(i) human resources security, access control policies and asset management
Preambles 49, 85, 33, 53
Asset management
ISO 27001 - Annex A - Section: A 8.2.1 / 5.12
Classification of information
Wallix recommendation
PASM/PEDM: access to machines and data is limited through Privileged Access Security Management (PASM) and Privilege Elevation and Delegation Management (PEDM):
PASM controls and monitors who accesses sensitive data or critical systems during sessions, preventing unauthorized exposure of confidential information. By managing and securing privileged access, PASM helps safeguard sensitive data from unauthorized access or exposure.
Identity-as-a-Service (IDaaS): by enforcing strict access controls and authentication mechanisms, IDaaS mitigates the risk of unauthorized data access or leakage.
PEDM directly contributes to information classification by controlling and monitoring privilege escalation. It ensures that only authorized personnel with appropriate permissions can access sensitive data. By enforcing least-privilege principles and managing delegation effectively, PEDM limits access to confidential information, reducing the risk of data breaches.
Identity and Access Governance (IAG): IAG provides the ability to analyze existing access to data and information sources. Based on this knowledge, an organization can match these analytics to the needs of user roles and build a classification matrix for the organization.
Access Control Policies
(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption
Preamble 98
Cryptography and encryption technologies
ISO 27001 - Annex A - Section: A 10.1.1 / 8.24
Policy on the use of cryptographic controls
Wallix recommendation
Every connection to target systems is secured by cryptographic keys.
PASM solutions integrate with encrypted protocols to ensure secure transmission of data during privileged sessions.
Key management
(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
Preamble 85
Supply chain security
ISO 27001 - Annex A - Section: A 15.1.1 / 5.19
Information security policy for supplier relationships
Wallix recommendation
Privileged Session Management tools contribute to protecting audit information, which is crucial for maintaining system integrity and compliance, through several key mechanisms.
Using Multi-Factor Authentication ensures that the supplier's identity is proven and correct.
With Identity and Access Governance (IAG) as part of the Plan-Do-Check-Act (PDCA) cycle, the organization can develop strong access control management similar to that for internal user roles. This approach allows the organization to combine the management of suppliers (users and roles) with internal processes for information classification, access control policies, and established tiering models.
Related controls:
Addressing security within supplier agreements
Monitoring and review of supplier services
Managing changes to supplier services
(b) incident handling
Preamble 49
Incident handling and reporting
ISO 27001 - Annex A - Section: A 16.1.1 / 5.24
Responsibilities and procedures
Wallix recommendation
Role concept in Privileged Access Security Management (PAM) – Auditor / Approver / Admin / User roles – access to targets is based on authorizations (who can access which targets, with which protocols, under what circumstances, including approval workflows).
The PASM system is a strictly role/profile-driven access management system. Preconfigured profiles include general administrators, system administrators, organization administrators, auditors, approvers, and users. Additionally, it is possible to create more granular profiles that meet the specific needs of the organization.
At the user level, the PASM system can restrict access to authorized targets for a designated user group with specifically configured privileged accounts. For example, this allows only a special user group to access a predefined group of industrial targets, such as PLCs from a specific vendor.
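To make the authorization model described above concrete, here is an added toy implementation of a role-driven access decision (example code written for this page, not WALLIX code or its API). It assumes a user-to-profile mapping, user groups, target groups and a list of authorization rules; the class names, group names and sample users are all constructed for the illustration. Requests that match no rule are denied, an allowed rule may still require an approver's sign-off, and only a user holding the approver profile can grant that approval.

```python
"""Toy authorization model for a role-driven privileged access gateway.

Added illustration, not WALLIX code: Authorization, PamPolicy and the
group/target/user names below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# The four profiles named on the page; approvers sign off on requests,
# auditors only read session records.
PROFILES = {"admin", "auditor", "approver", "user"}


@dataclass(frozen=True)
class Authorization:
    """One rule: which user group may reach which target group, over which
    protocols, and whether an approver must sign off first."""
    user_group: str
    target_group: str
    protocols: FrozenSet[str]
    requires_approval: bool = False


@dataclass
class PamPolicy:
    profiles: Dict[str, str]                 # user -> profile
    user_groups: Dict[str, Set[str]]         # user -> groups the user belongs to
    target_groups: Dict[str, str]            # target -> target group
    authorizations: List[Authorization]
    approvals: Set[Tuple[str, str]] = field(default_factory=set)  # (user, target) pairs approved

    def approve(self, approver: str, user: str, target: str) -> None:
        """Only a user holding the approver profile can grant an approval."""
        if self.profiles.get(approver) != "approver":
            raise PermissionError(f"{approver} is not an approver")
        self.approvals.add((user, target))

    def decide(self, user: str, target: str, protocol: str) -> Tuple[str, str]:
        """Return (decision, reason). Default is deny: a request that matches
        no rule is rejected, which is what least privilege requires."""
        tgroup = self.target_groups.get(target)
        if tgroup is None:
            return "deny", f"unknown target {target}"
        for rule in self.authorizations:
            if rule.user_group not in self.user_groups.get(user, set()):
                continue
            if rule.target_group != tgroup:
                continue
            if protocol not in rule.protocols:
                # Rule covers this group/target but not this protocol; another
                # rule may still allow it, otherwise we fall through to deny.
                continue
            if rule.requires_approval and (user, target) not in self.approvals:
                return "pending", f"approval required for {user} -> {target}"
            return "allow", f"matched {rule.user_group}->{rule.target_group} via {protocol}"
        return "deny", f"no authorization for {user} -> {target} via {protocol}"


def build_example_policy() -> PamPolicy:
    """Constructed sample: an OT group limited to one vendor's PLCs over SSH,
    and a DBA group that needs approval for RDP to production databases."""
    return PamPolicy(
        profiles={"alice": "user", "bob": "user", "carol": "approver", "dave": "auditor"},
        user_groups={"alice": {"ot-ops"}, "bob": {"dba"}, "carol": set(), "dave": set()},
        target_groups={"plc-01": "plc-vendor-x", "plc-02": "plc-vendor-x", "db-prod-1": "db-prod"},
        authorizations=[
            Authorization("ot-ops", "plc-vendor-x", frozenset({"ssh"})),
            Authorization("dba", "db-prod", frozenset({"rdp"}), requires_approval=True),
        ],
    )


if __name__ == "__main__":
    policy = build_example_policy()
    for req in [("alice", "plc-01", "ssh"), ("alice", "plc-01", "rdp"),
                ("alice", "db-prod-1", "rdp"), ("bob", "db-prod-1", "rdp")]:
        print(req, policy.decide(*req))
    policy.approve("carol", "bob", "db-prod-1")
    print(("bob", "db-prod-1", "rdp"), policy.decide("bob", "db-prod-1", "rdp"))
```

The decision function returns a reason string alongside the verdict so that every allow, deny or pending outcome can be written to the session audit log, which is what makes the authorization matrix reviewable by the auditor role.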