Compliance Design Notes

dictionary check: enabled by default? Not showing in GUI. (ISO 27001 5.17)

dictionary check for combination of dictionary words. (ISO 27001 5.17)

Forcing password change on next login: how can we make it easier to set up? (ISO 27001 5.17)

Closer integration with AM/SSO? Force password change, last login, etc. (ISO 27001 5.17)

enforcing different passwords on resources (ISO 27001 5.17 (D))

enforcing different password for administrator personas (ISO 27001 8.2)

"users acknowledge receipt of authentication information" (ISO 27001 5.17)

(!!!) Force change of pre-configured administrator password on first login (ISO 27001 5.17)

maximum number of password changes per time (e.g. per day) (ENISA-baseline)

"prevent the use of commonly-used passwords and compromised usernames, password combinations from hacked systems" (ISO 27001 5.17)

Guidance for end-users how to use password on pages that deal with passwords (ISO 27001 5.17)

Clean up documentation for password reset (it is in really bad shape)

Check that we use "approved cryptographic techniques for passwords" (encryption, hashing) (ISO 27001 5.17)

Password policy, finer granularity for application. E.g. if somebody has ability for remote access (role,classification), he should have stronger password policy. (ISO27001 6.7)

Privileged access (ISO 27001 5.15, 5.18, 8.2, 8.9)

authorization and classifications: consider classification level (e.g. privileged) in assign/unassign authorization statements. E.g. grant ability to assign roles to delegated administrators, except for roles that contain privileged access. Do we need mark here instead of classification? How we are going to distinguish business roles that have privileged access? They are not explicitly classified as privileged. (ISO27001 8.2)

requirement constraint (ISO 27001 5.13, 5.8) ✓

Error messages and overall presentation of policy rule violations. Current error message looks like:

min/max assignees: considering all users or active users (ISO27001 5.36)

Better GUI. E.g. enforce action is not even shown in current GUI.

Show evaluated policy rules or marks in GUI. E.g. I want to see that role has violated minAssignee constraint when I look at role details.

Policy rule exceptions and exception approvals - make sure they work. Use cases: SoD exceptions, classification violation exceptions, clearance exceptions. (ISO 27001 5.3, 8.7)

Policy rule exception validity, i.e. exception for a short time period. (ISO 27001 5.3, 8.7)

Policy rule exception review (certifications) (ISO 27001 5.3, 8.7)

Index/search all objects that have policy rule (specific constraint, markRef and action report/enforcement) (ISO 27001 5.3, 5.36)

minAssignments/maxAssignments constraints? E.g. applications without classification (ISO27001 5.12, 5.13)

Could we make the rules smarter to tolerate existing violations? E.g. if a user has SoD violations, we could still allow normal operations to proceed, as long as they are not creating new violation.

Use case of lost clearance: remove/deactivate all assignments that require the clearance. (ISO27001 5.12, 5.13)

Policy action: inactivate. E.g. automatic inactivation of user that lost required clearance. Question: inactivation of user? Or assignments? (ISO27001 5.12, 5.13)

Determine purpose/lifecycle of policy rule? E.g. distinction between report policy rule that is being rolled out (to be set to enforce later), and rule that is mean to report only, meant as a final measure. (ISO27001 5.36)

minAssignee/maxAssignee: ability to require active assignees, not just any assignees.

minAssignee/maxAssignee: when it points to org, make sure that org has at least one active member.

Constraint: object/assignment is about to expire in X days (ISO27001 6.3)

Nice to have: Rule for requirements in team composition. E.g. a supplier must have at least on CISO-certifified (clearance) user in the team. A project must have at least one member from security department.

Idea: new reaction to increase/decrease risk score (risk management)

Idea: policy rules could trigger security event (whatever that means). Non-compliance with policy can be considered security event. This can lead to notification, sending of "signal", etc.

