ISO/IEC 27001 Control 5.10: Acceptable use of information and other associated assets
Control
Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.
Necessity of MidPoint
MidPoint is necessary to implement this control properly.
MidPoint features and capabilities are essential for efficient implementation of this control. While it is theoretically possible to implement this control without a comprehensive IGA platform in place, such an implementation is likely to be inefficient, costly, slow and unreliable in the long run. MidPoint makes implementation of this control efficient and reliable.
Implementation Overview
The access control mechanisms of midPoint can be used to manage access rights and to keep a record of them.
Implementation Details
MidPoint maintains a record of the authorized users of information and other associated assets. MidPoint assignments provide a record of authorized uses of information, including metadata that records the reasons for granting the rights to users.

Role-based access control (RBAC), extended by policy-driven RBAC (PD-RBAC) and combined with organizational structure capabilities, can be used to automate management of access rights, thereby implementing the rules for acceptable use of information. Classifications together with policy rules can be used to implement policy-based access restrictions that support the protection requirements of each classification level. Policy rules applied to classifications (or individually to assets) can be used to require appropriate information handling training as a prerequisite for gaining access to an asset. Notifications can be used to deliver guidance on acceptable use of a system at the moment the account is created on that system.

MidPoint can use the audit trail to record changes in access rights to assets. The object history feature can be used to reveal which access rights or users were related to an asset in the past.
Rationale
MidPoint has supporting features to manage acceptable use of information.
Related Features
Related Controls
- ISO/IEC 27001 6.3: Information security awareness, education and training
- ISO/IEC 27001 5.9: Inventory of information and other associated assets
- ISO/IEC 27001 5.19: Information security in supplier relationships
- ISO/IEC 27001 5.20: Addressing information security within supplier agreements
- ISO/IEC 27001 5.21: Managing information security in the ICT supply chain