A.9 Access control

Version: 3.0

Valid until: 2025-04-10

Classification: Low

Version Management

| Version | Author(s) | Change(s) | Date approved |
|---|---|---|---|
| 1.0 | Stefan van Aalst, Edward Robinson | Initiation document | 2022-05-23 |
| 1.1 | Edward Robinson | Additions to align more with anDREa’s working method and annex text. Renamed to A.9 Access control from B11 User access management. | 2022-12-23 |
| 2.0 | Edward Robinson | Additions/changes as part of the annual review. Removed the link to the Log On policy because it didn't add much. | 2023-06-01 |
| 3.0 | Edward Robinson | Additions/changes as part of the annual review. Updated broken link for Asset Overview. Updated Research Support responsibilities under 9.1.1. Updated all ST and AAD terms to RST and Entra ID, respectively. Added the use of Google Workspace accounts for business processes. | |

Purpose & background


In the interest of all stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintaining and continually improving an information security management system in accordance with the requirements of ISO 27001:2017.


The purpose of this document is to describe the access control policy of anDREa and the associated controls, checks and administrations.


This document will be reviewed at least annually and when significant change happens.

Objectives


The objectives of this control are:


  • To limit access to information and information processing facilities (A.9.1).

  • To ensure authorised user access and to prevent unauthorised access to systems and services (A.9.2).

  • To make users accountable for safeguarding their authentication information (A.9.3).

  • To prevent unauthorised access to systems and applications (A.9.4).


Scope

The scope of this document corresponds to Clause 4 Context of the organisation.

Availability

This document is:


  • required reading for:

    • all employees and contractors of anDREa.

  • available for all interested parties as appropriate.

Norm elements

A.9.1 Business requirements of access control

A.9.1.1 Access control policy & A.9.1.2 Access to networks and network services


“An access control policy shall be established, documented and reviewed based on business and information security requirements.”

“Users shall only be provided with access to the network and network services that they have been specifically authorised to use.”



Principles:

  • When granting access to information, the ‘least-privileged’ principle applies. This means that access is only granted if an employee needs it to perform his/her job. As few rights as possible are granted and those rights will be granted for as short a period of time as possible.

  • If possible, Role Based Access Control (RBAC) will be applied.


Registration:


  • anDREa maintains a complete overview of all infrastructure assets to which employees must be granted access. This is registered in anDREa People - Asset Overview.

  • anDREa has designated an Asset Responsible for each asset, who is responsible for its adequate maintenance and management. This is registered in anDREa People - Asset Overview.

  • For each asset there is an overview of the different types of permissions (roles) that can be assigned to users. This is registered in anDREa People - Asset Overview.


Responsibilities:


  • For access to anDREa assets:

    • Access is issued by the Asset Responsible based on the least-privileged principle. A list of applications and assets that anDREa has in use is registered in anDREa People - Asset Overview.


  • For support on the myDRE environment:

    • The support team of anDREa creates guest user accounts in Microsoft Entra ID for mandated Research Support Team (RST) members of the customers. RST member responsibilities can be found here: (Core) Support Team profile

    • RST members are required to understand and sign the RST agreement and to complete the RST training and quiz to demonstrate the relevant knowledge. The Security Officer ensures that these components are completed before requesting access to Entra ID. anDREa is responsible for training the RST members before access to Entra ID and administrator access to Zohodesk is granted. anDREa B.V. is not involved in the creation of Workspaces, the submission of user account requests or the invitation of users to Workspaces.

    • The RST member(s) of the customers are assigned a Privileged Identity Management (PIM) role scoped to a specific part of Entra ID, where they can edit myDRE accounts, delete myDRE accounts and reset passwords. PIM activations are reviewed monthly and discussed during ISMB meetings.


A.9.2 User access management

A.9.2.1 User access registration and de-registration & A.9.2.2 User access provisioning


“A formal user registration and de-registration process shall be implemented to enable assignment of access rights.”

“A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.”



anDREa employees and contractors & Tenant Research Support Team (RST) members:

  • New anDREa employees and contractors, and Tenant-appointed Research Support Team members, are onboarded and offboarded via anDREa’s ticketing system in the ‘On- and offboarding’ department. These tickets start an automatic workflow that assigns follow-up tasks to Asset Responsibles.

    • Tasks include, but are not limited to, granting and revoking access to assets and accounts.

myDRE end users:

  • Access to myDRE Workspaces is provided by the Workspace Accountable. This is usually a Principal Investigator, department head or project leader. Assigning a Workspace Accountable upon Workspace creation is the responsibility of the relevant RST member.

    • Users can request Workspace creation and the assignment of an Accountable via support.mydre.org by selecting their organisation and filling in the appropriate ticket form.

  • The Workspace Accountable and other invited Workspace users are automatically assigned RBAC roles on the resources belonging to their own Workspace.

  • anDREa does not provide access to Workspaces unless specifically requested by an authorised person.


A.9.2.3 Management of privileged access rights


“The allocation and use of privileged access rights shall be restricted and controlled.”


anDREa employees and contractors & Tenant Research Support Team (RST) members:

  • Access is issued by the Asset Responsible (the administrator of the specific asset) based on the least-privileged principle. A list of environments that anDREa uses is registered in anDREa People - Asset Overview. This overview also shows the permissions held by each person.

