---+IAM-03 Risk-Based Procedure for Locking and Withdrawal of Identities
---+IAM-03.01B
---+IAM-03.02B
---+IAM-03.03B
---+IAM-03.04B
---+IAM-03.01AC
---+IAM-03.02AC
---+IAM-03.03AC
---+IAM-03.03AS
1. Overview
| Identifier | Standard |
| IAM-03.01B | The cloud service provider has a risk-based procedure in place for managing identities (cf. IAM-01), taking into account the types of data accessible via the identities of the internal and external personnel. %BR% This criterion applies to identities that refer to single, multiple or non-human entities. |
| IAM-03.02B | As part of this procedure, specific parameters for automatically locking and withdrawing access due to inactivity or indications of brute force attacks are defined, with exceptions for the identities whose use is restricted to emergency recovery and similar scenarios. %BR% This criterion applies to identities that refer to single, multiple or non-human entities. %BR% Locking can result from a longer absence of the personnel, for example, due to illness, parental leave, or sabbatical. Multiple failed login attempts can be indications of brute force attacks. |
| IAM-03.03B | The cloud service provider documents and implements a process for monitoring stolen and compromised credentials, which also includes disabling any identity for which an issue is identified. This process is implemented on all identities under the responsibility of the cloud service provider that have privileged access rights. %BR% This criterion applies to identities that refer to single, multiple or non-human entities. %BR% This process can be performed automatically, or manually by authorised personnel. |
| IAM-03.04B | The aforementioned process includes an exception mechanism to be applied if all identities needed to manage the situation are potentially compromised. %BR% This criterion applies to identities that refer to single, multiple or non-human entities. %BR% This exception mechanism should be implemented as part of the business continuity and emergency management system (cf. BCM-01), as cases where all identities needed to manage the situation described in IAM-03.03B are potentially compromised constitute an emergency. |
| IAM-03.01AC | The context of authentication attempts is monitored and suspicious events are, as relevant, flagged to authorised persons. %BR% This criterion applies to identities that refer to single, multiple or non-human entities. %BR% The context of an authentication attempt can, but does not have to, include IP addresses, the date and time, or the device used. |
| IAM-03.02AC | The effectiveness of the procedures for locking and withdrawing identities is validated. %BR% This criterion applies to identities that refer to single, multiple or non-human entities. |
| IAM-03.03AC | Timely and appropriate remediation measures address any deviations identified during validation. %BR% This criterion applies to identities that refer to single, multiple or non-human entities. |
| IAM-03.03AS | The cloud service provider documents and implements a process for monitoring stolen and compromised credentials, which also includes disabling any identity for which an issue is identified. This process is implemented on all identities under the responsibility of the cloud service provider. %BR% This criterion applies to identities that refer to single, multiple or non-human entities. %BR% This process can be performed automatically, or manually by authorised personnel. |
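Added example, not part of the scheme text or of any provider's implementation: a Python sketch of how the automatic locking parameters of IAM-03.02B (inactivity limit, brute-force indication, emergency-recovery exception) and the authentication-context flagging of IAM-03.01AC can be evaluated over identity records and login events. Identity names, addresses, thresholds and the evaluation time are constructed values.

```python
from datetime import datetime, timedelta

# Constructed inventory (not from the page): last successful use, privilege level,
# and whether the identity is reserved for emergency recovery (IAM-03.02B exception).
IDENTITIES = {
    "alice":      {"privileged": False, "emergency": False, "last_used": "2024-01-15T08:00:00"},
    "ops-admin":  {"privileged": True,  "emergency": False, "last_used": "2024-04-01T09:00:00"},
    "breakglass": {"privileged": True,  "emergency": True,  "last_used": "2023-01-01T00:00:00"},
    "svc-backup": {"privileged": False, "emergency": False, "last_used": "2024-05-14T23:00:00"},
}
# Constructed authentication events: (timestamp, identity, outcome, source IP, device).
def _burst(name, sec, ip, n=5):
    return [(f"2024-05-15T10:00:{sec + k:02d}", name, "fail", ip, "unknown") for k in range(n)]
EVENTS = (_burst("svc-backup", 1, "203.0.113.7", 3) + _burst("svc-backup", 8, "203.0.113.9", 2)
          + _burst("breakglass", 20, "203.0.113.7")
          + [("2024-05-15T09:00:00", "alice", "fail", "198.51.100.4", "laptop-01"),
             ("2024-05-15T11:00:00", "alice", "fail", "198.51.100.4", "laptop-01"),
             ("2024-05-15T11:30:00", "alice", "success", "198.51.100.4", "laptop-01")])
# Assumed risk-based parameters: privileged identities tolerate less inactivity.
INACTIVITY_DAYS = {True: 30, False: 90}
FAILURE_THRESHOLD, FAILURE_WINDOW = 5, timedelta(minutes=10)
NOW = datetime.fromisoformat("2024-05-15T12:00:00")   # assumed evaluation time

def inactive_identities(now, identities=IDENTITIES):
    """Identities whose last use is older than their risk-based inactivity limit."""
    return sorted(n for n, i in identities.items()
                  if now - datetime.fromisoformat(i["last_used"])
                  > timedelta(days=INACTIVITY_DAYS[i["privileged"]]))

def brute_force_indications(events=EVENTS):
    """Failures clustered within FAILURE_WINDOW, with context for triage (IAM-03.01AC)."""
    fails = {}
    for t, name, outcome, ip, dev in sorted(events):
        if outcome == "fail":
            fails.setdefault(name, []).append((datetime.fromisoformat(t), ip, dev))
    hits = {}
    for name, fs in fails.items():
        for i in range(FAILURE_THRESHOLD - 1, len(fs)):       # sliding window over failures
            window = fs[i - FAILURE_THRESHOLD + 1:i + 1]
            if window[-1][0] - window[0][0] <= FAILURE_WINDOW:
                hits[name] = {"failures": len(window),
                              "sources": sorted({ip for _, ip, _ in window}),
                              "devices": sorted({d for _, _, d in window})}
                break
    return hits

def lock_decisions(now, identities=IDENTITIES, events=EVENTS):
    """Lock on inactivity or brute force; emergency-recovery identities are only flagged."""
    decisions = {n: "lock:inactivity" for n in inactive_identities(now, identities)
                 if not identities[n]["emergency"]}
    for name in brute_force_indications(events):
        decisions[name] = ("flag:emergency-exception" if identities[name]["emergency"]
                           else "lock:brute-force")
    return decisions
```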
1.1 References
1.2 Identified Requirements
1.2 Related Regulation
2. Identified Requirements
Requirements
| Source | Requirement |
3. Related Regulations
Regulations
| Source | Regulation |