by TomOwens 696 days ago
I'm looking through what I have access to quickly.

I started with the CSA's Cloud Controls Matrix, just because they trace to a bunch of other standards. They have a control - IAM-07 - that is to "de-provision or respectively modify access of movers / leavers or system identity changes in a timely manner in order to effectively adopt and communicate identity and access management policies". This control points to other sources.

One standard that I have access to, CIS Critical Security Controls v8.1, calls for a process that disables or deletes accounts and revokes access "immediately upon termination, rights revocation, or role change of a user". I believe v8.1 is the latest version.

The Trust Services Criteria mapping is to CC5.3 and CC6.3. This defers to defined organizational policies and procedures and doesn't specify any timelines.

ISO/IEC 27001:2022 and ISO/IEC 27002:2022 mapping is A.5.15 and A.5.18. This is identified as a gap in earlier versions of these standards. I don't have ready access to these standards, so I can't tell you if they give any timelines.

The NIST 800-53 rev 5 mappings are to AC-2 (1, 2, 6, 8), AC-3 (8), AC-6 (7), AU-10 (4), AU-16 (1), and CM-7 (1). All of these appear to defer to organizationally-defined timing and frequency for review.

The NIST CSF v2.0 mapping is to GV.RR-04, GV.SC-10, PR.AA-01, and PR.AA-05. The most relevant ones are the PR.AA controls and they both defer to organizational policies for definitions.

As far as I can tell, most standards simply require that a company define its policies and procedures, and then certification or audit against that standard would only ensure that the documented policies are being followed. If you wanted to implement the "immediate", one way to do it would be to document that as your process (optionally by adopting the CIS Critical Security Controls, but you may or may not want to adopt the whole set) and then have it in a SOC 2 Type 2 audit where the auditor would sample people who have left the organization and when their access was revoked.
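The last paragraph describes the evidence an auditor would sample: for each leaver, when HR recorded the termination versus when IAM actually disabled the account. Below is an added example (not from the comment above or from any of the standards it cites) that computes that deprovisioning lag and flags anyone outside the documented window. The HR feed, the IAM audit log format (`<timestamp> <action> <user>`), the `account.disable` action name and the 24-hour policy window are all assumptions constructed for the example; a leaver whose account was never disabled is measured against "now" and always flagged, since a still-live account is the finding, not a missing data point.

```python
"""Deprovisioning-lag check (added example; formats and window are assumed)."""
from datetime import datetime, timedelta, timezone

# Assumed policy window for this example: access must be disabled within 24h
# of the HR termination timestamp. Adjust to whatever the documented policy says.
POLICY_WINDOW = timedelta(hours=24)

# Constructed HR feed: leaver user id and termination time (UTC, ISO 8601).
HR_TERMINATIONS = [
    {"user": "alice", "terminated_at": "2024-03-01T17:00:00Z"},
    {"user": "bob", "terminated_at": "2024-03-02T09:30:00Z"},
    {"user": "carol", "terminated_at": "2024-03-03T12:00:00Z"},
    {"user": "dave", "terminated_at": "2024-03-04T08:00:00Z"},
]

# Constructed IAM audit lines in the assumed "<timestamp> <action> <user>" form.
# "erin" is disabled but is not a leaver; "carol" only logs in and is never disabled.
IAM_AUDIT_LOG = """\
2024-03-01T17:05:00Z account.disable alice
2024-03-02T08:00:00Z account.disable erin
2024-03-03T14:45:00Z account.disable bob
2024-03-04T11:00:00Z account.login carol
"""


def parse_ts(s):
    """Parse an ISO 8601 UTC timestamp with a trailing 'Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_iam_log(text):
    """Return {user: earliest account.disable timestamp} from the audit lines."""
    disabled = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, user = line.split()
        if action != "account.disable":
            continue
        t = parse_ts(ts)
        if user not in disabled or t < disabled[user]:
            disabled[user] = t
    return disabled


def deprovisioning_report(terminations, iam_log_text, now, window=POLICY_WINDOW):
    """Per leaver: hours between termination and disable, and a status.

    status is "ok" (disabled within the window, including disables that happened
    before the HR timestamp), "late" (disabled after the window), or
    "still_active" (no disable event at all; lag is measured up to `now`).
    """
    disabled = parse_iam_log(iam_log_text)
    report = []
    for rec in terminations:
        user = rec["user"]
        term = parse_ts(rec["terminated_at"])
        if user in disabled:
            lag = disabled[user] - term
            status = "ok" if lag <= window else "late"
        else:
            lag = now - term
            status = "still_active"
        report.append({
            "user": user,
            "lag_hours": round(lag.total_seconds() / 3600, 2),
            "status": status,
        })
    return report


def breaches(report):
    """Users whose revocation did not meet the documented window."""
    return [r["user"] for r in report if r["status"] != "ok"]


if __name__ == "__main__":
    now = parse_ts("2024-03-10T00:00:00Z")  # constructed "audit date"
    for row in deprovisioning_report(HR_TERMINATIONS, IAM_AUDIT_LOG, now):
        print(row)
    print("breaches:", breaches(deprovisioning_report(HR_TERMINATIONS, IAM_AUDIT_LOG, now)))
```

Run against the constructed data, alice is inside the window, bob is about 29 hours late, and carol and dave are still active a week later. The useful design point is that the join key is the HR record, not the IAM log: you iterate over leavers and look up disables, so an account that never produced a disable event cannot silently drop out of the sample.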