ORP.4 Identity and Access Management
  ORP.4.G1 Insufficient Processes in Identity and Access Management
  ORP.4.G2 No Central Means of Disabling User Access Authorisations
  ORP.4.G3 Incorrect Administration of Site, System, and Data Access Rights
  ORP.4.A1 Regulation for Creating and Deleting Users and User Groups [IT Operation Department] (B)
  ORP.4.A2 Creating, Changing, and Revoking Authorisations [IT Operation Department] (B)
  ORP.4.A3 Documentation of User IDs and Rights Profiles [IT Operation Department] (B)
  ORP.4.A4 Distribution of Tasks and Separation of Roles [IT Operation Department] (B)
  ORP.4.A5 Assignment of Site Access Rights [IT Operation Department] (B)
  ORP.4.A6 Assignment of System Access Rights [IT Operation Department] (B)
  ORP.4.A7 Assignment of Data Access Rights [IT Operation Department] (B)
  ORP.4.A8 Provisions Governing the Use of Passwords [User, IT Operation Department] (B)
  ORP.4.A9 Identification and Authentication [IT Operation Department] (B)
  ORP.4.A24 Dual Control for Administrative Activities [IT Operation Department] (H)
  ORP.4.A23 Regulating Password-Processing Applications and IT Systems [IT Operation Department] (B)
  ORP.4.A10 Protection of User IDs with Wide-Ranging Authorisations [IT Operation Department] (S)
  ORP.4.A11 Resetting Passwords [IT Operation Department] (S)
  ORP.4.A12 Developing an Authentication Concept for IT Systems and Applications [IT Operation Department] (S)
  ORP.4.A13 Selection of Suitable Authentication Mechanisms [IT Operation Department] (S)
  ORP.4.A14 Checking the Effectiveness of User Separation in IT Systems or Applications [IT Operation Department] (S)
  ORP.4.A15 Approach and Design of Identity and Access Management Processes [IT Operation Department] (S)
  ORP.4.A16 Policies for Data and System Access Control [IT Operation Department] (S)
  ORP.4.A17 Suitable Selection of Identity and Access Management Systems [IT Operation Department] (S)
  ORP.4.A18 Using a Central Authentication Service [IT Operation Department] (S)
  ORP.4.A19 Instruction of All Employees in the Handling of Authentication Methods and Mechanisms [User, Head of IT] (S)
  ORP.4.A20 Contingency Planning for the Identity and Access Management System [IT Operation Department] (H)
  ORP.4.A21 Multi-Factor Authentication [IT Operation Department] (H)


ORP.4 Identity and Access Management

1. Description
1.1. Introduction
Access to sensitive resources in an organisation must be restricted to authorised users and authorised IT components. Users and IT components must be identified and authenticated with certainty. The management of the information this requires is referred to as "identity management".
Access management, meanwhile, defines whether and how users or IT components may access and use information or services (i.e. whether they are granted or refused site, system, and data access based on their user profile). Access management includes the processes that are required to assign, withdraw, and control rights.
Since these two terms are closely connected, the term "identity and access management" (IAM) will be used from now on in this module. For better comprehensibility, the term "user ID" or "ID" is used synonymously with "user account", "login", and "account" in this module. The term "password" is used here as a general term for "passphrase", "PIN", or "passcode".
1.2. Objective
The objective of this module is to ensure that users and IT components can access only the IT resources and information that are required for their work and for which they are authorised, and that no access is granted to unauthorised users and IT components. To this end, it formulates requirements to be followed by organisations in establishing secure identity and access management.
1.3. Scoping and Modelling
Module ORP.4 Identity and Access Management must be applied once to the entire information domain under consideration.
This module describes fundamental requirements for implementing identity and access management.
Requirements that relate to components of identity and access management such as operating systems or directory services can be found in the corresponding modules (e.g. SYS.1.3 Unix Server, SYS.1.2.2 Windows Server 2012, APP.2.1 General Directory Service, APP.2.2 Active Directory).
4. Additional Information
4.1. Useful Resources
The International Organization for Standardization (ISO) provides guidelines for identity and access management in annex A.9 ("Access Control") of ISO/IEC 27001:2013, “Information Technology – Security Techniques – Information Security Management Systems – Requirements”.
The International Organization for Standardization (ISO) provides specifications for identity and access management in the standard ISO/IEC 29146:2016, “Information Technology – Security Techniques – A Framework for Access Management”.
The Information Security Forum (ISF) provides specifications on identity and access management in chapter TS1.4 (“Identity and Access Management”) of “The Standard of Good Practice for Information Security”.
The National Institute of Standards and Technology (NIST) provides guidance on identity and access management in NIST Special Publication 800-53A, specifically in areas AC and IA.
Designation    Standard
ORP.4.A1 Regulation for Creating and Deleting Users and User Groups [IT Operation Department] (B) Rules MUST be created to define how user IDs and user groups are to be established and deleted. It MUST be possible to associate every user ID with a unique user. User IDs that are inactive for longer periods SHOULD be disabled. All users and user groups MUST ONLY be created and deleted via separate administrative roles. User IDs that are not required, such as guest accounts set up by default or default administrator IDs, MUST be appropriately disabled or deleted.
ORP.4.A2 Creating, Changing, and Revoking Authorisations [IT Operation Department] (B) User IDs and authorisations MUST ONLY be granted on the basis of actual need in connection with specific tasks (in line with the least-privilege and need-to-know principles). If there are personnel changes, the user IDs and authorisations that are no longer required MUST be removed. If employees apply for authorisations that are beyond the respective standard, they MUST ONLY be assigned after additional justification and verification are provided. Access permissions to system directories and files SHOULD be restricted. All authorisations MUST be established via separate administrative roles.
ORP.4.A3 Documentation of User IDs and Rights Profiles [IT Operation Department] (B) The user IDs, user groups, and rights profiles that have been approved and created MUST be documented. The documentation of authorised users, user groups, and rights profiles MUST be examined regularly to see if it reflects the rights actually assigned to the users and profiles, and if the rights granted still meet the security requirements and are appropriate for the current tasks of the corresponding users. The documentation MUST be protected against unauthorised access. If the documentation is made available in electronic form, it SHOULD be integrated into a backup procedure.
ORP.4.A4 Distribution of Tasks and Separation of Roles [IT Operation Department] (B) The tasks and functions defined as incompatible by an organisation (see module ORP.1 Organisation) MUST be separated by its identity and access management system.
ORP.4.A5 Assignment of Site Access Rights [IT Operation Department] (B) The site access rights that are to be granted to or withdrawn from certain people in certain roles MUST be defined. The issue and withdrawal of means of access such as chip cards MUST be documented. If site access resources have been compromised, they MUST be replaced. Persons with site access rights SHOULD be trained in the proper use of site access resources. Authorised persons SHOULD be blocked temporarily if they are to be absent for a longer period of time.
ORP.4.A6 Assignment of System Access Rights [IT Operation Department] (B) The system access rights that are to be granted to and/or withdrawn from certain people in certain roles MUST be defined. If system access resources like chip cards are used, their issue and withdrawal MUST be documented. If system access resources have been compromised, they MUST be replaced. Persons with system access rights SHOULD be trained in the proper use of system access resources. Authorised persons SHOULD be blocked temporarily if they are to be absent for a longer period of time.
ORP.4.A7 Assignment of Data Access Rights [IT Operation Department] (B) The data access rights that are to be granted to or withdrawn from certain people in certain roles MUST be defined. If data access resources like chip cards or tokens are used, their issue and withdrawal MUST be documented. Users SHOULD be trained in the proper use of chip cards or tokens. Authorised persons SHOULD be blocked temporarily if they are to be absent for a longer period of time.
ORP.4.A8 Provisions Governing the Use of Passwords [User, IT Operation Department] (B) Organisations MUST regulate the use of passwords in a binding manner (see also ORP.4.A22 Regulating Password Quality and ORP.4.A23 Regulating Password-Processing Applications and IT Systems). In doing so, they MUST consider whether passwords are to be used as the sole authentication method, or whether other authentication features or methods may be used in addition to or instead of passwords.
Passwords MUST NOT be used for multiple purposes. A separate password MUST be used for each IT system or application. Passwords that are easy to guess or are kept in common password lists MUST NOT be used. Passwords MUST be kept secret. They MUST ONLY be known by the respective users. When entering their passwords, users MUST ensure that no one else is watching. Passwords MUST NOT be stored on programmable function keys on keyboards or mice. Passwords MUST ONLY be written down in case of an emergency. They MUST then be stored securely. The use of a password manager SHOULD be considered. If password managers have features or plug-ins that synchronise passwords via third-party online services or otherwise transmit passwords to third parties, these features or plug-ins MUST be disabled. Passwords MUST be changed if it is suspected or discovered that they have become known to unauthorised persons.
ORP.4.A9 Identification and Authentication [IT Operation Department] (B) Access to all IT systems and services MUST be protected by appropriate identification and authentication of users, services, and IT systems. Pre-configured authentication resources MUST be changed before being put into production use.
ORP.4.A24 Dual Control for Administrative Activities [IT Operation Department] (H) Administrative activities SHOULD require the involvement of two persons. If multi-factor authentication is required, the factors SHOULD be distributed between the two persons. Passwords SHOULD be split into two parts and issued to each of the two persons.
ORP.4.A23 Regulating Password-Processing Applications and IT Systems [IT Operation Department] (B) IT systems or applications SHOULD ONLY prompt users to change their password with a valid reason. Changes based on the passage of time alone SHOULD be avoided. Safeguards MUST be taken to detect compromised passwords. If this is not possible, consideration SHOULD be given to whether passwords can be changed at certain intervals in spite of the related disadvantages.
Default passwords MUST be replaced by sufficiently strong passwords, and pre-defined IDs MUST be changed. It SHOULD be ensured that IT systems fully check the possible password length. When a password is changed, the old password MUST NOT be used again. Passwords MUST be stored as securely as possible. In cases involving IDs for technical users, service accounts, interfaces, or similar elements, a password change SHOULD be carefully planned and, if necessary, coordinated with the persons in charge of the application in question.
When providing authentication in networked systems, passwords MUST NOT be transmitted unencrypted over insecure networks. When passwords are transmitted on an intranet, they SHOULD be encrypted. In case of unsuccessful login attempts, the system in question SHOULD NOT indicate that the password or user ID is wrong.
ORP.4.A10 Protection of User IDs with Wide-Ranging Authorisations [IT Operation Department] (S) User IDs with broad privileges SHOULD be protected with multi-factor authentication (e.g. cryptographic certificates, chip cards or tokens).
ORP.4.A11 Resetting Passwords [IT Operation Department] (S) An appropriate and secure procedure SHOULD be defined and implemented for resetting passwords. The support staff members that are able to reset passwords SHOULD be trained accordingly. In case of higher password protection needs, a strategy SHOULD be defined for cases in which a support staff member cannot accept responsibility for providing a password due to the lack of secure options available.
ORP.4.A12 Developing an Authentication Concept for IT Systems and Applications [IT Operation Department] (S) An authentication concept SHOULD be drawn up that includes a definition of the functional and security requirements of authentication for each IT system and application at hand. Authentication information MUST be stored in a cryptographically secure manner. Authentication information MUST NOT be transmitted unencrypted over insecure networks.
ORP.4.A13 Selection of Suitable Authentication Mechanisms [IT Operation Department] (S) Identification and authentication mechanisms that meet the protection needs at hand SHOULD be used. Authentication data SHOULD be protected by IT systems and/or applications against espionage, modification, and destruction during processing. IT systems and applications SHOULD increasingly delay further authentication attempts after each unsuccessful attempt. It should be possible to limit the total duration of a login attempt. After the specified number of unsuccessful authentication attempts is exceeded, IT systems and applications SHOULD block the user ID in question.
ORP.4.A14 Checking the Effectiveness of User Separation in IT Systems or Applications [IT Operation Department] (S) Checks SHOULD be performed at appropriate intervals to ensure that users of IT systems or applications log off regularly after completing their tasks. It SHOULD also be checked that several users are not working under the same ID.
ORP.4.A15 Approach and Design of Identity and Access Management Processes [IT Operation Department] (S) The following processes SHOULD be defined and implemented for identity and access management:
• policy management
• identity profile management
• user ID management
• authorisation profile management
• role management
ORP.4.A16 Policies for Data and System Access Control [IT Operation Department] (S) A policy for data and system access control SHOULD be drawn up for IT systems, IT components, and data networks. Standard rights profiles that correspond to employees' roles and tasks SHOULD be used. A data access rule SHOULD be established in writing for every IT system and IT application.
ORP.4.A17 Suitable Selection of Identity and Access Management Systems [IT Operation Department] (S) An organisation's identity and access management system SHOULD be appropriate for its relevant business processes, organisational structures, and workflows, as well as for its protection needs. The identity and access management system SHOULD be able to map the specifications of the organisation for handling identities and authorisations. The identity and access management system chosen SHOULD support the principle of role separation. The identity and access management system SHOULD be adequately protected against attacks.
ORP.4.A18 Using a Central Authentication Service [IT Operation Department] (S) A central authentication service SHOULD be used to establish central identity and access management. The use of a central network-based authentication service SHOULD be planned carefully. To this end, the security requirements relevant in selecting a service of this kind SHOULD be documented.
ORP.4.A19 Instruction of All Employees in the Handling of Authentication Methods and Mechanisms [User, Head of IT] (S) All employees SHOULD be instructed in how to properly handle the authentication methods used. There SHOULD be comprehensible policies for handling authentication procedures. Employees SHOULD be informed of the relevant rules in this regard.
ORP.4.A20 Contingency Planning for the Identity and Access Management System [IT Operation Department] (H) The extent to which a failed identity and access management system is critical to the security of business processes SHOULD be determined. Provisions SHOULD be made to maintain operations in the event of a failed identity and access management system. In particular, the access control policy specified in the contingency concept at hand SHOULD still be applicable if the identity and access management system has failed.
ORP.4.A21 Multi-Factor Authentication [IT Operation Department] (H) Secure multi-factor authentication (e.g. using cryptographic certificates, chip cards, or tokens) SHOULD be used for authentication.
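As an added illustration of the technical requirements in ORP.4.A8, A12, A13 and A23 (example code written for this page, not part of the module text), the following Python login service rejects passwords from a common-password list, stores only salted iterated hashes, refuses to reuse the old password on change, delays and then blocks the ID after repeated failures, and returns the same error for an unknown ID and a wrong password. The password list, the failure threshold, the iteration count and all names are assumptions.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed stand-in for a published common-password list (ORP.4.A8).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MAX_FAILURES = 5                # assumed count after which the ID is blocked (A13)
PBKDF2_ITERATIONS = 100_000     # kept low for the demo; raise it in production
GENERIC_ERROR = "login failed"  # same text for unknown ID and wrong password (A23)


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: stored authentication data is not recoverable (A12/A23)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


class AuthService:
    def __init__(self, sleeper=time.sleep):
        self.accounts: dict[str, Account] = {}
        self.sleeper = sleeper             # injectable so a test need not wait
        self._dummy_salt = os.urandom(16)  # hashed against when the ID is unknown

    def set_password(self, user_id: str, password: str) -> None:
        if password.lower() in COMMON_PASSWORDS:
            raise ValueError("password is on the common-password list")
        old = self.accounts.get(user_id)
        if old is not None and hmac.compare_digest(hash_password(password, old.salt), old.digest):
            raise ValueError("the old password may not be used again")  # A23
        salt = os.urandom(16)
        self.accounts[user_id] = Account(salt, hash_password(password, salt))

    def login(self, user_id: str, password: str) -> tuple[bool, str]:
        acct = self.accounts.get(user_id)
        if acct is None:
            hash_password(password, self._dummy_salt)  # keep response time uniform
            return False, GENERIC_ERROR
        if acct.locked:
            return False, GENERIC_ERROR
        if hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failures = 0
            return True, "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True  # A13: block the ID after too many failures
        else:
            self.sleeper(min(2 ** acct.failures, 60))  # A13: growing delay per failure
        return False, GENERIC_ERROR
```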

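The regular review that ORP.4.A1 to A4 call for (documentation compared with the rights actually assigned, inactive and default IDs, incompatible role combinations) can be run against a system export. The following Python example is added here and is not from the module; the rights profiles, user IDs, the 90-day inactivity threshold, the default-ID set and the incompatible-role pair are constructed assumptions.

```python
from datetime import date, timedelta

# All data below is constructed; a real review would read the rights documentation
# kept under ORP.4.A3 and an export of the IT system being checked.
TODAY = date(2024, 6, 1)
INACTIVITY_LIMIT = timedelta(days=90)      # assumed meaning of "inactive for longer periods" (A1)
DEFAULT_IDS = {"guest", "administrator"}   # assumed default IDs that must be disabled (A1)
INCOMPATIBLE_ROLES = [{"approver", "requester"}]  # assumed pair taken from ORP.1 (A4)

RIGHTS_PROFILES = {                        # role -> rights the profile grants (A2/A16)
    "clerk": {"erp:read"},
    "approver": {"erp:read", "erp:approve"},
    "requester": {"erp:read", "erp:request"},
    "admin": {"erp:admin"},
}
DOCUMENTED = {                             # user ID -> approved roles (A3)
    "u.meyer": {"clerk"},
    "u.schmidt": {"approver", "requester"},
    "u.weber": {"requester"},
    "adm.koch": {"admin"},
    "u.braun": {"clerk"},
}
SYSTEM = {  # user ID -> (rights actually assigned, enabled, last login), as exported
    "u.meyer": ({"erp:read", "erp:approve"}, True, date(2024, 5, 28)),
    "u.schmidt": ({"erp:read", "erp:approve", "erp:request"}, True, date(2024, 1, 3)),
    "u.weber": ({"erp:read", "erp:request"}, True, date(2024, 5, 30)),
    "adm.koch": ({"erp:admin"}, True, date(2024, 5, 31)),
    "guest": (set(), True, None),
    "t.ex": ({"erp:read"}, True, date(2023, 9, 1)),
}


def expected_rights(roles):
    return set().union(*(RIGHTS_PROFILES[r] for r in roles))


def review(documented, system, today=TODAY):
    """Return sorted (user ID, finding) pairs; an empty list means the two agree."""
    findings = []
    for uid, roles in documented.items():
        for pair in INCOMPATIBLE_ROLES:  # A4: separation of incompatible functions
            if pair <= roles:
                findings.append((uid, "incompatible roles: " + ", ".join(sorted(pair))))
        if uid not in system:
            findings.append((uid, "documented ID missing from system"))
    for uid, (rights, enabled, last_login) in system.items():
        if uid in DEFAULT_IDS and enabled:
            findings.append((uid, "default ID still enabled"))
        if uid not in documented:
            findings.append((uid, "ID not in rights documentation"))
            continue
        extra = rights - expected_rights(documented[uid])  # A2: beyond the approved profile
        if extra:
            findings.append((uid, "rights beyond profile: " + ", ".join(sorted(extra))))
        if enabled and (last_login is None or today - last_login > INACTIVITY_LIMIT):
            findings.append((uid, "inactive, should be disabled"))
    return sorted(findings)
```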