberger, CISA, CCEP has over 25 years’ experience as an IT Assurance professional with 9 years of technology auditing experience both in the public and private sectors. Having started his own consulting practice in 2008, Grettenberger is certified as an information systems auditor (CISA) and compliance and ethics professional (CCEP). He has served clients for over 8 years as an IT governance and risk management consultant covering a wide range of IT assurance issues within the regulatory, legal, and industry compliance space. Grettenberger has held IT audit, assurance and advisory positions at a number of organizations including Modern Compliance Solutions, Quest Software, Vintela, Center 7, Franklin Covey and SAIC. He was a recent participant in the Internet Security Alliance initiative to promote cross-industry IT security standards and has also participated in several other standard-setting best practice initiatives such as serving on the SunTone Architecture Council and chairing the MSP Association’s Best Practice Committee.
© 2017 Quest Software Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Quest Software Inc.

The information in this document is provided in connection with Quest Software products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest Software products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST SOFTWARE ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST SOFTWARE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest Software makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest Software does not make any commitment to update the information contained in this document.