Constraint: presence of object mark. E.g. prohibit assigned of new privileged access to a user who is suspicious or subject to disciplinary action. (ISO27001 6.4)

Marks should have a "retention" setting, specifying whether the mark could be cleared automatically (e.g. by policy rule going "off"), or it should be retained until cleared manually by system administrator. This would be useful for marking objects with modification constraint, policy rule setting the mark, but it has to be manually cleared when modification is reviewed. It may be also useful for setting up policy rules that set suspicious mark for some combinations of states/attributes (also as "modification" constraint). We want to retain that mark until it is manually reviewed and cleared.

Marks could have "warning" setting. If active, GUI would warn user that object has a mark - or that an operation results in object getting a mark. The warning will be displayed after the operation is completed, or on preview page. E.g. assigning a conflicting role resulted in "exclusionViolation" mark. E.g. removing a classification assignment from an application did result in getting "unclassified" mark on object. Also show the warning in shopping cart, e.g. when conflicting roles are selected. This should be a warning, not a hard error.

The "warning" setting could influence how prominently is the mark displayed in the GUI, e.g. whether it should be shown in object lists, object details, summary panels, etc.

Mark types: operational, policy violation, note, simulation, …​ (aux archetypes?) E.g. I want to list all objects that have any policy violation. (ISO27001 5.18, 5.19)

Colors for marks. E.g. I want all policy violations to be bright red. (Also see above)

Marks and authorizations: can we delegate management of specific marks to operators? E.g. can we delegate users to be able to set suspicious mark, but not be able to unset it? (ISO27001 6.8)

Show marks in object details

Better support for custom assignment panels. E.g. show assignments with particular archetype (classifiation,clearance), also the "assign" button should only list targets of that archetype.

Dashboard widgets that can show/list objects of generic types, such as AssignmentHolderType or AbstractRoleType, or even ObjectType. Currently, these widgets do not have the "More info" link to list objects.

Default column for roles: "number of members" instead of "projections"

Default column for application roles: application

Default column for applications: "owner" instead of "projections"

Default column for applications: classification

Better GUI for policy rules. E.g. enforce action is not even shown in current GUI.

Clearly show that particular access is privileged, use special label, mark, icon whatever.

Nicer icon for Application archetype. Cloud icon means stock Service, we should distinguish application somehow.

Show classifications in access request and approvals. (ISO27001 5.13)

More information for widgets: some way how to get more detailed description of widget, explaining what the widget shows. Maybe tooltip? Maybe something longer? Maybe click on "more info" should show description (with some nice icon) on top of the search list?

"Back" button is missing when clicking on dashboard widget "more info" link.

Separators/rows in dashboards, or some other ways to organize widgets (nice to have)

assignmentRelation is ignored when specified directly in assignment in orgs.

Type field on organizational hierarchy should either be pre-set to ObjectType, or it should have sensible default settings based on assignmentRelation.

Applicable policies panel: display descriptions (e.g. as tooltips?)

Tooltips for object icons - should display archetype names when no explicit tooltip is defined in archetype

display specification for ObjectType. This is especially useful for one-off objects, such as roots of organizational hierarchies. Also useful for classifications, e.g. setting color for classification level.

Global policy rule which states that if role has any approvers, the approvers must approve the request. This is hardcoded (useDefaultApprovalPolicyRules in systconfig). Do we have a test for this case? Problem: 9951

Rule of 4 eyes: requestor cannot be approver, even if he is specified as approved in the policy (ISO 27001 5.15, 5.18)

Handling of situation when there are no valid approvers, e.g. in case the "rule of 4 eyes" disqualified the only approver. (ISO 27001 5.15)

Smarter library functions to determine approvers/owners for approval purposes: If a role does not have approver, use owner. If an application role does not have approver/owner, use application approver/owner. If role belongs to an org, use org manager/owner.

"skip approval" operation option for administrators, e.g. when admin assigns a role directly as part of system setup. Mark that operation in audit as well.

