Access Control Lists
Do you know who has access to your most sensitive data? Access Control Lists (ACLs) place people into groups and define which types of information each group may access. For instance, your HR department has access to employee salary and performance information, training and certifications, and medical plans. Likewise, the finance department has access to financial contract information, salary information, tax information, possibly inventory control information, and general accounting ledger information.
These are clear-cut lines of authority, but what about Controlled Unclassified Information (CUI) produced for Federal contracts? Does everyone on the contract need to see this information? Does everyone need to see it in final form? Does executive leadership need to see it?
The Importance of Enforcing Limited ACLs
The Government hired small companies to write manuals for research end products. The Government then lost billions of dollars in research and development because information from those end-product research manuals was compromised. A large reason this occurred was that basic security controls such as ACLs were not properly designed or enforced, leaving vulnerabilities in the infrastructure.
Constantly Update ACLs for Optimal Security
The problem with ACLs is that the people in them hold multiple roles in the company, or take on other roles, which requires that the ACLs be updated. A security officer who now works in the finance department can be a very dangerous person if that individual has access to financial information and can still inspect and delete audit information. Likewise, employees who have been removed from a contract should not remain on any distribution list dealing with work product for that contract.
Recently, a co-worker who left his company confided in me that he was still able to log into his former company e-mail account. This access went on for 90 days.
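The three ACL failures described in this section can be checked mechanically. The following is an added example, not code from ASCERTIS Solutions or the original article; the group names, roster, separation dates and the forbidden role pair are constructed for illustration.

```python
from datetime import date

# Constructed sample data (not from any real system).
GROUPS = {
    "finance-data": {"alice", "bob"},
    "audit-admin": {"bob", "carol"},          # can inspect and delete audit logs
    "contract-X-dist": {"alice", "dave", "erin"},
}
CONTRACT_ROSTER = {"contract-X": {"alice", "dave"}}   # who is actually on the contract
SEPARATED = {"erin": date(2024, 1, 10)}               # employee -> separation date
ENABLED_ACCOUNTS = {"alice", "bob", "carol", "dave", "erin"}
AUDIT_DATE = date(2024, 4, 9)                         # day the review is run

# Hypothetical separation-of-duties rule: one account must never hold both.
TOXIC_PAIRS = [("finance-data", "audit-admin")]


def toxic_combinations(groups=GROUPS, pairs=TOXIC_PAIRS):
    """Accounts that hold both halves of a forbidden role pair."""
    return sorted(
        (user, a, b) for a, b in pairs for user in groups[a] & groups[b]
    )


def stale_distribution_members(groups=GROUPS, roster=CONTRACT_ROSTER):
    """Members of a contract distribution list who are not on that contract's roster."""
    findings = []
    for contract, members in roster.items():
        dist = groups.get(f"{contract}-dist", set())
        findings.extend((user, contract) for user in sorted(dist - members))
    return findings


def lingering_accounts(today, separated=SEPARATED, enabled=ENABLED_ACCOUNTS):
    """Still-enabled accounts of separated employees, with days since separation."""
    return sorted(
        (user, (today - left).days)
        for user, left in separated.items()
        if user in enabled
    )


if __name__ == "__main__":
    print("toxic role combinations:", toxic_combinations())
    print("stale distribution members:", stale_distribution_members())
    print("lingering accounts:", lingering_accounts(AUDIT_DATE))
```

Run against real group exports, each non-empty result is an ACL that needs updating before the next assessment.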
Access Control Management and NIST SP800-171
Access control management is 1 of 14 security disciplines that are checked in a NIST SP800-171 assessment. If you are a small business and expect to process or transmit Controlled Unclassified Information (CUI), you will need to conduct an assessment of your information technology and information assurance procedures. You must also present a body of evidence as part of your contract requirements. ASCERTIS Solutions provides the expertise to quickly help you get assessed and authorized to meet your contractual requirements.
Can You Safely Self-Assess NIST Standards?
Many small businesses that provide contract work to the Federal Government have limited security expertise in-house. As such, the first question to ask is, "Do we have in-house expertise that understands the requirements of NIST 800-171?" If the answer is "no," then avoid any company that allows you to self-assess with their software. They are setting you up for failure. Having access to a software compiler does not make a person a software engineer; similarly, having access to security assessment software does not make a person a security assessor. If your company does not have several employees with a Certified Information Systems Security Professional (CISSP) or Certified Information Security Auditor (CISA) certification, then you need to hire a company that will guide you through the process.
Why ASCERTIS Solutions Fits Your Needs
With ASCERTIS Solutions, your company receives a good/better/best menu of controls, each meeting the key requirement of the corresponding control. Each control is described in plain English so that a non-security executive of the company can understand the requirements. The independent assessor (certifier) starts by explaining the role of the Authorizing Official (usually the CEO or the CISO) in the process, as well as the timeline for conducting the initial assessment. The application is designed so that a typical small company (75 to 150 employees) can complete an assessment in less than a week.