
Protecting PII with Robust System and Application Access Controls

Placing access restrictions upon business critical tasks, assets and procedures is a fundamental aspect of both protecting PII, and ensuring that privacy-related applications and systems are free from corruption, misuse or deletion.

ISO 27701 6.6.4 outlines a variety of measures – from authentication controls through to source code management and the use of privileged utility programs – that allow organisations to exercise granular control over who and what is allowed to access their network, and through what means.

What’s Covered in ISO 27701 Clause 6.6.4

ISO 27701 6.6.4 contains five sub-clauses that deal with the above topics. Each sub-clause contains guidance information from a variety of sub-clauses within ISO 27002, but delivered within the context of PII security, and privacy protection:

  • ISO 27701 6.6.4.1 – Information access restrictions (References ISO 27002 control 8.3).
  • ISO 27701 6.6.4.2 – Secure log-on procedures (References ISO 27002 control 8.5).
  • ISO 27701 6.6.4.3 – Password management system (References ISO 27002 control 5.17).
  • ISO 27701 6.6.4.4 – Use of privileged utility programs (References ISO 27002 control 8.18).
  • ISO 27701 6.6.4.5 – Access control to program source code (References ISO 27002 control 8.4).

Sub-clause 6.6.4.2 contains further guidance on applicable articles within UK GDPR legislation (Article 5 [1][f]).

Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on which parts of the law apply to them.


ISO 27701 Clause 6.6.4.1 – Information Access Restrictions

References ISO 27002 Control 8.3

To control PII and privacy-related information, and in support of access restriction measures, organisations should:

  • Prevent anonymous access to PII, including public access.
  • Maintain privacy systems, and any associated business applications or processes.
  • Administer access to PII on a user-by-user basis.
  • Manage PII access rights on a granular level (read, write, delete and execute).
  • Separate critical privacy processes and applications using a combination of physical and logical access controls.

Dynamic Access Management

ISO advocates a dynamic approach to information access, which extends to PII and privacy systems.

Dynamic access management allows organisations to share or use internal data with external users, in order to achieve faster incident resolution times (a key requirement for PII-related incidents).

Organisations should consider implementing dynamic access management when:

  • Exercising granular control over what data human and non-human users are able to access.
  • Sharing information with suppliers, law enforcement organisations or regulatory bodies.
  • Adopting a “real-time” approach to PII management (monitoring and managing PII use as it occurs).
  • Protecting PII against unauthorised amendments, sharing or output (printing etc).
  • Monitoring/auditing the access to and changing of privacy-related information.
  • Developing a process that governs the operation and monitoring of data, including a reporting process.

Dynamic access management should protect data by:

  • Requiring a robust authentication process before access is granted.
  • Enabling restricted access.
  • Encrypting data.
  • Applying secure printing permissions.
  • Logging who accesses PII, and how PII data is being used.
  • Implementing an alerts procedure that flags up inappropriate PII use.
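The following is an added example, not code from ISMS.online or from the ISO standard, showing the shape of the 6.6.4.1 controls in one place: no anonymous access, rights granted per user at read/write/delete/execute granularity, every decision written to an access log, and an alert raised when a user's denied requests reach a threshold. The users, asset name, ACL entries and the alert threshold are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

RIGHTS = {"read", "write", "delete", "execute"}   # the granular rights named in the clause


@dataclass
class PiiAccessGate:
    """Per-user ACL over PII assets with an access log and an alert hook (example code)."""
    acl: Dict[str, Dict[str, Set[str]]]               # user -> asset -> granted rights (constructed)
    alert_threshold: int = 3                           # constructed: denials before an alert is raised
    log: List[dict] = field(default_factory=list)      # who accessed what, with which right, and the outcome
    alerts: List[str] = field(default_factory=list)    # flagged inappropriate use
    _denials: Dict[str, int] = field(default_factory=dict, init=False)

    def authorise(self, user: Optional[str], asset: str, right: str,
                  authenticated: bool = True) -> bool:
        if right not in RIGHTS:
            raise ValueError(f"unknown right {right!r}")
        if user is None or not authenticated:
            decision = "deny:anonymous"      # no anonymous or public access to PII
        elif right not in self.acl.get(user, {}).get(asset, set()):
            decision = "deny:no-right"       # known user, but this specific right was not granted
        else:
            decision = "allow"
        self._record(user or "<anonymous>", asset, right, decision)
        return decision == "allow"

    def _record(self, who: str, asset: str, right: str, decision: str) -> None:
        self.log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": who, "asset": asset, "right": right, "decision": decision,
        })
        if decision != "allow":
            self._denials[who] = self._denials.get(who, 0) + 1
            if self._denials[who] >= self.alert_threshold:
                self.alerts.append(
                    f"{who}: {self._denials[who]} denied PII requests (latest {right} on {asset})")


def demo() -> PiiAccessGate:
    """Constructed scenario: alice may read and write, bob may only read."""
    gate = PiiAccessGate(acl={
        "alice": {"customer_records": {"read", "write"}},
        "bob": {"customer_records": {"read"}},
    })
    gate.authorise(None, "customer_records", "read", authenticated=False)   # anonymous: denied
    gate.authorise("alice", "customer_records", "write")                    # allowed
    gate.authorise("bob", "customer_records", "read")                       # allowed
    for right in ("delete", "write", "execute"):                            # three denials -> alert
        gate.authorise("bob", "customer_records", right)
    return gate


if __name__ == "__main__":
    g = demo()
    for entry in g.log:
        print(entry)
    print("alerts:", g.alerts)
```

The log entries are what an auditor would expect to see for "who accessed PII and how"; in production they would be shipped to a separate log store rather than kept in memory, and the alert list would feed the incident process described later in the clause.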

ISO 27701 Clause 6.6.4.2 – Secure Log-on Procedures

References ISO 27002 Control 8.5

PII and privacy-related assets need to be stored on a network that features a range of authentication controls, including:

  • Multi-factor authentication (MFA).
  • Digital certificates.
  • Smart cards/fobs.
  • Biometric verification.
  • Secure tokens.

To prevent and minimise the risk of unauthorised access to PII, organisations should:

  • Prevent the display of PII on a monitor or endpoint device, until a user has successfully authenticated.
  • Give would-be users a clear warning – before any login is attempted – which outlines the sensitive nature of the data they are about to access.
  • Be wary of providing too much assistance throughout the authentication process (i.e. explaining which part of a failed login attempt is invalid).
  • Deploy best practice security measures, including:
    • CAPTCHA technology.
    • Forcing password resets and/or temporarily preventing logins following several failed attempts.
  • Log failed login attempts for further analysis and/or dissemination to law-enforcement agencies.
  • Initiate a security incident whenever a major login discrepancy is detected, or the organisation discovers an authentication anomaly that has the potential to affect PII.
  • Relay authentication logs – containing last logon attempt and failed login information – to a separate data source.
  • Only output password data as abstract symbols, unless the user has accessibility/vision issues.
  • Prevent the sharing of any and all authentication data.
  • Kill dormant login sessions, especially where PII is being utilised in remote working environments, or on BYOD assets.
  • Place a time limit on authenticated sessions, especially those that are actively accessing PII.
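As an added example (not code from the original page, ISMS.online or ISO), the login front-end below applies several of the measures listed above together: a single generic failure message so that a failed attempt does not reveal which part was invalid, a temporary lock-out after repeated failures, failed attempts written to an audit list intended for a separate log store, and authenticated sessions that are killed when dormant or when an absolute time limit is reached. The user names, passwords, thresholds and time values are constructed for the example; the hashing parameters are illustrative rather than a recommendation.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GENERIC_FAILURE = "Login failed"   # one message for every failure: never say which part was wrong
MAX_FAILURES = 5                   # constructed thresholds; set from your own risk assessment
LOCKOUT_SECONDS = 15 * 60
SESSION_MAX_SECONDS = 8 * 3600     # absolute limit on an authenticated session
SESSION_IDLE_SECONDS = 15 * 60     # dormant sessions are killed after this much inactivity

ALICE_PASSWORD = "constructed-example-pw-A1!"   # constructed sample credentials
BOB_PASSWORD = "constructed-example-pw-B2!"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_DUMMY_SALT = bytes(16)
_DUMMY_HASH = _hash("", _DUMMY_SALT)   # used for unknown users so the work done looks the same


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


@dataclass
class LoginService:
    users: Dict[str, Tuple[bytes, bytes]]                  # user -> (salt, password hash)
    audit: List[dict] = field(default_factory=list)        # destined for a separate log store
    failures: Dict[str, List[float]] = field(default_factory=dict)
    sessions: Dict[str, Session] = field(default_factory=dict)

    def _audit(self, event: str, user: str, now: float) -> None:
        self.audit.append({"ts": now, "event": event, "user": user})

    def login(self, user: str, password: str, now: float) -> Tuple[Optional[str], str]:
        # keep only failures inside the lock-out window, then check the count
        recent = [t for t in self.failures.get(user, []) if now - t < LOCKOUT_SECONDS]
        self.failures[user] = recent
        if len(recent) >= MAX_FAILURES:
            self._audit("locked_out", user, now)
            return None, GENERIC_FAILURE
        salt, stored = self.users.get(user, (_DUMMY_SALT, _DUMMY_HASH))
        candidate = _hash(password, salt)          # always computed, even for unknown users
        ok = user in self.users and hmac.compare_digest(candidate, stored)
        if not ok:
            recent.append(now)
            self._audit("failed_login", user, now)  # retained for analysis / escalation
            return None, GENERIC_FAILURE
        self.failures.pop(user, None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, now, now)
        self._audit("login", user, now)
        return token, "ok"

    def session_user(self, token: str, now: float) -> Optional[str]:
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s.created > SESSION_MAX_SECONDS or now - s.last_seen > SESSION_IDLE_SECONDS:
            del self.sessions[token]                # kill dormant or over-long sessions
            self._audit("session_expired", s.user, now)
            return None
        s.last_seen = now
        return s.user


def make_service() -> LoginService:
    """Constructed user store with two salted, hashed passwords."""
    users = {}
    for name, pw in (("alice", ALICE_PASSWORD), ("bob", BOB_PASSWORD)):
        salt = os.urandom(16)
        users[name] = (salt, _hash(pw, salt))
    return LoginService(users)


if __name__ == "__main__":
    svc = make_service()
    print(svc.login("alice", "wrong-password", 1000.0))
    token, status = svc.login("alice", ALICE_PASSWORD, 1001.0)
    print(status, svc.session_user(token, 1100.0))
    print(svc.audit)
```

Time is passed in explicitly so the lock-out and expiry paths can be exercised deterministically; in a real service it would come from the clock. The `audit` list stands in for the "separate data source" the clause asks for and is the input to the incident trigger described above.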

Applicable GDPR Articles

  • Article 5 – (1)(f)


ISO 27701 Clause 6.6.4.3 – Password Management System

References ISO 27002 Control 5.17

Authentication details should be distributed and managed so that:

  • Automatically-generated authentication information (passwords etc.) is kept secret from anyone not authorised to use it, isn’t guessable and is managed in a way that forces a user to change it after initial login.
  • Before issuing or replacing authentication details, procedures are put in place to verify the identity of the individual who requires them.
  • The correct secure channels are used to transmit authentication details (i.e. not via email).
  • After the details have been successfully communicated to whomever needs them, the user(s) acknowledge receipt in a timely manner.
  • Any vendor-provided authentication information (such as the default username and password on routers and firewalls) is changed upon receipt.
  • Records are kept of relevant authentication events – especially regarding the initial allocation and subsequent administration of authentication details.

Any personnel who use organisational authentication information should ensure that:

  • All authentication details are kept strictly confidential.
  • If authentication details are either compromised, viewed or shared by anyone other than the original owner, such details are changed immediately.
  • Any passwords are created and/or generated in line with the organisation’s password policy, and passwords are unique across different platforms (i.e. domain passwords are not the same as cloud service passwords).
  • Contracts of employment contain an explicit requirement to follow company password policy (see ISO 27002 6.2).

Password Management Systems

Organisations should implement a password management system that:

  • Caters for users who need to change any password that they use.
  • Is programmed to reject passwords that fall outside of best practice guidelines.
  • Forces users to change their system-generated password, after they use it for the first time.
  • Does not permit the continued use of old passwords, or similar phrases and alphanumeric combinations.
  • Hides passwords whilst they are being inputted.
  • Stores and sends password information in a secure manner.
  • Caters for password encryption and similar encryption techniques (see ISO 27002 8.24).

To safeguard PII and improve organisational privacy protection efforts, passwords should follow four guiding principles:

  • Passwords shouldn’t be constructed around guessable or biographic information.
  • Passwords shouldn’t contain any recognisable words, in place of random alphanumeric characters.
  • Special characters should be used to increase password complexity.
  • All passwords should have a minimum length (ideally 12 characters).

Organisations should also consider the use of authentication protocols such as Single Sign-On (SSO) to improve password security, but such measures should only be considered alongside the organisation’s unique technical and operational requirements.
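The following added example (not code from the original page, ISMS.online or ISO) implements the password management system requirements and the four guiding principles above together: a system-generated initial password that must be changed on first use, rejection of passwords outside policy (minimum 12 characters, a required special character, recognisable words, biographic information), refusal of the previous password or a similar phrase, and refusal of any password that appears in the user's history. Only salted hashes are stored, so exact reuse is detected by re-hashing the candidate under each historical salt, while similarity can only be checked against the current password, which the user supplies at change time. The word list, user profile, history depth and similarity rule are constructed for the example and are deliberately simple stand-ins for a real dictionary and policy engine.

```python
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MIN_LENGTH = 12
HISTORY_DEPTH = 5                                                    # constructed policy value
COMMON_WORDS = {"password", "welcome", "company", "summer", "letmein"}  # constructed stand-in for a dictionary
_SUBS = str.maketrans("@$10!3", "asloie")                            # undo common character substitutions


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _normalise(pw: str) -> str:
    return pw.lower().translate(_SUBS)


def _similar(a: str, b: str) -> bool:
    """Crude 'similar phrase' test: equal after normalisation and trailing-digit removal,
    or one contained in the other (constructed rule for the example)."""
    na = _normalise(a).rstrip(string.digits)
    nb = _normalise(b).rstrip(string.digits)
    return na == nb or na in nb or nb in na


def check_policy(pw: str, biographic: List[str]) -> List[str]:
    """Return the list of policy breaches for a candidate password (empty means acceptable)."""
    problems = []
    norm = _normalise(pw)
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    for word in sorted(COMMON_WORDS):
        if word in norm:
            problems.append(f"contains recognisable word {word!r}")
    if any(len(b) >= 3 and _normalise(b) in norm for b in biographic):
        problems.append("contains biographic information")
    return problems


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    must_change: bool                                   # True for system-generated passwords
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)   # (salt, digest) of old passwords


@dataclass
class PasswordManager:
    users: Dict[str, Credential] = field(default_factory=dict)
    profiles: Dict[str, List[str]] = field(default_factory=dict)   # biographic data to check against

    def provision(self, user: str, biographic: List[str]) -> str:
        """Issue a system-generated initial password; caller sends it over a secure channel."""
        pw = secrets.token_urlsafe(16) + "!"
        salt = os.urandom(16)
        self.users[user] = Credential(salt, _hash(pw, salt), must_change=True)
        self.profiles[user] = biographic
        return pw

    def verify(self, user: str, pw: str) -> Optional[str]:
        """None if the password is wrong, 'change-required' on first use, else 'ok'."""
        c = self.users.get(user)
        if c is None or not hmac.compare_digest(_hash(pw, c.salt), c.digest):
            return None
        return "change-required" if c.must_change else "ok"

    def change_password(self, user: str, old_pw: str, new_pw: str) -> List[str]:
        """Apply the policy; return the breaches, or an empty list once the change is made."""
        if self.verify(user, old_pw) is None:
            return ["current password incorrect"]
        c = self.users[user]
        problems = check_policy(new_pw, self.profiles.get(user, []))
        if _similar(old_pw, new_pw):
            problems.append("too similar to current password")
        if any(hmac.compare_digest(_hash(new_pw, s), d) for s, d in c.history):
            problems.append("password was used before")
        if problems:
            return problems
        c.history = ([(c.salt, c.digest)] + c.history)[:HISTORY_DEPTH]
        c.salt = os.urandom(16)
        c.digest = _hash(new_pw, c.salt)
        c.must_change = False
        return []


if __name__ == "__main__":
    pm = PasswordManager()
    initial = pm.provision("alice", ["alice", "smith", "1985"])
    print(pm.verify("alice", initial))                            # change-required
    print(pm.change_password("alice", initial, "AliceSmith2024!"))  # rejected: biographic
    print(pm.change_password("alice", initial, "vx7#Kq9!mLp2Rz"))   # accepted
```

The split between `check_policy` (pure, testable rules) and `PasswordManager` (state and hashing) is deliberate: the rules can be reused by the "reject passwords outside best practice" path of any front-end, while the history and salt handling stay in one place.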

Relevant ISO 27002 Controls

  • ISO 27002 6.2
  • ISO 27002 8.24

ISO 27701 Clause 6.6.4.4 – Use of Privileged Utility Programs

References ISO 27002 Control 8.18

To protect PII and privacy-related assets – and simultaneously improve network integrity – organisations should:

  • Restrict the use of utility programs to maintenance staff and/or contractors tasked with administering the organisation’s network.
  • Ensure that the use of any single utility program is authorised by management, including maintaining a list of personnel who need to use utility programs as part of their assigned responsibilities.
  • Prevent the use of utility programs on areas of the network that feature segregated duties.
  • Periodically review the use of utility programs, removing or adding any as the organisation sees fit.
  • Partition off utility programs as distinct from standard applications.
  • Log the use of utility programs, including retained information on timestamps and authorised users.


ISO 27701 Clause 6.6.4.5 – Access Control to Program Source Code

References ISO 27002 Control 8.4

Access to source code and development tools should be tightly controlled, so that privacy-related applications are not compromised, and PII is not exposed to public viewing, or any form of unauthorised access.

Source code and ‘associated items’ include:

  • Designs.
  • Specifications.
  • Verification plans.
  • Validation plans.

Development tools include:

  • Compilers.
  • Builders.
  • Integration tools.
  • Test platforms.
  • Environments.

ISO recommends that organisations store and manage source code via a dedicated ‘source code management system’ that protects IP, code and development tools and manages access to restricted material. Source code should be managed with varying degrees of read and write access, based on an individual’s job role.

To prevent corruption and safeguard the PIMS, PII and privacy-related information and assets, organisations should:

  • Closely manage access to source code and any associated libraries.
  • Limit the provision of source code access on a ‘need to know’ and ‘need to use’ basis.
  • Observe organisation-wide change management procedures when updating/changing source code, or making any amendments to access privileges (see ISO 27002 8.32).
  • Prohibit the direct access of source code by developers, and instead provision access through specialised developer tools.
  • Securely store program listings, with relevant levels of read and write access.

Relevant ISO 27002 Controls

  • See ISO 27002 8.32

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Requirement | Associated GDPR Articles
6.6.4.1 | 8.3 | 8.3 – Information Access Restriction for ISO 27002 | None
6.6.4.2 | 8.5 | 8.5 – Secure Authentication for ISO 27002 | Article (5)
6.6.4.3 | 5.17 | 5.17 – Authentication Information for ISO 27002 | None
6.6.4.4 | 8.18 | 8.18 – Use of Privileged Utility Programs for ISO 27002 | None
6.6.4.5 | 8.4 | 8.4 – Access to Source Code for ISO 27002 | None

How ISMS.online Helps

ISO 27701 shows you how to build a Privacy Information Management System that complies with most privacy regulations, including the EU’s GDPR, BS 10012 and South Africa’s POPIA.

Our simplified, secure, sustainable software helps you easily follow the approach outlined by the internationally recognised standard.

Our all-in-one-platform ensures your privacy work aligns with and meets the needs of each section of the ISO 27701 standard. And because it’s regulation agnostic, you can map it onto any regulation you need to.

Find out more by booking a hands-on demo.


Toby Cane

Partner Customer Success Manager

Toby Cane is the Senior Partner Success Manager for ISMS.online. He has worked for the company for close to 4 years and has performed a range of roles, including hosting their webinars. Prior to working in SaaS, Toby was a Secondary School teacher.