New notification event, triggers when gaining access to something (e.g. first assignment of application, even indirectly). Can be used to deliver the acceptable use statement using notifications. Can be used for "you have privileged access now, you should behave" notification Pre-configuring notifications for this. (higher priority) (ISO 27001 5.10, 8.2)

Ability to limit certification scope for targets (e.g. use specific archetype (classifications, clearances)) - filter for targets? Note: we have itemSelectionExpression, which could be probably used, but it is going to be very cumbersome and probably also quite slow? (ISO27001 5.12, 5.13, 6.1, 6.3)

GUI: Easy certification of clearances and classifications: easy to select scope (target archetypes: all clearances, specific clearance/classification, etc.) (ISO27001 5.12, 5.13, 6.1, 6.3)

Certification of role/application owners/approvers. (ISO27001 5.1, 8.9)

Certification of other parts of (abstract) role, most notably policy rules. For ISO 27001 5.12, re-certification of policy rules included in classification definitions. (ISO27001 5.12, 6.6)

Action button: replace assignment. Used to replace classification (e.g. change Cat.II system to Cat.III). The goal is not to remove the assignment, the goal is to keep the assignment. However, target of assignment may be different (better). The policy should make sure that there is at least one assignment of specific type (e.g. classification) after the campaign is done. (ISO27001 5.12, 5.13)

Make sure that the campaign can be started automatically, e.g. every year. Used to make sure a review policy is automatically enforced, e.g. make sure clearances are reviewed every year. (ISO27001 6.1, 6.3)

Make sure certification history is kept in some permanent place. E.g. we need to prove to an auditor that we have re-certified clearances every year. (ISO27001 6.1, 6.3)

Pre-define certification (campaigns and micro) for privileged access rights.

information for reviewer: how many times this was certified/approved previously? (ISO27001 5.36)

Limit number of times that it is allowed to be certified (e.g. for policy rule exceptions). (ISO27001 5.36)

Certification action to set/remove specific mark. E.g. an action to remove suspicious mark, once the suspicious object was reviewed. (ISO27001 6.8)

Highlight/mark privileged access in certification decisions. Make sure that the certifier is aware that the assignment includes privileged access. (ISO27001 8.2)

Mark the campaigns and microcertification rules somehow, to be able to find related objects. E.g. list all certifications that deal with privileged access. Can we somehow use references to regulations? E.g. look for all "things" that deal with ISO27001-8.2 should provide all "things" that deal with prvileged access. (ISO27001 8.2)

Ability to review item values. E.g. certification campaign that makes sure privileged roles have valid description/documentation. (ISO27001 8.2)

Micro-certification triggers: risk threshold, outlier threshold, timeout (not certified for long time)

Missing lifecycle state with combination: focus active, assignments inactive

Extend lifecycle states for pilot and roll-out? This can be useful for applications, to better show their state. Also for policies (PolicyType), e.g. rollout rules are just recording and cleaning up the data, while active are supposed to be final state, enforcing (may still just report, tough, yet the data are supposed to cleaned up already). Can be used to dashboard the rules, e.g. list all policies that we are currently rolling-out or piloting.

Make sure information erasure works (for privacy) (ISO27001 5.34, GDPR)

Select which assignments are considered active in archived state. E.g. we want to de-activate all organizational and role assignments, but we may want to keep clearances active, to indicate remaining responsibilities. E.g. people that were given access to intellectual property may have obligations to keep secrets even after their employment is terminated. There may be SoD for clearances, e.g. an employee that worked for client A cannot work for client B, not even in the future. It may be important to retain the clearance active even for archived users, as the user may be re-hired and re-activated. (ISO27001 6.5)

Select which assignments to keep in archived state ("termination of employment"). E.g. we want to keep org assignments in inactive state, we want to keep clearances (NDA) to indicate that the user has responsibility to keep secrets even after the employment was terminated. (ISO27001 6.5)

Selective "reaping" of archived objects. E.g. we want to keep ordinary archived users for 2 years, then delete them. However, if s user has valid NDA (clearance), we want to keep the record for as long as the NDA is valid.

