Logical access control
To reduce the opportunities for an attacker to use accounts as part of an attack, user accounts must be defined according to the security principles of need-to-know access, least privilege, and segregation of duties.
Need-to-know access principles are:
- Only operators (users and administrators) who have a continuing requirement to access the secure zone are allowed to have accounts within the secure zone.
- Privileges are only assigned to an operator with a validated need-to-know. Access to other system functions is disabled.
Least privilege principles are:
- User and administrator privileges are controlled in a way that allows all privileges to be tailored to individual needs.
- Accounts are granted only the privileges that are necessary. Additional privileges are only granted on a temporary basis.
Segregation of duties principles are:
- Dual authorization (a second, independent person must approve sensitive actions) is enforced. See also Transaction business controls.
- Sensitive duties are separated: some roles cannot be held by the same individual, for example:
  - application administrator and security officer
  - network administrator and operating system administrator
  - transaction submission and transaction approval
  - database administrator (who creates tables and procedures) and data user (who selects, inserts, updates or deletes data)
Accounts are reviewed at least annually and adjusted as required to enforce these access principles. Privileges are revoked promptly when an employee changes roles or leaves the organization.
Furthermore, a documented emergency (break-glass) procedure provides access to privileged accounts when the authorized persons are unavailable due to unexpected circumstances. Each use of the procedure is logged, access to the emergency account is controlled, all activity performed under the account is logged, and the account's password is changed immediately after the emergency has been handled.
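The three checks an account review has to perform can be automated against an export of account assignments: segregation-of-duties conflicts (the role pairs listed above), temporary privileges that were never revoked, and accounts whose last review is older than the annual interval. The script below is an added illustration, not part of the original policy text; the conflicting role pairs are taken from the list above, while the account data, the role identifiers and the exact 365-day interval are constructed assumptions.

```python
"""Access-review checks for the principles in this section.

Added example: role names mirror the policy's conflict list; the account
records, grant expiry dates and review interval are constructed sample data.
"""
from datetime import date, timedelta
from itertools import combinations

# Role pairs that must never be held by the same individual (from the policy).
# Stored as frozensets so the order of the pair does not matter.
SOD_CONFLICTS = {
    frozenset({"application_administrator", "security_officer"}),
    frozenset({"network_administrator", "os_administrator"}),
    frozenset({"transaction_submitter", "transaction_approver"}),
    frozenset({"database_administrator", "data_user"}),
}

REVIEW_INTERVAL = timedelta(days=365)  # "reviewed at least annually" (assumed as 365 days)

# Constructed sample export: account -> permanent roles, temporary grants
# (role -> expiry date), and the date of the last access review.
ACCOUNTS = {
    "alice": {"roles": {"application_administrator", "security_officer"},
              "temp_grants": {},
              "last_review": date(2023, 1, 10)},
    "bob":   {"roles": {"transaction_submitter"},
              "temp_grants": {"transaction_approver": date(2024, 3, 31)},
              "last_review": date(2024, 6, 1)},
    "carol": {"roles": {"network_administrator", "data_user"},
              "temp_grants": {},
              "last_review": date(2024, 2, 20)},
}


def sod_violations(accounts, conflicts=SOD_CONFLICTS):
    """Return (account, role_a, role_b) for every conflicting pair an account holds.

    Temporary grants count as held roles: a temporary approval right on a
    submitter's account is still a segregation-of-duties breach.
    """
    found = []
    for name, acct in accounts.items():
        held = set(acct["roles"]) | set(acct["temp_grants"])
        for a, b in combinations(sorted(held), 2):
            if frozenset({a, b}) in conflicts:
                found.append((name, a, b))
    return found


def expired_grants(accounts, today):
    """Temporary privileges whose expiry has passed but which are still assigned."""
    return [(name, role)
            for name, acct in accounts.items()
            for role, expiry in acct["temp_grants"].items()
            if expiry < today]


def overdue_reviews(accounts, today, interval=REVIEW_INTERVAL):
    """Accounts whose last review is older than the required interval."""
    return [name for name, acct in accounts.items()
            if today - acct["last_review"] > interval]


if __name__ == "__main__":
    today = date(2024, 7, 1)  # constructed "current" date for the sample run
    for name, a, b in sod_violations(ACCOUNTS):
        print(f"SoD conflict: {name} holds both {a} and {b}")
    for name, role in expired_grants(ACCOUNTS, today):
        print(f"Expired temporary grant still active: {name} -> {role}")
    for name in overdue_reviews(ACCOUNTS, today):
        print(f"Review overdue: {name}")
```

In the sample data, alice breaches the application administrator / security officer separation, bob's expired temporary approval right both violates submission/approval separation and should already have been revoked, and alice's account has not been reviewed within the year. Running the checks over a real export would replace the constructed `ACCOUNTS` dictionary with data from the identity store; the conflict table stays as the policy's list of incompatible roles.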