Logical Access Control
To maintain the confidentiality, availability, and integrity of data, organizations should have proper logical access controls in place. Meaning the right person has access to the right data, and at the right time. Logical access controls should ensure appropriate segregation of conflicting duties; one person should not be able to initiate a transaction, authorize, and approve the transaction. Additionally, sensitive data should protected by added levels of control (i.e. Multi-Factor Authentication).
- Policy is documented, followed, reviewed, and updated regularly
- Address onboarding, off-boarding, transition between roles, regular access reviews, limit and control use of administrator privileges, and inactivity timeouts
- Employees/contractors/vendors should be provided only with the access they are authorized to use
- Conflicting duties and areas of responsibility must be identified and segregated to reduce incidents of fraud and other abuse (separation of duties)
- Multi-factor authentication is required for access to sensitive data from untrusted networks
- System accounts unable to use multi-factor must leverage strong authentication (e.g.. password aging, length/complexity, history).