Record reasons when lifecycle state changes, e.g. reason for employment termination when deactivating user. This may also influence policies, e.g. priority deactivation (high-priority tickets) vs normal deactivation vs delayed deactivation. (ISO27001 5.18)

Finish concept of "application inventory", how it is supposed to be used normally, what data we want to store about applications, do we want to sync data to midPoint, or is midPoint going to be authoritative …​ what is the common case? Also, relation to classification and other ISO controls and features. We have to finish this, otherwise we have strange things in GUI such as confusing "Inventory records" label for application projections.

Introduce "asset" as a first-class citizen in midPoint (later, in synergy with risk assessment). What is relation to asset to application? Is is (is it related to) the "Application component" concept that sometimes use?

Default risk of application role may be given by application information label, e.g. all category III applications imply high risk for their application roles.

"Reactive" privileges

Flag for org, whether it should be considered root of hierarchical org structure. We may not need root objects for many flat structures, such as projects or teams. Archetype is enough in this case. Automatic detection of org roots make problems in this case, as it detects all projects and teams as org roots. It may cause a different kind of problems when organizations are placed into locations, which makes the organization disappear as root of the tree.

Smarter recompute. We want to recompute objects that are (indirectly) affected by policy rules. E.g. we want to recompute role with minAssignee rule when it was assigned/unassigned. In that case we are recomputing user, not the role. The underassigned mark on the role does not get automatically set/unset, until the role is explicitly recomputed. Note: this is an (almost) opposite of the usercase for recomputing memebers when role definition changes.

midScribe documentation (ISO27001 5.31)

IMPORTANT: enforce MFA for users that have privileged access

Negative assignment ("exception from rule") (ISO27001 6.4)

Making sure that certain requirements are fulfilled before assignment is assigned or activated. (ISO 27001 5.12, 5.13, 5.14, 5.20)

Make sure we can read and use last login from the resources (e.g. report unused accounts/users)

Make sure we can read number of failed login attempts from the resources (CZ NIS 2)

Sync mechanism or mapping that is summarizing (adding up) values from projections, e.g. total number of failed login attempts across all accounts.

Acceptable use (ISO 27001 5.10, 8.2)

Shared accounts (ISO 27001 5.16 (b))

Support for passkeys and other non-password credentials? (ISO 27001 5.17) (ISO 24760)

Step-up authentication and/or re-authentication in midPoint GUI. E.g. allow user to access end-user GUI with just a password. Require second factor (or re-entry of password) when entering administration zone. Clear indication in the GUI that we have administration privileges now. (ISO27001 8.2, 8.5)

"Comparative" mappings: mappings that can detect and report that a value was changed on resource. They do not necessarily change the value. This can be used for preparing midPoint deployment, assessing the changes that midPoint would do (note: this can be partially provided by similations). It may be used to detect and report policy violations (on ongoing basis). It may be used to detect local changes by system administrator. (ISO 27001 8.9)

Risk control related to external identities (social login) (ISO 27001 5.16, 5.19, 5.17)

Alerting: ability to send alerts (high-priority notifications) to users, and also to other systems (SIEM, threat detection): a.k.a. "risk signals" - use Shared Signals? Extend notification for user alerting? (ISO 27001 8.5)

Improve instructions on initial password delivery and self-service password reset

Flexible auth: limit connection times, e.g. allow login only during work hours.

Resource wizard improvements to warn about incomplete and insecure resource configurations. E.g. weak password for admin account, not using TLS, etc. We probably need support for that in the connector? The connector may do more, such as check if directory is world-readable, whether admin account is used directly, check whether administrator passwords were changed (are not factory-default), etc. (ISO 27001 8.9)

Check that we can control retention of temporary/operational data everywhere. E.g. check that old audit records are deleted, logs rotated, old dead shadows deleted, operational data removed from objects (e.g. operation executions), etc. (ISO 27001 5.33)

Password management: to pass ISO27001 requirements

PolicyType ✓

Object marks for all object types ✓

Policy rules to use marks instead of policySituation ✓

Auxiliary archetypes in GUI, they are almost useless now. Please, make them work! Pretty please.

