ISO/IEC 27001 Control 5.29: Information security during disruption
Control
The organization should plan how to maintain information security at an appropriate level during disruption.
Necessity of MidPoint
MidPoint is optional for implementation of this control.
Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.
Implementation Overview
MidPoint maintains all policies and rules during incident response. Pre-configured emergency access controls can be activated during incident response. Synchronization can be used to restore security after the disruption.
Implementation Details
The policy-driven RBAC mechanism can be used to activate pre-configured emergency access controls during disruption, providing controlled and panic-free elevation of privileges for incident responders. Simulation can be used to validate such pre-configured privileges and policies and their effect on the system, to make sure they can be used to maintain critical business processes following an interruption or failure. Certification campaigns can be used to make sure emergency privileges are reviewed at regular intervals, covering both the assignment of emergency privileges to users and the content of the emergency roles. Segregation of duties, information classification and other policy rules are still applied during a disruption (e.g. an incident), hindering attempts by the attacker or by the responders to create a major access control breach.

The synchronization capability can be explicitly invoked during or after the disruption to make sure access control rules are still properly applied. Live synchronization in particular can discover, in near real time, illegal accounts and privileges created by an attacker. Other forms of synchronization can detect leftovers from incident response, to maintain security and compliance after the incident. Any illegal access can be de-provisioned (deactivated) automatically using synchronization reactions, or manually using the activation schema and identity lifecycle controls. The provisioning consistency capability of midPoint automatically corrects all inconsistencies it discovers, including policy violations. Object marks can be used to mark suspicious accounts and roles during disruption for closer investigation at a later date.

Should there be a need to create a replacement system during disruption, midPoint RBAC mechanisms together with the efficient provisioning engine can be used to quickly and automatically grant access to the replacement system, maintaining appropriate access levels for individual users.
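As an added illustration (not part of the midPoint documentation or the product's own samples), the following midPoint objects show two of the mechanisms the text above relies on: a pre-configured emergency role guarded by a segregation-of-duties exclusion and assigned to a responder with a time-boxed validity, and a resource synchronization configuration that deactivates accounts with no matching owner instead of adopting them. Element names follow the midPoint 4.6+ object schema as I know it; all names and OIDs are placeholders, the connector, mapping and correlation parts of the resource are left out, and the fragment should be checked against the schema of the midPoint version actually in use.

```xml
<!-- Added example, not from the midPoint documentation. Names and OIDs are placeholders. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">

  <!-- 1. Pre-configured emergency role. It exists (and can be simulated and
       certified) before any incident, so responders do not have to improvise. -->
  <role oid="11111111-1111-1111-1111-111111111111">
    <name>Emergency Incident Responder</name>
    <description>Elevated access for incident response; assign only for the duration of a declared incident.</description>
    <assignment>
      <!-- Segregation of duties: this role may not be held together with the
           (placeholder) auditor role. The rule stays enforced during the incident. -->
      <policyRule>
        <name>emergency-responder-excludes-auditor</name>
        <policyConstraints>
          <exclusion>
            <targetRef oid="22222222-2222-2222-2222-222222222222" type="RoleType"/>
          </exclusion>
        </policyConstraints>
        <policyActions>
          <enforcement/>
        </policyActions>
      </policyRule>
    </assignment>
  </role>

  <!-- 2. Time-boxed assignment of the emergency role to a responder.
       validTo makes the elevation expire without anyone having to remember to revoke it,
       and the assignment remains visible to certification campaigns while it is valid. -->
  <user oid="33333333-3333-3333-3333-333333333333">
    <name>responder1</name>
    <assignment>
      <targetRef oid="11111111-1111-1111-1111-111111111111" type="RoleType"/>
      <activation>
        <validFrom>2024-01-01T00:00:00Z</validFrom>
        <validTo>2024-01-03T00:00:00Z</validTo>
      </activation>
    </assignment>
  </user>

  <!-- 3. Resource fragment: synchronization reactions for the account object type.
       connectorRef, connectorConfiguration, attribute mappings and the correlation
       definition are omitted here; only the reaction part relevant to the control is shown. -->
  <resource oid="44444444-4444-4444-4444-444444444444">
    <name>Business Application (placeholder)</name>
    <schemaHandling>
      <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <default>true</default>
        <delineation>
          <objectClass>ri:AccountObjectClass</objectClass>
        </delineation>
        <synchronization>
          <!-- Account already owned by a midPoint user: keep it in line with policy. -->
          <reaction>
            <situation>linked</situation>
            <actions>
              <synchronize/>
            </actions>
          </reaction>
          <!-- Account whose owner was found by correlation but not yet linked: link it. -->
          <reaction>
            <situation>unlinked</situation>
            <actions>
              <link/>
            </actions>
          </reaction>
          <!-- Account with no matching user, e.g. created directly on the resource
               during the incident: deactivate it rather than adopt it, so that a
               human can review it (and mark it) later. -->
          <reaction>
            <situation>unmatched</situation>
            <actions>
              <inactivateResourceObject/>
            </actions>
          </reaction>
          <!-- Account removed on the resource: drop the link, keep the user. -->
          <reaction>
            <situation>deleted</situation>
            <actions>
              <unlink/>
            </actions>
          </reaction>
        </synchronization>
      </objectType>
    </schemaHandling>
  </resource>
</objects>
```

Running a reconciliation or live synchronization task against such a resource during or after the disruption applies these reactions to every account found, so an unowned account is deactivated and recorded in the audit trail rather than silently surviving the incident; the same configuration can first be run in simulation mode to see what would be changed.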
MidPoint audit trail records all changes that were made during disruption using midPoint, or that were discovered by midPoint. This information can be used to restore the appropriate level of security after disruption.
Rationale
MidPoint maintains policies during disruption, allowing preparation of emergency controls, and supports clean-up after disruption.
Related Features
- Information classification (planned)
- Policy (concept) (planned)
Related Controls
- ISO/IEC 27001 5.24: Information security incident management planning and preparation
- ISO/IEC 27001 5.25: Assessment and decision on information security events
- ISO/IEC 27001 5.26: Response to information security incidents
- ISO/IEC 27001 5.27: Learning from information security incidents
- ISO/IEC 27001 5.22: Monitoring, review and change management of supplier services