ISO 27701, Clause 6.6.2 – User Access Management

ISO 27701 Clause 6.6.2.1 – User Registration and Deregistration

References ISO 27002 Control 5.16

User registration is governed by the use of assigned ‘identities’. Identities provide organisations with a framework to govern user access to PII and privacy-related assets and material, within the confines of a network.

Organisation needs to follow six main guidance points, in order to ensure that identities are managed correctly, and PII is protected wherever it is stored, processed or accessed:

1. Where identities are assigned to a human being, only that person is allowed to authenticate with and/or use that identity, when accessing PII.
2. Shared identities – multiple individuals registered on the same identity – should only be deployed to satisfy an unique set of operational requirements.
3. Non-human entities should be considered and managed differently to user-based identities who access PII and privacy-related material.
4. Identities should be removed once they are no longer needed – especially those with access to PII or privacy-based roles.
5. Organisations should stick to a ‘one entity, one identity’ rule, when distributing identities across the network.
6. Registrations should be logged and recorded through clear documentation, including timestamps, access levels and identity information.

Organisations who work in partnership with external organisations (particularly cloud-based platforms) should understand the inherent risks associated with such practices, and take steps to ensure that PII is not adversely affected in the process (see ISO 27002 controls 5.19 and 5.17).

Relevant ISO 27002 Controls

• ISO 27002 5.17
• ISO 27002 5.19

Applicable GDPR Articles

• Article 5 – (1)(f)

ISO 27701 Clause 6.6.2.2 – User Access Provisioning

References ISO 27002 Control 5.18

‘Access rights’ govern how access to PII and privacy-related information is both granted and revoked, using the same set of guiding principles.

Granting and Revoking Access Rights

Access procedures should include:

• Permission and authorisation from the owner (or management) of the information or asset (see ISO 27002 control 5.9).
• Any prevailing commercial, legal or operational requirements.
• An acknowledgement of the need to segregate duties, in order to improve PII security and build a more resilient privacy protection operation.
• Controls to revoke access rights, when access is no longer required (leavers etc.).
• Times access measures for temporary personnel or contractors.
• A centralised record of access rights granted to both human and non-human entities.
• Measures to modify the access rights of any personnel or third-party contractors who have changed job roles.

Reviewing Access Rights

Organisations should conduct periodical reviews of access rights across the network, including:

• Building access right revocation into HR off boarding procedures (see ISO 27002 controls 6.1 and 6.5) and role-change workflows.
• Requests for ‘privileged’ access rights.

Change Management and Leavers

Personnel who are either leaving the organisation (either wilfully or as a terminated employee), and those who are the subject of a change request, should have their access rights amended based upon robust risk management procedures, including:

• The source of the change/termination, including the underlying reason.
• The user’s current job role and attached responsibilities.
• The information and assets that are currently accessible – including their risk levels and value to the organisation.

Supplementary Guidance

Employment contracts and contractor/service contracts should include an explanation of what happens following any attempts at unauthorised access (see ISO 27002 controls 5.20, 6.2, 6.4, 6.6).

Relevant ISO 27002 Controls

• ISO 27002 5.9
• ISO 27002 5.20
• ISO 27002 6.2
• ISO 27002 6.4
• ISO 27002 6.6

Applicable GDPR Articles

• Article 5 – (1)(f)

ISO 27701 Clause 6.6.2.3 – Management of Privileged Access Rights

References ISO 27002 Control 8.2

Privileged access rights provide organisations the ability to simultaneously control access to PII and privacy-related applications and assets, and maintain the integrity of PII across their network.

Unauthorised utilisation of system administrator privileges (or elevated RBAC permissions), is one of the major causes of ICT disruption across the globe.