Privileged classification for (application) roles and entitlements. Show that in GUI, at least in object details. Allow to search users/roles that have this classification.

Ability to mark object by arbitrary object mark in GUI. (#9842) ✓

Show effective marks in object lists and object details (GUI). (#9843) ✓

Show effective assignment marks in list of all assignments (GUI). (#9844) ✓ E.g. show that a certain assignment has SoD violation mark.

Policy rules

Certifications: Make sure we can certify clearances

Make sure we can read and use last login from the resources (e.g. report unused accounts/users)

Detect extra (unknown) members in groups. This is critical especially for groups that provide privileged access. (ISO27001 8.2)

Make Privileged Access label (classification) much more visible in GUI. Display it at prominent location in details page, maybe find a way how to mark it in lists. Mark privileged access in certifications. (ISO 27001 5.13, 5.18)

Classifications: prominent place in GUI, pass through inducements, searching, reporting. See Classification Improvements. (ISO27001 5.13)

Policy rules

Review database permissions. Can we make audit trail insert-only? (ISO27001 5.28)

ConnId pre-defined attribute PRIVILEGED_ACCESS, can be used for groups such as Domain Administrators or accounts such as root.

Ability to set Privileged Access classification on application roles that originated from groups marked as privileged by the connector.

Better GUI support for custom assignment panels. E.g. show assignments with particular archetype (classifiation,clearance), also the "assign" button should only list targets of that archetype. (ISO27001 5.13)

Negative assignment ("exception from rule") (ISO27001 6.4)

Approval improvements

New notification event, triggers when gaining access to something (e.g. first assignment of application, even indirectly). Can be used to deliver the acceptable use statement using notifications. Can be used for "you have privileged access now, you should behave" notification Pre-configuring notifications for this. (higher priority) (ISO 27001 5.10, 8.2)

Make sure we can read number of failed login attempts from the resources (CZ NIS 2)

** Finish concept of "application inventory" (design)

midScribe documentation (ISO27001 5.31)

Flag for org, whether it should be considered root of hierarchical org structure. We may not need root objects for many flat structures, such as projects or teams. Archetype is enough in this case. Automatic detection of org roots make problems in this case, as it detects all projects and teams as org roots.

On-demand privileges (just-in-time privileges): allow selected users to gain privileges by "activating" them in midPoint GUI. ISO27001 is very explicit (8.2) about not assigning privileged access permanently. E.g. ""allocating privileged access rights to users as needed and on an event-by-event basis", "defining and implementing requirements for expiry of privileged access rights". See description below for more details. (ISO27001 5.15, 5.18, 8.2)

Number of active users (dashboard only?) (ISO 27001 5.16)

Number of archived users (dashboard only?) (ISO 27001 5.16)

Temporarily inactive users (exclude archived users) (ISO 27001 5.16)

Suspicious objects (ISO27001 5.27, 5.28, 5.29)

Manual data overrides (fixed HR errors)

Users without organizational assignments (no org, no project, …​)

Number of all accounts (all resources) (ISO 27001 5.32)

Number of active accounts (all resources) (ISO 27001 5.32)

Number of active accounts per resource (e.g. for license management) (ISO 27001 5.32)

Number of job titles

Top job titles

Number of locations

Largest locations by number of users

All policies (PolicyType?) - is this useful? (ISO 27001 5.1, 5.36)

All policy rules with:

All policy violations (ISO 27001 5.1, 5.36)

All special cases (approved exceptions from policy rules) (ISO 27001 5.1?, 5.2, 5.36)

