To maintain the confidentiality, integrity, and availability of data, organizations should have proper logical access controls in place, meaning that the right person has access to the right data at the right time. Logical access controls should also enforce segregation of conflicting duties: one person should not be able to initiate, authorize, and approve the same transaction. Additionally, sensitive data should be protected by added levels of control (e.g., multi-factor authentication).
Expert Opinion - Logical Access Control
Control Objective
Policy is documented, followed, reviewed, and updated regularly
Address onboarding, off-boarding, transitions between roles, regular access reviews, limits and controls on the use of administrator privileges, and inactivity timeouts
Employees, contractors, and vendors should be provided only with the access they are authorized to use (least privilege)
Conflicting duties and areas of responsibility must be identified and segregated to reduce incidents of fraud and other abuse (separation of duties)
Multi-factor authentication is required for access to sensitive data from untrusted networks
System accounts that cannot use multi-factor authentication must rely on strong password-based authentication (e.g., password length/complexity requirements, password history, and password aging; note that current guidance such as NIST SP 800-63B discourages mandatory periodic rotation unless there is evidence of compromise).