Authorization is the process of controlling access to system resources. Access should be granted based on individual userids and group memberships. Therefore, userids must be carefully assigned based on the principles of Least Privilege, Individual Accountability and Separation of Duties.
User access to system objects (files, processes and devices) should be granted based on job function, mediated by the principles of Least Privilege and Separation of Duties.
This section outlines how to secure a system using the principles of Least Privilege, Separation of Duties and Individual Accountability.
BP-POLICY-USER-01 Userid assignment must be based on the principles of Least Privilege and Separation of Duties.
Least Privilege
Least Privilege dictates that each user has access only to the resources required to perform their job and nothing more.
For example, operators are generally responsible for running the backup program, for managing the batch system and keeping various system devices, such as printers and communication lines, functioning. Individuals performing operations tasks should be assigned userids in the Operations administrative group.
Separation of Duties
Separation of Duties dictates that job duties and responsibilities be divided among people or functional groups to the point where collusion is necessary for fraud to occur.
For example, operators should be able to 'bounce' communication lines, but not add new communication lines. Users who generate credit card account numbers should not be responsible for creating PINs for those accounts.
The Corporate Security Standard should dictate which user groups have what access to each type of resource. Users should be granted access to only those programs and files necessary to perform their job. Application users are generally authenticated and regulated by the application itself.
Some Common Task-related User Groups

| Resource | Systems Mgt. | OPS Mgt | Change Control | Help Desk | App Support | App Data Owner | App Exec ID | Security |
|---|---|---|---|---|---|---|---|---|
| Production Data Files | R(W) | RWPC | RW | | | | | |
| Production Object Files | RWP | R | E | | | | | |
| Production Log Files | R | R | R | R | R | R | RWP | |
| Security Utilities and Files | R(E) | (RE) | RWEP | | | | | |
| Safeguard and 3rd Party Audit Files | R | (R) | R | | | | | |
| Op Sys Utilities | RWE | E | E | E | E | E | | |

R, W, E, P and C are the Guardian/Safeguard file authorities Read, Write, Execute, Purge and Create. ( ) = access granted via the application, 3rd party access control products or customer-written utilities which provide only limited, audited access to sensitive data or utilities.
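The group-based matrix above and the Separation of Duties examples in the text (operators may bounce but not add communication lines; card-number generators must not create PINs) can be checked mechanically. The following is an added example, not part of the original standard: it encodes a small access-control matrix keyed by the page's group and resource names (the authorities granted are constructed sample values, not the standard's own table), evaluates a userid's effective authorities with default deny, flags conflicting group memberships, and audits a userid for authorities beyond what its job requires. The duty groups "Card Number Generation" and "PIN Creation" and the resources "Comm Line Bounce" / "Comm Line Add" are assumed names introduced for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Authority letters as in the table: R=Read, W=Write, E=Execute, P=Purge, C=Create.
Authority = str

# Constructed sample matrix: group -> resource -> authorities granted.
# Group/resource names follow the page's table; the values are illustrative only.
MATRIX: Dict[str, Dict[str, Set[Authority]]] = {
    "Systems Mgt": {
        "Op Sys Utilities": {"R", "W", "E"},
        "Production Log Files": {"R"},
    },
    "OPS Mgt": {
        "Op Sys Utilities": {"E"},
        "Production Log Files": {"R"},
        "Comm Line Bounce": {"E"},   # operators may restart a line ...
        # ... but "Comm Line Add" is deliberately absent (Separation of Duties)
    },
    "Change Control": {
        "Comm Line Add": {"E"},
        "Production Object Files": {"R", "W", "P"},
    },
    "App Exec ID": {
        "Production Data Files": {"R", "W"},
        "Production Log Files": {"R", "W", "P"},
    },
    "Security": {
        "Security Utilities and Files": {"R", "W", "E", "P"},
        "Safeguard Audit Files": {"R"},
    },
    # Assumed duty groups for the card-issuing example in the text.
    "Card Number Generation": {"Card Number Generator": {"E"}},
    "PIN Creation": {"PIN Generator": {"E"}},
}

# Constructed Separation of Duties policy: group pairs one userid must never hold together.
SOD_CONFLICTS: List[FrozenSet[str]] = [
    frozenset({"Card Number Generation", "PIN Creation"}),
    frozenset({"OPS Mgt", "Change Control"}),
]


@dataclass
class User:
    userid: str                                   # one person, one userid (Individual Accountability)
    groups: List[str] = field(default_factory=list)


def effective_authorities(user: User, resource: str) -> Set[Authority]:
    """Union of the authorities every one of the user's groups grants on the resource."""
    granted: Set[Authority] = set()
    for group in user.groups:
        granted |= MATRIX.get(group, {}).get(resource, set())
    return granted


def is_authorized(user: User, resource: str, authority: Authority) -> bool:
    """Default deny: True only if some group of the user grants this authority."""
    return authority in effective_authorities(user, resource)


def sod_violations(user: User) -> List[Tuple[str, str]]:
    """Conflicting group pairs held by a single userid, sorted for stable output."""
    held = set(user.groups)
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= held)


def excess_authorities(user: User, required: Dict[str, Set[Authority]]) -> Dict[str, Set[Authority]]:
    """Least Privilege audit: authorities the userid holds beyond what its job requires."""
    resources = set(required)
    for group in user.groups:
        resources |= set(MATRIX.get(group, {}))
    excess: Dict[str, Set[Authority]] = {}
    for resource in sorted(resources):
        extra = effective_authorities(user, resource) - required.get(resource, set())
        if extra:
            excess[resource] = extra
    return excess


if __name__ == "__main__":
    operator = User("OPS01", ["OPS Mgt"])
    print("bounce:", is_authorized(operator, "Comm Line Bounce", "E"))   # True
    print("add line:", is_authorized(operator, "Comm Line Add", "E"))    # False
    print("SoD:", sod_violations(User("SHARED", ["OPS Mgt", "Change Control"])))
    print("excess:", excess_authorities(operator, {"Comm Line Bounce": {"E"},
                                                   "Production Log Files": {"R"}}))
```

The `excess_authorities` report is the practical output: run it against each userid's actual job description and any non-empty result is a grant to remove or to justify in the Corporate Security Standard.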