Report security roles and their assignments (5.2)

Report all security roles that are not properly staffed (5.2) ✓

SoD policies: all roles with SoD exclusions. All SoD policy rules. Nice to have: all roles that are subject to SoD policy rules (even indirectly). (ISO 27001 5.3)

SoD violations (ISO 27001 5.3)

SoD exceptions (approved violations) (ISO 27001 5.3)

Suspicious objects (mark) (ISO27001 5.27, 5.28, 5.29) ✓

Roles without owners. ✓ Application roles without owners. Business roles without owners. Etc. (ISO 27001 5.2)

Applications without owners. (ISO 27001 5.2, 5.9, 8.8) ✓

Applications without classification. (ISO 27001 5.9, 5.12, 5.13, 5.14)

Application roles without inducement to application. Mark as configuration error? (would be nice to show in admin dashboard too, as config error?)

Accounts that are not managed by midPoint. This report is IMPORTANT aspect of risk management! (ISO27001 5.15,5.16,5.18,5.34,8.3,8.9)

Access rights that are not managed by midPoint - at least list of unmanaged groups. This report is IMPORTANT aspect of risk management! (ISO27001 5.15,5.16,5.18,5.34,8.3,8.9)

Requestable roles without approvers. (ISO 27001 5.2, 5.15, 5.18)

Proposed roles. (ISO 27001 5.15, 5.18)

Deprecated roles. (ISO 27001 5.15, 5.18)

Assignments of deprecated roles. (ISO 27001 5.15, 5.18)

Assignments to archived objects. (ISO 27001 5.15, 5.18)

Active projects without managers (ISO 27001 5.8)

Staff shortage (dashboard): projects and teams with vacancies at important positions. (ISO 27001 5.2, 5.8, 8.6)

Understaffed security positions: use Understaffed security mark.

Neglected roles and apps (roles/apps without owner).

Orphaned accounts (ISO 27001 5.16)

Identities with privileged access (ISO27001 8.2)

Application roles providing privileged access. (ISO27001 8.2)

Business roles providing privileged access. (ISO27001 8.2)

Application roles providing privileged access without owners. (ISO27001 8.2)

Business roles providing privileged access without owners. This is more important than application roles, as we want to make sure there is someone to regularly re-certify role definitions. (ISO27001 8.2)

Application roles providing privileged access - summary per application/resource. (ISO27001 8.2)

Users with privileged access - summary per application/resource. "identifying users who need privileged access rights for each system or process" (ISO27001 8.2)

Privilege assignments to review - manual assignments that were not certified recently. (ISO 27001 5.18, 8.2)

Roles providing privileged access that were not certified in a long time. (Especially business roles) (ISO27001 8.2)

Privileged roles that do not have description/documentation. (ISO27001 8.2)

Dormant users / sleepers (users without any assignments/privileges) (ISO 27001 5.16)

"Standing privilege" - manual assignments, including access request (ISO 27001 5.15, 5.18)

Unused accounts. Accounts not used for X months. (ISO 27001 5.32, 8.9)

Unused accounts per application. Number/percentage of unused accounts per application. Average usage frequency per application (e.g. users accessing the app once per week on overage) (ISO 27001 5.32, 8.9)

Unused users. Users that have not logged in to any account (or midPoint) for X months. (ISO 27001 5.32, 8.9)

Accounts that were never used (never logged in).

users that haven’t changed password in long time

Organizational units without managers

Users with large number of failed logins

list of clearances applied to users, dates, review dates, certifier, approver, etc. (ISO27001 6.1, 6.3)

list of clearances that are about to expire (also dashboard) (ISO27001 6.1, 6.3)

list of expired clearances (ISO27001 6.1, 6.3)

list of clearances that were not certified for a long time (ISO27001 6.1, 6.3)

list of all clearance violations, assigned role is requiring clearance that is not present (ISO27001 6.1, 6.3)