  • Users with privileged access rights in the anDREa Entra ID are trained before they are granted those rights. Completion of the training is recorded in the associated Zoho tickets.

    • The Research Support team of anDREa creates guest user accounts in Entra ID for mandated Research Support Team (RST) members of the customers. RST member responsibilities can be found here: (Core) Support Team profile

    • RST members are required to understand and sign the RST agreement and to complete the RST training and quiz. anDREa B.V. is responsible for training the RST members before access to Entra ID and anDREa’s ticketing system is granted. anDREa B.V. is not involved in the creation of Workspaces, the submission of user account requests or the invitation of users to Workspaces.

    • Working in Entra ID requires activation of the appropriate role assignment in Azure Privileged Identity Management (PIM).

      • PIM activations are reviewed monthly, and deviations are discussed in the monthly Information Security Management Board (ISMB) meetings.

myDRE end users:

  • myDRE users only have access to the workspaces of which they are a member.

  • Workspace access and the use of the associated resources are controlled via RBAC.


A.9.2.4 Management of secret authentication information of users


“The allocation of secret authentication information shall be controlled through a formal management process.”


Following onboarding as described in A.9.2.3, the allocation of secret authentication information is carried out via Microsoft Azure. All accounts require multi-factor authentication (MFA). anDREa employees and myDRE users set up MFA for their myDRE account via an activation link. All users must use the Microsoft Authenticator application, with location, requesting application and number matching enabled, for all interaction with Microsoft products and services. For non-Microsoft applications and services that are not classified as low risk, MFA is required but may use an MFA application other than Microsoft Authenticator; examples are our financial applications and anDREa's Google Suite Business accounts. In all other cases MFA is highly recommended.

A.9.2.5 Review of user access rights & A.9.2.6 Removal or adjustment of access rights


“Asset Responsibles shall review users’ access rights at regular intervals.”

“The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.”



Asset Responsibles will review access to the assets registered in anDREa People - Asset Overview at least biannually. Events such as termination of employment, contract or agreement also trigger an access review. Associated tickets are created per asset with due dates for the access review. At a minimum, the performance of the access review has to be documented in the relevant ticket. The review is performed by the Asset Responsible and has to be communicated to the Security Officer upon completion. Where possible, screenshots of the access rights are attached to the relevant ticket. It is the responsibility of the Security Officer to ensure that all access reviews are performed in a timely manner by the Asset Responsibles.

In case of offboarding and associated revoking of permissions, an offboarding workflow is initiated via a Zoho ticket in the ‘On- and offboarding’ department, which assigns tasks to the appropriate Asset Responsible.


A.9.3 User responsibilities

A.9.3.1 Use of secret authentication information


“Users shall be required to follow the organisation’s practices in the use of secret authentication information.”


The use of secret authentication information is described in A.9.2.4. Users of myDRE are not able to reset MFA themselves. A ticket to request an MFA reset can be submitted to the local RST member via the ticket system. MFA resets for users require PIM role activation. MFA resets for privileged members such as RST members require a dedicated PIM role.

A.9.4 System and application access control

A.9.4.1 Information access restriction


“Access to information and application system functions shall be restricted in accordance with the access control policy.”


This control follows the principles and measures of A.9.1.1.

A.9.4.2 Secure log-on procedures & A.9.4.3 Password management system


“Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.”

“Password management systems shall be interactive and shall ensure quality passwords.”



Employees of anDREa are issued an @mydre.org account (with relevant Microsoft 365 licences) for myDRE platform-related processes and have to set up their own password that is compliant with the Password policy. MFA is enforced for all accounts. Access to assets is role-based and access will be granted by the relevant Asset Responsible. It is advised to make use of a password manager, either a free version or a licensed version issued by anDREa.

For business processes, anDREa employees are issued a Google Workspace account which is used for email and Google Drive storage. MFA is enforced for all accounts.

Users of the myDRE platform are only issued an @mydre.org username (without Microsoft 365 licences) and a temporary password. Upon first login, the password has to be changed to one that is compliant with the Password policy. Users are allowed to change their password if they know their current password. Users are not allowed to perform a password reset themselves; password resets need to be requested via a ticket on support.mydre.org. The newly generated password is communicated to the user separately from the username and application URL. User password resets require PIM role activation by RST members or the anDREa Support Team.


A.9.4.4 Use of privileged utility programs


“The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.”


anDREa has created and maintains a list of privileged utility programs for the categories workstations, myDRE as SaaS and Virtual Machines. The use of privileged utility programs for myDRE as SaaS and Virtual Machines is restricted based on RBAC.

A.9.4.5 Access control to program source code


“Access to program source code shall be restricted.”


The source code of myDRE is located in private GitHub repositories. Access to GitHub is restricted by an RBAC group in anDREa’s Entra ID. Membership of this group is only granted to anDREa developers, testers and the Security Officer. Access to GitHub is reviewed by the Asset Responsible at least biannually, or upon employment changes. A quarterly back-up of the source code is deposited with the ESCROW service. Access to that deposit is controlled by the ESCROW party and is the responsibility of the anDREa shareholders and the ESCROW party.

Administrations

