ISO/IEC 27001 Control 5.2: Information security roles and responsibilities

Control

Information security roles and responsibilities should be defined and allocated according to the organization needs.

Necessity of MidPoint

MidPoint is necessary to implement this control properly.

MidPoint features and capabilities are essential for efficient implementation of this control. While it is theoretically possible to implement this control without a comprehensive IGA platform in place, the implementation is likely to be inefficient, costly, slow and unreliable in the long run. MidPoint can make implementation of this control efficient and reliable.

Implementation Overview

MidPoint provides essential management capabilities of roles and responsibilities by using its advanced role-based access control (RBAC) mechanisms.

Implementation Details

Roles can be defined in midPoint, including all necessary privileges, role hierarchies, policies and descriptive data, especially for security personnel (e.g. security manager). Role governance can be managed in midPoint, recording business owners, custodians and approvers responsible for day-to-day operation. Such a governance approach can be applied to roles, the application catalog and other aspects of midPoint, bringing governance closer to the assets.

Roles related to information security can be marked with the pre-defined "Information security" classification, which makes sure the roles are properly staffed and reported in dashboards. Regular information classifications can be used together with policy rules to make sure that all security personnel who are assigned sensitive roles satisfy the requirements for such roles, such as clearance or training requirements. The results can be used in reports and dashboards to manually remedy the situation.

The role catalog can be used to organize roles according to various criteria, for example according to security responsibilities. The approval process can be used to configure additional approval for security-sensitive roles, including an escalation mechanism for the approval process. Organizational structure can be used to assign collective responsibilities, e.g. common responsibilities and privileges of security teams. The escalation capability can be used to maintain accountability of upper management, making sure that delegated responsibilities are carried out in a timely manner. The simulation capability can be used to predict the effects of role model changes. The application inventory can be combined with the concept of "relation" and policy rules to make sure every application (asset) is properly owned.
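The following midPoint object definitions are an added illustration of the role-governance pattern described above (a security-manager role with a recorded owner and owner approval for every new assignment); they are not taken from the midPoint documentation or from this page. The element names follow midPoint's common-3 schema as the editor knows it; the OIDs, the user name and the resource are placeholders, and the "Information security" classification and clearance policy rules mentioned in the text are not shown.

```xml
<!-- Added example, not from the original page: a security-manager role with owner governance.
     All OIDs are placeholders; replace them with real object identifiers before import. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">

    <role oid="ROLE-OID-PLACEHOLDER">
        <name>Security Manager</name>
        <description>Accountable for the information security programme (ISO/IEC 27001 control 5.2).</description>
        <!-- Elevated privileges: flag the role as high risk so it shows up in risk reports. -->
        <riskLevel>high</riskLevel>
        <requestable>true</requestable>

        <!-- Privileges granted to holders of the role: an account on a placeholder
             resource (for example the SIEM). -->
        <inducement>
            <construction>
                <resourceRef oid="RESOURCE-OID-PLACEHOLDER" type="ResourceType"/>
            </construction>
        </inducement>

        <!-- Governance: any new assignment of this role must be approved by its owner.
             The owner is whoever holds the role with relation org:owner (see the user below). -->
        <assignment>
            <policyRule>
                <name>owner-approval-for-security-manager</name>
                <policyConstraints>
                    <assignment>
                        <operation>add</operation>
                    </assignment>
                </policyConstraints>
                <policyActions>
                    <approval>
                        <approverRelation>org:owner</approverRelation>
                    </approval>
                </policyActions>
            </policyRule>
        </assignment>
    </role>

    <!-- Ownership is recorded on the owner's side: the user holds the role with the
         org:owner relation instead of being granted its privileges. -->
    <user oid="USER-OID-PLACEHOLDER">
        <name>ciso</name>
        <assignment>
            <targetRef oid="ROLE-OID-PLACEHOLDER" type="RoleType" relation="org:owner"/>
        </assignment>
    </user>

</objects>
```

With these objects in place, a request to assign "Security Manager" to anyone creates an approval work item for the user holding the owner relation; because ownership is an assignment rather than a free-text field, the owner can be reported on, re-certified and replaced through the same mechanisms as any other role membership.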

Rationale

MidPoint is necessary for consistent application of security roles and responsibilities. Security personnel often have elevated privileges. MidPoint can make sure that the privileges are properly recorded, that they are automatically revoked when needed, and that they are regularly re-certified. While, in theory, this can be done manually, it is not practical, and there may be issues with consistent management of privileges and their timely revocation.