Who is approver of what? List of explicit approvers for roles (assign, modify, etc.) (ISO27001 5.37)

List of users that have acces to specific location/perimenter (org,location) - even indirectly. (ISO27001 7.2)

List of devices by user classification level - to detect which devices may contain sensitive data, e.g. detect where sensitive data could be stored in BYOD device (ISO27001 8.1)

Accounts with requirement for MFA / Strong Authentication. (ISO27001 8.5)

Roles/applications/classifications that mandate MFA / Strong Authentication. (ISO27001 8.5)

list of roles that provide access to personal data (ISO27001 5.34)

list of users that have access to personal data (ISO27001 5.34)

changes in time (e.g. "5 people gained access to personal data yesterday") (ISO27001 5.34)

Number of roles by type (ISO 27001 5.1, 5.15, 5.18)

Access included in roles (%) (ISO 27001 5.1, 5.15, 5.18)

Access included in business roles (%) (ISO 27001 5.1, 5.15, 5.18)

Identities with access from roles (%) (ISO 27001 5.1, 5.15, 5.18)

Unused roles (roles without active assignment) (ISO 27001 5.1, 5.15, 5.18)

Number/list of manually assigned roles (assignemnts) (ISO27001 5.15, 5.36)

Number/list of roles assigned through request/approval process (assignemnts) (ISO27001 5.15, 5.36)

Number/list of automatically assigned roles (assignemnts) (ISO27001 5.15, 5.36)

Dashboard: number of manually assigned roles vs automatically assigned roles (ISO27001 5.15, 5.36)

Number/list of deprecated/proposed/active/suspended roles. (ISO27001 5.15, 5.36)

Idea: some role hierarchy metric? How many roles are included in other roles?

All accounts created/deleted on resource (ISO 27001 5.10, 5.16, 5.18)

Roles assigned/unsassigned, automatically/manually (ISO 27001 5.10, 5.16, 5.18)

Password changes

Access requests

Authentications (to midPoint)

REST service access

Provisioning operations

Service (application) accounts with passwords that were not changed in a looong time (e.g. 5 years)

Currently active "emergency mode(s)"

Roles with special meaning for incident response, e.g. that include emergency privileges

Under-assigned roles with special meaning for incident response

Last activation of emergency mode (e.g. "X days without an incident")

Objects with the highest risk (top 10)

High-risk roles

High-risk users

Application that were not used recently.

Vastly over-provisioned applications. Applications that are used only by a small fraction of users that have access to them.

Emergency mode and automatic activation of emergency privileges (activation of prepared emergency plans). Scenarios: security incident, business continuity, disaster

Break-glass operations

What is "asset"? definition of "asset". This is harder than it seems!

Asset as auxiliary archetype? Or mark? Special flag? Hardcoded? Assets can be: applications, devices, computers (desktops), servers, virtual machines, databases, datasets, …​ How do we say that all applications are assets? All servers are assets? Assets can form hierarchies (DAGs), e.g. dataset is stored in application which runs on server (see below).

NIST IR 7693 Specification for Asset Identification 1.1 has data model for asset management, relations such as partOf, isOwnerOf, connectedTo.

Asset discovery: automatic process scanning networks and applications.

Authoritative and accurate source of information. Asset identifiers. Regular review. Assign confidence or last seen or last review timestamp. Software type and version, SBOM? (for vulnerability management).

Asset owners: each asset should have an owner, a person responsible for the asset

Integrations: monitoring, CMDB

"physical, virtual and cloud resources, along with your organisation’s Internet presence, in the form of social media accounts, domain name registrations, IP address spaces and digital certificates"

Procedures to make sure all assets are registered - to avoid shadow IT. E.g. Assign DNS name only to registered assets. Issue TLS certificate only to registered assets. Grant access to other systems (service accounts) only to registered assets.

Idea: recording/tracing location of assets? E.g. current location of dossiers (office, work, on-premise/off-premise). (ISO27001 7.9)