IDSO-012: Access to sensitive data is periodically attested

Description: Sensitive data can mean different things depending on the organization’s nature, its regulatory jurisdiction(s), and industry. The following are common sensitive data categories.

  • Personally Identifiable Information (PII)
  • Personal Health Information (PHI)
  • Export Controlled Data (ITAR/EAR)

In accordance with least privilege principles, data owners must ensure that only necessary access is granted for sensitive data they are responsible for. When a user leaves the organization or moves within the organization, permissions must be revoked to prevent unauthorized access and privilege creep.

Benefit: Actively reduces the risk of a data breach caused by unauthorized access from external actors and insider threats.


Implementation Approaches

Security Frameworks

NIST Cybersecurity Framework 1.1

  • PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
  • PR.AC-3: Remote access is managed
  • PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
Title: Periodic Entitlement Reviews are Conducted by Data Owners

Technology Components: Data Access Governance (DAG)

Description: In this approach, the organization assigns attestation responsibility over a given data set to the respective data owner. Examples of data owners are the CEO or CFO of the business that owns the data. The data owner must conduct an entitlement review periodically in order to attest that only the required users have access, with appropriate permissions.

Pre-requisites:

  • DAG is in place to assign responsibility to appropriate data owners
  • DAG is aware of permissions to folders/files and how they get assigned (e.g. directly in the content management system or using groups in the user repository/directories)
  • DAG identifies files containing sensitive data
  • Periodic review campaigns are generated for reviewers with possible remediation

Supporting Member Companies: Fischer Identity, ForgeRock, Omada, SailPoint, Saviynt, SecZetta, Thales
Title: Unused Permissions are Revoked After a Predefined Time Window

Technology Components: Data Access Governance (DAG), Access Management (AM)

Description: In this approach, a user’s access to data (e.g. a folder containing sensitive data) or online resources (e.g. SaaS applications) is automatically revoked if the user does not access the data or online resource in any manner over a predefined time window. This window should be configurable to allow for vacations and other leaves of absence.

Pre-requisites:

  • DAG is in place to assign responsibility to appropriate data owners
  • DAG is aware of permissions to folders/files and also the usage history of these permissions
  • DAG is configured with a remediation workflow to revoke access after a predefined time window
  • Access can be controlled directly by modifying the underlying account/entitlement information, or indirectly through integration with the Access Management product that controls access to the content

Supporting Member Companies: Fischer Identity, ForgeRock, Omada, SailPoint, Saviynt, Thales
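The two approaches above share one data model: an entitlement (user, resource, permission) with a usage history, a resource owner, and a record of approved leaves. The example below, added here to illustrate both approaches and not code from the IDSA page or from any of the member companies listed, builds the per-owner review campaign of the first approach and computes the stale entitlements of the second, extending the inactivity window by any approved leave that falls inside it so that a vacation does not trigger revocation. All records, names, dates and the 90-day default are constructed for the example.

```python
"""Entitlement review campaigns and inactivity-based revocation (illustrative).

Added example for this page; not a vendor API. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Entitlement:
    user: str
    resource: str              # folder share or SaaS application
    permission: str            # e.g. "read", "write"
    granted_on: date
    last_used: Optional[date]  # None means never used since it was granted


@dataclass(frozen=True)
class Resource:
    name: str
    owner: str                 # data owner accountable for attestation
    sensitive: bool            # set by DAG classification (assumed upstream)


@dataclass(frozen=True)
class Leave:
    user: str
    start: date
    end: date                  # inclusive


def build_review_campaign(resources: List[Resource],
                          entitlements: List[Entitlement]) -> Dict[str, List[Entitlement]]:
    """Approach 1: one review list per data owner, covering sensitive resources only."""
    owner_of = {r.name: r.owner for r in resources if r.sensitive}
    campaign: Dict[str, List[Entitlement]] = {}
    for e in entitlements:
        owner = owner_of.get(e.resource)
        if owner is None:
            continue  # not classified sensitive, so not part of this attestation
        campaign.setdefault(owner, []).append(e)
    for items in campaign.values():
        items.sort(key=lambda e: (e.resource, e.user, e.permission))
    return campaign


def days_on_leave(user: str, leaves: List[Leave], window_start: date, window_end: date) -> int:
    """Number of approved leave days for `user` inside [window_start, window_end]."""
    total = 0
    for lv in leaves:
        if lv.user != user:
            continue
        start = max(lv.start, window_start)
        end = min(lv.end, window_end)
        if end >= start:
            total += (end - start).days + 1
    return total


def stale_entitlements(entitlements: List[Entitlement], leaves: List[Leave],
                       today: date, inactivity_days: int = 90) -> List[Entitlement]:
    """Approach 2: entitlements with no use in the window, after crediting leave days.

    Leave days inside the window push the cutoff further back by the same amount,
    so an absence alone never causes a revocation. A never-used grant counts from
    the day it was granted.
    """
    window_start = today - timedelta(days=inactivity_days)
    stale = []
    for e in entitlements:
        credit = days_on_leave(e.user, leaves, window_start, today)
        cutoff = window_start - timedelta(days=credit)
        last_activity = e.last_used or e.granted_on
        if last_activity < cutoff:
            stale.append(e)
    return stale


# Constructed sample data.
TODAY = date(2024, 6, 30)
RESOURCES = [
    Resource("finance-share", owner="cfo", sensitive=True),
    Resource("hr-saas", owner="chro", sensitive=True),
    Resource("wiki", owner="it", sensitive=False),
]
ENTITLEMENTS = [
    Entitlement("alice", "finance-share", "read", date(2023, 1, 9), date(2024, 6, 20)),
    Entitlement("bob", "finance-share", "write", date(2023, 1, 9), date(2024, 2, 15)),
    Entitlement("carol", "finance-share", "read", date(2023, 1, 9), date(2024, 3, 1)),
    Entitlement("dave", "hr-saas", "read", date(2024, 1, 10), None),
    Entitlement("erin", "wiki", "read", date(2023, 1, 9), date(2024, 1, 1)),
]
LEAVES = [Leave("carol", date(2024, 3, 5), date(2024, 5, 15))]

if __name__ == "__main__":
    for owner, items in build_review_campaign(RESOURCES, ENTITLEMENTS).items():
        print(f"review for {owner}: {[(e.user, e.resource, e.permission) for e in items]}")
    for e in stale_entitlements(ENTITLEMENTS, LEAVES, TODAY):
        print(f"revoke: {e.user} {e.permission} on {e.resource}")
```

In the sample, carol's last use predates the 90-day window, but her 45 leave days inside it move her cutoff back far enough that she is kept; bob, dave (never used) and erin are reported for revocation. The non-sensitive wiki entitlement is still subject to inactivity revocation but does not appear in any owner's attestation campaign.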

