Security and Privacy Controls for Federal Information Systems - Essay Example

3.1 Access control Access control is a security control family that consists of security controls denoted by the identifier AC and range from AC-1 to AC-22. This control family falls under the technical class due to its characteristics. Access control policy and procedures (AC-1) is a control that is intended to produce the policy and procedures required in order to effectively implement the selected controls and control enhancements in the access control family. 3.1.2 Security control baseline AC-1: Access control policy and procedures P1 LOW AC-1 MOD AC-1 HIGH AC-1 3.2.3 Implementation status AC-1: Access control policy and procedures is assigned priority code P1 meaning that it is sequenced first hence the implementation is fully controlled. NIST SP 800-53 (2010) Control: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a. A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b.Formal, documented procedures to facilitate the implementation of the access control policy and associated access controls NIST SP 800-53 (2010) Control Enhancements: None NIST SP 800-53A (2010) Control Expected Results: Determine if: (i) the organization develops and formally documents access control policy; (ii) the organization access control policy addresses: -purpose; -scope; -roles and responsibilities; -management commitment; -coordination among organizational entities; and -compliance; (iii) the organization disseminates formal documented access control policy to elements within the organization having associated access control roles and responsibilities; (iv) the organization develops and formally documents access control procedures; (v) the organization access control procedures facilitate implementation of the access control policy and associated access controls; and (vi) the organization disseminates formal documented access control procedures to elements within the organization having associated access control roles and responsibilities 2.3.2 Implementation of Access control a) Internal Revenue Service (IRS) developed a documented access control policy that addressed the purpose, roles, responsibilities, management commitment, coordination among organizational entities, and compliance to all rules and regulations. b) We also developed and documented procedures to facilitate the implementation of the access control policy and associated access controls including risk management. c) These procedures and rules will be reviewed and updated at a specified period of time. 3.2.1 Account management Account management is a control within the Access control family. It is denoted by identifier AC-2: This control enables the organization to manage information systems accounts including identifying account types, establishing conditions or membership, identifying authorized users of the information system and specifying user privileges. 3.2.2 Baseline and Implementation status P1 LOW AC-2 MOD AC-2(1)(2)(3)(4) HIGH AC-2(1)(2)(3)(4) Implementation status This control is assigned priority code P1 meaning that it is sequenced first hence the implementation is fully controlled. NIST SP 800-53 (2010) Control: The organization manages information system accounts, including: a. Identifying account types (examples: individual, group, system, application, guest and temporary); b. Establishing conditions for group membership; c. Identifying authorized users of the information system and specifying access privileges; d. Requiring appropriate approvals for requests to establish accounts; e. Establishing, activating, modifying, disabling, and removing accounts; f. Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts; g. Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to­ know/need-to-share changes; h. Deactivating temporary accounts that are no longer required and accounts of terminated or transferred users; i. Granting access to the system based on: (i) a valid access authorization (ii) Intended system usage; and (iii) Other attributes as required by the organization accounts [Assignment: organization-defined frequency]. NIST SP 800-53 (2010) Control Enhancements: None NIST SP 800-53A (2010) Control Expected Results: Determine if: The organization manages information system accounts by: i. Identifying account types such as: -individual, -group, -system -application - guest and - temporary ii. Establishing conditions for group membership iii. Identifying authorized users of the information system and specifying access privileges iv. Requiring appropriate approvals for requests to establish accounts v. Establishing, activating, modifying, disabling, and removing accounts vi. Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts vii. Notifying account managers when temporary accounts are no longer required and when information system users are terminated transferred, or information system usage or need-to­ know/need-to-share changes. viii. Deactivating: - temporary accounts that are no longer required; and - accounts of terminated or transferred users ix. Granting access to the system based on: - a valid access authorization; -intended system usage; and -other attributes as required by the organization or associated missions/business functions; and -Reviewing accounts. 3.3.3 Implementation of Account management 1. Internal revenue service (IRS) is an organization that deals with a wide range of users who will include: individuals, groups, the system administrators, guests and temporary users. 2. We set an automated mechanism which evaluates conditions for membership for each user: a) Any individual member must be at least 18 years of age. b) Each member must provide a national ID. No. or passport no. for registrations. c) Each group must comprise of at least five members 3. We also set up an automated mechanism to authorize the users of the information system and specify access privileges for each member. a) Individual users can modify and update their details and also view their Revenue details. b) Groups can also modify and update their details and also view their Revenue details. c) System administrators can login into the system and access all the available information any time they are require doing so. d) Guests may only be able to access general information regarding IRS. e) Temporary users will only be able to access minimal information awaiting authorization of individual accounts. 4. The system will create a temporary account for each member who applies for membership immediately their details are received. The information system will audit the details submitted by each applicant and verify the authenticity of the data then create an account or decline to create depending on the outcome of the verification process. The member will be supplied with a login ID and a password which they can modify. 6. Any time a member wishes to access the system, he will be required to enter his login ID and password and permission will be granted. 7. Any inactive account for a period of 6 months will be deactivated and deleted from the system. 8. All member accounts will be reviewed by IRS every 12 months to authenticate the information within them. References NIST Special Publication, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013. National Institute of Standards and Technology Federal Information Processing Standards Publication 188, Standard Security Labels for Information Transfer, Sept 1994. Read More