Why ISO/IEC 27001 Compliance is Impossible without Privileged Management
provide a separate database of activity records that you can use to substantiate security policy violations, for example, to support personnel sanctions.
One Identity PAM solutions substantially automate privileged account management to help ensure compliance with ISO 27001 control objectives and industry best practices.
One Identity PAM solutions enable organizations to automate a substantial number of ISO 27001 Annex A's reference controls. For example, minimal effort is required for you to ensure that each system user is uniquely identified; the abuse of system accounts is actively being prevented; strong password management settings are enforced; all privileged use activity is being tracked, recorded and logged; audit trails are secured; and explicit approval by authorized parties is required.

Having these foundational IT security measures operating in both development and production environments complements standard user activity monitoring, malware and intrusion detection controls, providing the necessary layers for the defense-in-depth approach to information security needed in today's information risk climate.
The One Identity privileged management solutions discussed in this paper are:

• One Identity Safeguard for Privileged Passwords
• One Identity Safeguard for Privileged Sessions
• Privilege Manager for Sudo
One Identity Safeguard for Privileged Passwords

Safeguard for Privileged Passwords automates, controls and secures the entire process of granting administrators the credentials necessary to perform their duties. It ensures that privileged access is granted according to established policies with appropriate approvals; that all actions are fully audited and tracked; and that passwords are changed immediately upon their return.
Safeguard for Privileged Passwords also eliminates the security exposure posed by embedded privileged passwords required for applications to talk to each other or to databases, by replacing these hard-coded passwords with programmatic calls that dynamically retrieve the account credential. Safeguard for Privileged Passwords is deployed on a secure, hardened appliance.
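The check-out, approval, audit and rotate-on-return workflow described in the two paragraphs above, modelled as an added example that is not code from the paper or from Safeguard itself. The Vault class, its method names and the "db-admin" account are constructed stand-ins for illustration, not the product's API.

```python
# Constructed stand-in for the check-out / approval / audit / rotate-on-return
# workflow described above. It is NOT Safeguard's API; all names are hypothetical.
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation

def random_password(length=24):
    # Cryptographically random so a returned credential is never reused.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

class Vault:
    def __init__(self, approvers):
        self.passwords = {}         # account -> current password
        self.holder = {}            # account -> user who has it checked out
        self.approvers = approvers  # account -> set of users allowed to approve
        self.audit = []             # (event, user, account) audit-trail records

    def add_account(self, account):
        self.passwords[account] = random_password()
        self.holder[account] = None

    def checkout(self, user, account, approved_by):
        # Separation of duties: approval must come from a designated approver
        # other than the requester, and only one holder is allowed at a time.
        valid = approved_by != user and approved_by in self.approvers.get(account, ())
        if not valid or self.holder[account] is not None:
            self.audit.append(("DENY", user, account))
            raise PermissionError(f"{user} may not check out {account}")
        self.holder[account] = user
        self.audit.append(("CHECKOUT", user, account))
        return self.passwords[account]

    def checkin(self, user, account):
        if self.holder[account] != user:
            raise PermissionError(f"{user} does not hold {account}")
        self.holder[account] = None
        self.passwords[account] = random_password()  # changed immediately on return
        self.audit.append(("CHECKIN_ROTATE", user, account))

def run_privileged_task(vault, user, account, approver):
    # Application-to-application pattern: instead of DB_PASSWORD = "..." in
    # source, fetch the credential at runtime and hand it back when finished.
    password = vault.checkout(user, account, approver)
    try:
        used = password  # connect to the target system with `password` here
    finally:
        vault.checkin(user, account)
    return used, vault.passwords[account]
```

The audit list is what an assessor would ask for under the logging controls: every grant, denial and rotation is attributable to a user and an account.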
One Identity Safeguard for Privileged Sessions

Safeguard for Privileged Sessions enables authorized trusted workforce members to issue privileged access for a specific period or session to administrators, remote vendors and high-risk users, with full recording and replay for auditing and compliance. It provides a single point of control from which trusted workforce members can authorize connections, limit access to specific resources, allow only certain commands to be run, view active connections, record all activity, alert if connections exceed pre-set time limits, and terminate connections.

This solution is also deployed on a secure, hardened appliance and, when combined with Safeguard for Privileged Passwords, it can completely hide the account password from the privileged user.
One Identity Privilege Manager for Sudo

Privilege Manager for Sudo enhances sudo with a central policy server that enables centralized management of sudo and the sudoers policy file, as well as centralized reporting on sudoers access rights and activities. It also performs keystroke logging, complete with search and playback capabilities, for in-depth auditing and compliance requirements. Privilege Manager for Sudo is part of One Identity Privileged Access Suite for Unix.
Meeting ISO 27001 requirements with PAM solutions

The chart on the following pages provides a detailed mapping of ISO/IEC 27001:2013 controls to the capabilities of One Identity privileged account management solutions. You can use this mapping to proactively identify and address gaps in your ISO compliance with One Identity PAM solutions.
ISO/IEC 27001:2013 controls from Annex A

Each entry lists the control number and control name, followed by how One Identity PAM solutions help.

A.5.1.1 Policies for information security
A.6.1.1 Information security roles and responsibilities
A.6.1.2 Segregation of duties
Safeguard for Privileged Passwords, Safeguard for Privileged Sessions and Privilege Manager for Sudo support the enterprise-wide access control and privileged access management requirements that are part of every information security policy. In particular, these tools help ensure that authorization and separation of duty (SoD) requirements are defined and enforced across all platforms in your network.

A.6.1.3 Contact with authorities
Safeguard for Privileged Sessions and Safeguard for Privileged Passwords store recorded sessions and logs in a secure, encrypted vault, and Privilege Manager for Sudo securely records keystrokes. These features provide organizations with a legally defensible repository of privileged activities from which they can retrieve court-admissible evidence using proper chain of custody controls.

A.6.1.5 Information security in project management
With One Identity PAM solutions, organizations can address questions that come from an information security risk assessment conducted at an early stage of a project by providing controls for granting and using privileged access. For example, Safeguard for Privileged Passwords can be used when a project begins to define required security roles, and Safeguard for Privileged Sessions can be used to carefully control and track the actions of privileged sessions for all project users, including remote users and contractors.

A.6.2.2 Teleworking (remote access)
Organizations allowing remote access need a policy that restricts remote access privileges. Safeguard for Privileged Passwords can restrict unauthorized remote IP addresses for API and CLI sessions. Safeguard for Privileged Passwords, Safeguard for Privileged Sessions and Privilege Manager for Sudo automatically generate randomized passwords to reduce the risk of pass-the-hash, credential harvesting and other exploits that are often associated with remote access. Safeguard for Privileged Sessions also protects against viruses, malware and other dangerous items that may exist on a remote user's system, because it proxies all sessions to target resources. In addition, it records all actions users perform.

A.7.2.1 Management responsibilities
Deploying Safeguard for Privileged Passwords and Safeguard for Privileged Sessions provides an excellent way for management to demonstrate its support of the organization's information security policies, procedures and controls.

A.7.3.1 Termination or change of employment responsibilities
Safeguard for Privileged Passwords, Safeguard for Privileged Sessions and Privilege Manager for Sudo can quickly terminate access privileges to sensitive information and reduce or remove access to system accounts, even if a user has multiple identities from holding different roles over many years with the organization.