Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update Tracking access control page #931

Merged
merged 1 commit into from
Jul 30, 2024
Merged

Update Tracking access control page #931

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 8 additions & 6 deletions source/standards/secrets-acl.html.md.erb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,23 +1,25 @@
---
title: Tracking Access Control
last_reviewed_on: 2022-10-26
last_reviewed_on: 2024-07-26
review_in: 6 months
---
# <%= current_page.data.title %>

You should track the list of users who have access to secrets by logging the permissions, such as accounts and credentials, associated with a security resource in a single, centralised Access Control List (ACL).
The ACL specifies who or what is allowed to access the resource containing secrets and the operations which are allowed to be performed on the resource. Also see Principle of Least Privilege for authentication and authorisation guidance.

ACL repositories used to log access to systems for storing and processing secrets should have designated colleagues within each directorate responsible for reviewing access granted on a defined periodic cadence (e.g. monthly, quarterly).
The ACL specifies who or what is allowed to access the resource containing secrets and the operations which are allowed to be performed on the resource. See [Principle of Least Privilege](/standards/principle-least-access.html) for guidance on minimising access rights.

User access rights must be reviewed when people change roles or teams as part of your joiners, leavers and movers process. ACLs should also be regularly reviewed on a predefined cadence (e.g. monthly, quarterly).

Identified exceptions should be raised with the colleague responsible for risk management in the directorate for escalation.

Teams ACL review should be documented to reflect:

* who (colleague) completed the review
* date review is undertaken
* next review date
* any changes to user status granted access, and the reason for change (if any).
* refer to new joiner, mover and leaver access process to reflect change in access status
* any changes to user status granted access, and the reason for change (if any)

## Further guidance
- [NCSC - 10 steps to cyber security](https://www.ncsc.gov.uk/collection/10-steps)
- [How to manage access to your third-party service accounts](/standards/accounts-with-third-parties.html)
- [NCSC Cyber Assessment Framework - Principle B2 Identity and Access Control](https://www.ncsc.gov.uk/collection/cyber-assessment-framework/caf-objective-b/principle-b2-identity-and-access-control)