ISO/IEC 27001 Control 5.33: Protection of records
Control
Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release.
Necessity of MidPoint
MidPoint is optional for implementation of this control.
Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.
Implementation Overview
MidPoint has several mechanisms to ensure long-term retention of essential information.
Implementation Details
MidPoint can apply lifecycle models to all object types, including identities, policy and configuration objects. There is a built-in "archived" lifecycle state, which is supposed to mark objects stored for record-keeping purposes. Objects can be kept around in archived state as long as the legislation requires, e.g. as required by regulations regarding retention of employee data. Archived objects can be used to avoid re-use of identifiers, avoiding inconsistencies in long-term record-keeping. MidPoint records all activities in audit trail, which can be further processed and archived as permanent record. Data structure of the audit trail is publicly documented, using data formats that are very likely to remain readable in the future. MidPoint object language assists in long-term storage of objects, as the language is text-based (XML,JSON,YAML), clearly defined by schema and version controlled. Objects stored in midPoint object language are guaranteed to be readable and machine-processable in the foreseeable future. Authorizations can be used to limit access to information stored in midPoint repository, making sure that records have appropriate level of protection. E.g. special access control rules can be applied to archived data objects.
Implementation Notes
-
While audit trail provides detailed record of all activities, it is also quite demanding to store full audit trail for a long time. Retention of audit log data may be limited by other factors too, such as privacy regulations. Therefore, audit trails are frequently kept only for a limited time periods. However, midPoint meta-data can be used as a partial supplement for audit trail data, as the metadata record important moments of data lifetime. Metadata can be maintained for a very long period of time, providing essential record-keeping information even if detailed audit trail data are lost.
-
Information classification should be considered for retention of records. Application inventory, and especially the classification of applications can provide baseline data for setting up retention of information in individual systems. E.g. setting up policies to report inactive accounts in systems with respect to their classification, or setting up certification policies with an aim to remove unnecessary accounts.
Rationale
MidPoint provides supporting functionality for archival and long-term retention of identity-related data.