When managing privileged access rights with privacy protection in mind, organisations should:

• Draft a list of users who require privileged access.
• Implement procedures that allocate privileged access rights to users on an “event by event basis” – i.e. a user being given a level of access that is in accordance with their job role.
• Operate with a clear authorisation process that deals with requests for privileged access.
• Keep a centralised record of privileged access requests.
• Observe access expiry dates, where stated.
• Ensure users are aware of any privileged access rights that have been granted to them.
• Enforce re-authenticate prior to users using privileged access rights.
• Periodically review organisation-wide privileged access rights (see ISO 27002 control 5.18).
• Consider implementing a “break glass” procedure by ensuring that privileged access rights are granted within strict windows, as dictated by the nature of the request.
• Forbid the use of generic login information and guessable passwords (see ISO 27002 control 5.17).
• Allocate one identity per user, collated into access groups if required.
• Ensure that privileged access is granted reserved for critical tasks only – such as essential maintenance or incident-related activity.

Relevant ISO 27002 Controls

• ISO 27002 5.17
• ISO 27002 5.18

ISO 27701 Clause 6.6.2.4 – Management of Secret Authentication Information of Users

References ISO 27002 Control 5.17

Authentication details should be distributed and managed so that:

• Automatically-generated authentication information (passwords etc.) are kept secret from anyone not authorised to used them, aren’t guessable and are managed in a way that forces a user to change them after initial login.
• Before issuing or replacing authentication details, procedures are put in place to verify the identity of the individual who requires them.
• The correct secure channels are used to transmit authentication details (i.e not via email).
• After the details have been successfully communicate to whomever needs them, the user(s) acknowledge receipt in a timely manner.
• Any vendor-provided authentication information (such as the default username and password routers and firewalls) is changed upon receipt.
• Records are kept of relevant authentication events – especially regarding the initial allocation and subsequent administration of authentication details.

Any personnel who uses organisational authentication information should ensure that:

• All authentication details are kept strictly confidential.
• If authentication details are either compromised, viewed or shared by anyone other than the original owner, such details are changed immediately.
• Any passwords are created and/or generated in line with the organisation’s password policy, and passwords are unique across various different platforms (i.e. domain passwords are not the same as cloud service passwords).
• Contracts of employment contain an explicit requirement to follow company password policy (see ISO 27002 control 6.2).

Password Management Systems

Organisations should consider implementing a password management system (specialised password control applications) that:

• Caters for users who need to change any password that they use.
• Is programmed to reject passwords that fall outside of best practice guidelines.
• Forces users to change their system-generated password, after they use it for the first time.
• Does not permit the continued use of old passwords, or similar phrases and alphanumeric combinations.
• Hides passwords whilst they are being inputted.
• Stores and sends password information in a secure manner.
• Caters for password encryption and similar encryption techniques (see ISO 27002 control 8.24).

To safeguard PII and improve organisational privacy protection efforts, passwords should follow four guiding principles:

1. Passwords shouldn’t be constructed around guessable or biographic information.
2. Passwords shouldn’t contain any recognisable words, in place of random alphanumeric characters.
3. Special characters should be used to increase password complexity.
4. All passwords should have a minimum length (ideally 12 characters).

Organisations should also consider the use of authentication protocols such as Single Sign-On (SSO) to improve password security, but such measures should only be considered alongside the organisations unique technical and operational requirements.

Relevant ISO 27002 Controls

• ISO 27002 6.2
• ISO 27002 8.24

ISO 27701 Clause 6.6.2.5 – Review of User Access Rights

References ISO 27002 Control 5.18

See above (ISO 27701 Clause 6.6.2.2).

ISO 27701 Clause 6.6.2.6 – Removal or Adjustment of Access Rights

References ISO 27002 Control 5.18

See above (ISO 27701 Clause 6.6.2.2).

Supporting Controls From ISO 27002 and GDPR

How ISMS.online Helps

By adding a PIMS to your ISMS on the ISMS.online platform, your security posture remains all-in-one-place and you’ll avoid duplication where the standards overlap.

With your PIMS instantly accessible to interested parties, it’s never been easier to monitor, report and audit against both ISO 27002 and ISO 27701 at the click of a button.

Find out more by booking a hands on demo.