A.5.18 Access Rights would include:
- Access Control Policy: Documentation of an access control policy that outlines the principles and guidelines for granting and managing access rights to information assets and resources.
- User Roles and Responsibilities: Documentation of defined user roles and their corresponding responsibilities, including permissions, privileges, and restrictions associated with each role.
- User Access Requests: Records of user access requests, including the process followed for requesting access, approval workflows, and documentation of authorized access.
- Access Provisioning and De-provisioning: Evidence of processes and procedures for provisioning new users with appropriate access rights and promptly de-provisioning access when employees change roles, leave the organization, or no longer require access.
- Least Privilege Principle: Documentation of the implementation of the least privilege principle, ensuring that users are granted the minimum necessary access required to perform their job tasks.
- Separation of Duties: Documentation of how access rights are allocated to prevent conflicts of interest and fraud, ensuring that no single user has excessive access to critical functions.
- Access Reviews and Audits: Records of periodic access reviews and audits conducted to ensure that access rights remain appropriate and aligned with job roles and responsibilities.
- Access Control Mechanisms: Documentation of technical controls used to enforce access rights, such as access control lists (ACLs), role-based access control (RBAC), and attribute-based access control (ABAC) mechanisms.
- User Account Management: Proof of mechanisms to manage user accounts, including account creation, modification, suspension, reactivation, and account termination.
- User Authentication: Evidence of authentication mechanisms used to verify the identity of users before granting access, ensuring only authorized users gain entry.
- Monitoring and Logging: Documentation of monitoring and logging mechanisms that track access activities, failed and successful access attempts, and user actions within the systems.
- Incident Response Plans: Documentation of plans outlining how the organization responds to unauthorized access incidents or breaches of access rights.
- Privileged Access Management: Information about controls in place to manage and monitor privileged access to critical systems and resources.
- Access Control Testing: Records of assessments or tests conducted to evaluate the effectiveness of access controls, identify vulnerabilities, and ensure compliance.
- Training and Awareness: Documentation of training and awareness programs provided to employees regarding access rights, privileges, and security practices.
By examining these pieces of evidence, an auditor can assess whether the organization has implemented effective access control mechanisms, policies, and procedures to ensure that users have appropriate access to information assets while preventing unauthorized access and maintaining data confidentiality, integrity, and availability.