This is the first of a fourteen piece blog series intended to describe how Ascolta Greenfield environments achieve National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 1, Protecting Controlled Unclassified Information in Non-federal Systems,compliance. This entry covers the controls contained in the Access Control Policy and Procedures family.
What is it?
Access is the ability to make use of any system resource. Access control is the process of granting or denying requests to:use information,use information processing services, andenter company facilities.📷System-based access controls are called logical access controls. Logical access controls prescribe not only who or what (in the case of a process) is permitted to have access to a system resource, but also the type of access that is permitted. These controls may be built into the operating system, incorporated into applications programs or major utilities (e.g., database management systems, communications systems), or implemented through add-on security packages. Logical access controls may be implemented internally to the system being protected or in external devices. Examples of access control security requirements include account management, separation of duties, least privilege, session lock, information flow enforcement, and session termination.
How does Greenfield solve it?
Out of the box the Greenfield system meets nine of the twenty-two controls associated with this family. The simple to use and easy to follow Greenfield on-boarding process walks you through the necessary steps to implement the remaining thirteen controls.During the on-boarding process we establish and document key user roles and responsibilities to allow for easy enforcement of separation of duties. A Greenfield subscription provides the guidance required for client administrators to utilize AWS GovCloud Identity and Access Management (IAM) services to control who, how, when, and where data can be accessed. On Greenfield systems, each user has their own system account and the required audit logging is automatically configured. Greenfield Account Managers advise client administrators on how to best use Access Control Lists to selectively add (grant) certain permissions on individual objects, so that all actions are logged on a per-user basis. Additionally, during the on-boarding process we authorize and document interconnections between Greenfield and other systems and/or applications. Finally, we provide policy templates for Access Control, Data Handling and Storage, Mobile Devices, and Encryption.📷