ISO 27002 and Safeguarding Privileged Access
January 28, 2015 | Regulations, Audit & Compliance | John Worrall
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have published an updated ISO/IEC 27002 standard that organizations the world over should follow as a baseline of security best practice. ISO/IEC 27002 matters because it provides an international framework that auditors rely on when verifying compliance with security mandates, and if the string of high-profile breaches in the past 12 months has taught us one thing, it is that best practices are still not being followed when it comes to general security controls.
There is a lot of good information in the updated standard, and one key addition centers on privileged account management. The standard is dense with content, as a typical standards framework is, so we wrote a new white paper, “Safeguarding Privileged Access: Implementing ISO/IEC 27002 Security Controls with the CyberArk Solution,” that lays out a blueprint for implementing the CyberArk Privileged Account Security Solution to enforce the controls in the standard that pertain to privileged access.
We all know that true security goes well beyond compliance; nevertheless, many organizations use the ISO/IEC standard as the starting point for their information security program. For large global enterprises that operate in multiple countries, it can serve as a general controls framework that helps achieve compliance with many country-specific regulations. For small-to-medium sized companies, it can be an effective tool for establishing more mature information security controls.
The recommendations stress the importance of managing privileged access rights in order to protect information. As our recent threat report showed, this is critical to thwarting advanced attacks. For example, in cases of termination or resignation, disgruntled employees or contractors can use their privileged access rights to deliberately corrupt or sabotage information, or be tempted to collect information for future use.
There are controls related to securing privileged accounts throughout the ISO/IEC 27002:2013 standard, including requirements for:
- Establishing and implementing privileged access policy
- Identifying the privileged access rights associated with each system or process
- Restricting the use of privileged access to authorized users based on functional roles
- Authenticating privileged users, ensuring individual accountability for privileged actions
- Changing default vendor passwords
- Restricting access to privileged utility programs
- Controlling privileged access by suppliers
- Logging and monitoring privileged access
If you would like to learn more about the new standard, read through our paper or listen to our recent webinar, both of which outline how best to protect privileged accounts in order to address the new controls.