The access control policy sets out how user access to the systems and data are restricted and managed.
The Consumer Data Right gives Australian’s control of their data. That enables innovation in new products and services to those consumers. To participate as a data recipient, there are five governance requirements and 24 information security requirements. These are independently audited by a qualified firm like AssuranceLab, and included in an assurance report for accreditation.
The Access Control Policy supports several of the 24 information security requirements. The core principle underpinning this policy is that access to any systems containing sensitive data or functions should be;
- Restricted to authorised and appropriate people;
- The level of access should be the minimum level required; and
- The access should be monitored and managed with consideration of the associated risk in the systems and their sensitivity or significance.
The first step in defining an access control policy should be identifying the relevant systems used, and either a risk level of each (H, M, L) or just a list of which systems need to be restricted. The purpose of this is to inform the scope of access control practices. The nature of practices applied may vary for different systems based on the level of risk.
Then the access control policy should consider the following areas for how access is controlled.
Authentication
All user access should be authenticated to an individual user. This enables traceability and accountability. There should be password protections, and ideally multi-factor authentication for enhanced security. For the CDR Accreditation, strong password requirements, unique user access, and multi-factor authentication are required for all systems in the scope of the CDR Environment. SOC 1/2 and ISO 27001 are a bit more flexible and forgiving for systems that don’t have all of these applied, but still require a formally defined and applied approach to authentication.
Role-Based Access Control
Designing access privileges that align to user roles, helps ensure the access provided is appropriate. More complex systems may have more access privileges, which can cause confusion and raises the importance of defined access based on role. This can also apply segregation of duties by default, where the setup of access for each role is designed to prevent incompatible user access roles.
Segregation of Duties
Incompatible duties should be segregated to reduce the risk of fraud or error. If the same person can perform two tasks; eg. develop and release changes to production, or approve any of their own actions, they may bypass or undermine the established process requirements.
Access Provisioning and De-Provisioning
Access provisioning in a SaaS context has two types of users; external and internal.
External users
External users include customers, third parties, and others that aren’t part of your company. There are broadly two models for how this access is managed; (1) Your company is responsible for all access provisioning and de-provisioning, and (2) that responsibility is passed on to external administrators.
In the first case there needs to be a method of determining what access changes are appropriate; including who is authorised to request/approve new users, when users need to be removed, and when other access changes are required. In either case, it’s important to articulate the responsibilities of those external entities. This is often done through terms of service, contracts, or signing an acceptable use policy before accessing the systems. It may also be covered in the onboarding process and referenced in user guides.
Internal users
Internal users are your employees, contractors, and any other users you’re directly responsible for. There are three key parts to access provisioning;
- New/modified access should have a formal process to ensure access granted is appropriate. In larger organisations there may be multiple roles for this; a requestor, line manager approver, compliance or system owner approver, and an administrator who completes the setup or modification. In smaller organisations it may be simpler with a small number of administrators and defined role-based access, so the approvals and provisioning can be done by a single person while meeting the same objective. That is, ensuring only the appropriate access is granted based on least privilege and role requirements.
- Terminated access should be completed in a timely manner when the internal user is terminated or the access is no longer required. This should be a simple process, but is prone to failure in practice where not all access is identified and removed, communication breakdowns occur, or there’s no established process to effectively handle the termination. An off-boarding checklist is a common approach, with a list of systems that may require removal and verification that each has been removed (as well as their laptop, access pass returned, etc.).
- Periodic user access reviews are the “catch-all” check that the above practices are effective. Access control is prone to error and oversights, so this is an important check. It includes reviewing the access to each sensitive system, and particularly administrator access, to ensure all access at that point in time is appropriate. This can identify if access was provisioned incorrectly, not removed effectively, or ongoing changes over time need to be updated in the access rights. In a large organisation, these reviews may require multiple reviewers to sign off their users. Smaller organisations can have a single system owner or administrator with the knowledge and authority to confirm all user's access.
- Administration access should be restricted to the smallest number of personnel possible while retaining backup roles for continuity of those functions. There are two strategies that can be used for this; (1) the simplest is to limit access to 2-5 authorised administrators with permanent access, or (2) having a temporary access process. In either case, the access should be individually assigned or traceable to an individual and with access logging for accountability of actions performed.
Access Logging and Monitoring
Administrative access in particular should be logged and monitored. This is important both for the accountability of your administrators, but also for identifying security breaches by external actors. Monitoring can be performed by automated alerts and periodic reviews of the logs. The alerts may identify fewer areas of concern. They only apply when certain criteria are met, such as changes to the infrastructure configurations. Reviewing the logs may identify further indicators of suspicious activity. It's best to use a combination of automated alerts and manual reviews, as the volume of logs and manual nature of reviews may mean slower identification and things being missed.
Network monitoring should also be performed to identify any suspicious access attempts or behaviour on the network. There are various software solutions to support this practice, some that come “out of the box” with cloud infrastructure like AWS Guard Duty and Google Cloud Monitoring. Similar to administrator logs, you can use automated alerts and/or manual reviews of the logs. A combination of both is best.
Aside from those content areas, all policies should include version control, documented roles and responsibilities related to the policy, and any exemptions or processes for handling variances. Read our Best Practices Policies post for further detail on those generic areas.
Consumer Data Right & SOC 2
The requirements for the CDR accreditation are more prescriptive than SOC 2. However, both require most of the practices noted above. SOC 2 reports don’t always include administrator access logging, log review controls, and multi-factor authentication (strong passwords may be sufficient). The CDR doesn’t always look at external access control as it includes B2C products where users sign up and manage their own access directly.
About AssuranceLab
AssuranceLab is a modern cybersecurity audit firm that provides assurance reports (ASAE 3150, SOC 1/2). We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach; saving time, costs, and headaches along the way.