Identity and Access Management

A key component of the Information Security Program is the set of identity and access management policies.

IAM Control Domains

IAM-01: Audit Tools Access -

  • IAM-01.1: Do you restrict, log, and monitor access to your information security management systems (e.g., hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.)?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-01.2: Do you monitor and log privileged access (e.g., administrator level) to information security management systems?


Policy to be referenced here is INSERT
*Action item: INSERT

IAM-02: User Access Policy -

  • IAM-02.1: Do you have controls in place ensuring timely removal of systems access that is no longer required for business purposes?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-02.2: Do you have policies, procedures and technical measures in place to ensure appropriate data/assets access management in adherence to legal, statutory or regulatory compliance requirements?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-02.3: Do you have procedures and technical measures in place for user account entitlement de-/provisioning based on the rule of least privilege?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-02.4: Do you have procedures and technical measures in place for data access segmentation in multi-tenant system architectures?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-02.5: Do you enforce data access permissions based on the rules of Authentication, Authorization and Accountability (AAA)?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-02.6: Do your policies and procedures incorporate security controls for establishing higher levels of assurance for critical business case considerations, supported by multifactor authentication?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-02.7: Do you provide metrics to track the speed with which you are able to remove systems access that is no longer required for business purposes?


Policy to be referenced here is INSERT
*Action item: INSERT

IAM-03: Diagnostic / Configuration Ports Access -

  • IAM-03.1: Is user access to diagnostic and configuration ports restricted to authorized individuals and applications?


Policy to be referenced here is INSERT
*Action item: INSERT

IAM-04: Policies and Procedures -

  • IAM-04.1: Do you manage and store the identity of all personnel who have access to the IT infrastructure, including their level of access?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-04.2: Do you manage and store the user identity of all personnel who have network access, including their level of access?


Policy to be referenced here is INSERT
*Action item: INSERT

IAM-05: Segregation of Duties -

  • IAM-05.1: Do you provide tenants with documentation on how you maintain segregation of duties within your cloud service offering?


Policy to be referenced here is INSERT
*Action item: INSERT

IAM-06: Source Code Access Restriction -

  • IAM-06.1: Are controls in place to prevent unauthorized access to your application, program, or object source code, and assure it is restricted to authorized personnel only?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-06.2: Are controls in place to prevent unauthorized access to tenant application, program, or object source code, and assure it is restricted to authorized personnel only?


Policy to be referenced here is INSERT
*Action item: INSERT

IAM-07: Third Party Access -

  • IAM-07.1: Does your organization conduct third-party unauthorized access risk assessments?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-07.2: Are preventive, detective, corrective, and compensating controls in place to mitigate the impact of unauthorized or inappropriate access?


Policy to be referenced here is INSERT
*Action item: INSERT

IAM-08: User Access Restriction / Authorization -

  • IAM-08.1: Do you document how you grant, approve and enforce access restrictions to tenant/customer credentials following the rules of least privilege?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-08.2: Based on the rules of least privilege, do you have policies and procedures established for permissible storage and access of identities used for authentication?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-08.3: Do you limit identities' replication only to users explicitly defined as business necessary?


Policy to be referenced here is INSERT
*Action item: INSERT

IAM-09: User Access Authorization -

  • IAM-09.1: Does your management provision the authorization and restrictions for user access (e.g., employees, contractors, customers (tenants), business partners, and/or suppliers) prior to their access to data and any owned or managed (physical and virtual) applications, infrastructure systems, and network components?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-09.2: Do you provide, upon request, users with a legitimate interest (e.g., employees, contractors, customers (tenants), business partners and/or suppliers) access to data and any owned or managed (physical and virtual) applications, infrastructure systems and network components?


Policy to be referenced here is INSERT
*Action item: INSERT

IAM-10: User Access Reviews -

  • IAM-10.1: Do you require a periodical authorization and validation (e.g. at least annually) of the entitlements for all system users and administrators (exclusive of users maintained by your tenants), based on the rule of least privilege, by business leadership or other accountable business role or function?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-10.2: Do you collect evidence to demonstrate that the policy (see question IAM-10.1) has been enforced?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-10.3: Do you ensure that remediation actions for access violations follow user access policies?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-10.4: Will you share user entitlement and remediation reports with your tenants, if inappropriate access may have been allowed to tenant data?


Policy to be referenced here is INSERT
*Action item: INSERT

IAM-11: User Access Revocation -

  • IAM-11.1: Is timely deprovisioning, revocation, or modification of user access to the organization's systems, information assets, and data implemented upon any change in status of employees, contractors, customers, business partners, or involved third parties?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-11.2: Is any change in user access status intended to include termination of employment, contract or agreement, change of employment or transfer within the organization?


Policy to be referenced here is INSERT
*Action item: INSERT

IAM-12: User ID Credentials -

  • IAM-12.1: Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solutions to your service?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-12.2: Do you use open standards to delegate authentication capabilities to your tenants?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-12.3: Do you support identity federation standards (e.g., SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-12.4: Do you have a Policy Enforcement Point capability (e.g., XACML) to enforce regional legal and policy constraints on user access?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-12.5: Do you have an identity management system (enabling classification of data for a tenant) in place to enable both role-based and context-based entitlement to data?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-12.6: Do you provide tenants with strong (multifactor) authentication options (e.g., digital certs, tokens, biometrics, etc.) for user access?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-12.7: Do you allow tenants to use third-party identity assurance services?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-12.8: Do you support password (e.g., minimum length, age, history, complexity) and account lockout (e.g., lockout threshold, lockout duration) policy enforcement?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-12.9: Do you allow tenants/customers to define password and account lockout policies for their accounts?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-12.10: Do you support the ability to force password changes upon first logon?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IAM-12.11: Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-service via email, defined challenge questions, manual unlock)?


Policy to be referenced here is INSERT
*Action item: INSERT

IAM-13: Utility Programs Access -

  • IAM-13.1: Is access to utility programs used to manage virtualized partitions (e.g., shutdown, clone, etc.) appropriately restricted and monitored?


Policy to be referenced here is INSERT
*Action item: INSERT

Related Documents

  • None