January 27, 2014

2.2.4 User rights and permissions reviews

User rights and permissions reviews

A privilege is a property of an agent, such as a user while a permission is a property of an object, such as a file. A privilege lets the agent do things that are not ordinarily allowed while permission says which agents are permitted to use the object, and what they are permitted to do (e.g. read it, modify it).

A privilege is an ability or activity that a user account is granted permission to perform.
Privileges or rights are something you are allowed to do based on who you are. One or more privileges are bundled together to form a role. A role is a predefined set of privileges. Roles provide a way to aggregate all the individual privileges that are required to perform a higher-level task.
A privilege is a permission to perform an action.

Permissions grant users the right to perform the activities specified by the role on the object to which the role is assigned.

Users are assigned privileges based on their roles or work activities. The principle of least privilege states that people or processes should have the lowest level of user rights necessary to perform a task and they should retain those privileges for the shortest necessary period.

Privilege escalation is the malicious acquisition or exercise of higher privilege levels than was intended for the user or application. Privilege escalation is a security violation and is enabled by a flaw in the policy, configuration, service or application and can occur when administrators fail to audit assigned privileges.

Administrators and security personnel should audit overall organizational policies and procedures as well as the assignment and use of privileges by individual users and groups. “Knowing what users are doing and how often they do it may assist administrators in assigning and managing privileges.”††

Auditing is the process of ensuring that an organization’s security policies are implemented effectively and consistently and where they are not, corrective measures can be taken. For audits to be effective, they require the cooperation of various departments in the organization. For example the human resources department should proactively inform the information security department when employees leave the organization or they change jobs or roles.

User, group and role management involves understanding the rights, privileges and users required to complete specific work tasks and monitoring these over time to ensure that the right users maintain the right privileges for their specific roles. As users change roles, or leave the organization, their privileges and permissions must be adjusted promptly.

For audits to be effective, they should be done periodically and should cover areas such as:
  • Privileges – to ensure that accounts and roles are assigned and followed appropriately
  • Escalation – ensure that the process of gaining privileges is not compromised
  • Usage – ensure that system resources are used commensurate with the organization’s policies
  • Administration – involves documenting policies and procedures, tracking assets and responsibilities and managing event log files.
The output of an audit should include an outline of the findings listing and explaining any violations and should make recommendations for improvement.

User education is an important component to effective user and privilege management. Users should be familiar both with the security policy and the resulting risk to the organization if the policy is not implemented effectively.
References:

No comments:

Post a Comment