Did you read the rules before you broke them?

An overview of some of the rules and regulations regarding access management and least privilege

Claude Mandy
Twenty 20 hindsight
Sep 4, 2019

Opinions expressed are solely my own and do not express the views or opinions of my employer

If you work in the security industry, then you’ll undoubtedly realise the importance of regulatory compliance. Regardless of whether you’re a vendor or an enterprise, there are a variety of laws and regulations that you may be required to comply with. In addition, there may be a number of security related compliance certifications that you’re aiming to proactively achieve as a business, to protect you as a business, meet customer demands and differentiate your business from others. Non-compliance can unfortunately result in fines, penalties, enforced remediation costs and also lost revenue from unhappy customers.

As a result, it is incredibly important to understand the requirements in some detail to ensure you meet both the intent of the regulation and its specifics. This post isn’t intended to be a comprehensive listing of all cyber security related regulations, laws and certification requirements, but is intended to point you to the key requirements related to access management and least privilege.

Hopefully this helps highlight some regulations where you might need to dig deeper into understanding areas that may be relevant to your organisation.

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Financial Modernization Act, enacted in 1999, mandates that all financial institutions in the United States safeguard customer data from internal and external threats. The key requirements oblige financial institutions to protect and maintain the confidentiality of customer information (“Financial Privacy Rule”), and to implement security programs to protect against any threats to customer information (“Safeguards Rule”).

This includes requirements for limiting access to customer information to employees who have a business reason to see it, and for identifying where sensitive customer information is stored and storing it securely. In addition, institutions are required to make sure only authorized employees have access.

Sarbanes-Oxley (SOX)

The Sarbanes-Oxley Act is a US federal law that lays out a number of requirements, primarily for U.S. public company boards, management and public accounting firms. Section 404 of the Act specifically mandates that adequate internal controls are in place, tested and documented for preparing financial reports and for protecting the integrity of the financial information going into these reports.

Although not specifically called out in the legislation, it is widely accepted that among the most common controls used to protect this information are robust identity management controls and the implementation of least privilege.

Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines

The Monetary Authority of Singapore (MAS) is the primary financial institution regulator in Singapore. MAS’s Technology Risk Management (TRM) Guidelines are intended to help financial firms establish sound technology risk management, strengthen system security, and safeguard sensitive data and transactions. The TRM contains statements of industry best practices that financial institutions conducting business in Singapore are expected to adopt. The MAS makes clear that, while the TRM requirements are not legally binding, they will be a benchmark the MAS uses in assessing the risk of financial institutions (FIs).

The TRM includes very specific requirements to ensure confidential information is encrypted in storage and protected through strong access controls based on least privilege. In addition, the TRM recommends granting access, including privileged access, only on a need-to-use basis and only within the period when access is required. The TRM also outlines a number of other very specific requirements for privileged access.

New York Department of Financial Services (NYDFS) Cyber Security regulation

The New York Department of Financial Services Cyber Security regulation is “designed to promote the protection of customer information as well as the information technology systems of regulated entities”. This regulation requires any entity licensed by the NYDFS to conduct a risk assessment and then implement a program with security controls for detecting and responding to cyber events.

Within the NYDFS Cyber Security Regulation, there are specific requirements for an entity to maintain an audit trail, to limit access privileges to PII, and to limit data retention and dispose of PII when it is no longer necessary.

General Data Protection Regulation (GDPR)

GDPR is the European Union (EU) privacy directive aimed at consolidating data protection regulations across EU member states. It is associated with potentially heavy fines and penalties for compliance breaches. Any organisation that is established in the EU, or that targets data subjects based in the EU, is subject to GDPR, regardless of whether the processing of personal data takes place in the EU.

One of the key requirements of GDPR relates to data access governance and essentially requires access to data to be controlled by “least privilege”, so that access to only the minimum resources is permitted and access to sensitive data is highly restricted.

Additional requirements that are especially worth understanding in respect of least privilege are in the areas of consent management, individuals’ right to have their data erased, and notifying people in the event of unauthorised access to personal information.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is the industry-accepted security standard for companies that accept credit card payments. There are a number of requirements applicable to companies related to securing credit, debit and cash card transactions and protecting cardholders against misuse of their personal information.

The specific requirements that focus on access management and least privilege are outlined in PCI DSS Requirements 7 and 8 respectively, and can be found in detail in the PCI DSS document linked at the end of this post.

The primary requirements oblige organisations to restrict access to cardholder data by business need-to-know and to identify and authenticate access to system components. The requirements outlined also include restricting access to the least privileges necessary to perform job responsibilities; ensuring that each user has a unique ID; controls for adding, modifying and deleting access; automatically revoking access for terminated users; and removing or disabling inactive user accounts within a set timeframe.

North American Electric Reliability Corporation (NERC)

The NERC Critical Infrastructure Protection (CIP) plan is a set of requirements designed to secure the assets required for operating North America’s bulk electric systems. CIP Standards 002–009 specifically outline core technical requirements for cyber security, including accountability throughout authentication, access control, delegation, separation of duties, continuous monitoring and reporting of electronic access to critical infrastructure. NERC CIP 004, 005, 007 and 008 also require that all electronic access be audited, monitored and archived so that an organization can reproduce detailed privileged user sessions 24 hours per day, 7 days per week.

HIPAA (Health Insurance Portability and Accountability Act)

The Health Insurance Portability and Accountability Act stipulates a number of national standards designed to protect the privacy of personal health information, or PHI. There are two primary aspects of the regulation that are relevant here, namely the Privacy Rule and the Security Rule. The Privacy Rule explains how and when healthcare professionals, lawyers, or anyone else who accesses your PHI can or cannot use that data, essentially creating a defined set of least privileges to be enforced over health care data. The Security Rule complements this by defining the minimum standards required to manage electronic PHI (ePHI). In its own words: “The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”

Need more information?

If you want to delve into more detail on what is in each regulation, I’ve included links directly to the regulations or regulator below.

https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act

https://www.congress.gov/bill/107th-congress/house-bill/3763

https://www.mas.gov.sg/-/media/MAS/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/TRM-Guidelines--21-June-2013.pdf

https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf

https://eugdpr.org/

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf

https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx

https://www.hhs.gov/hipaa/for-professionals/index.html