Compliance
The principle of least privilege requires that a user be given no more privileges than are required to perform their job function. An important aspect of implementing least privilege is to avoid letting users log on to their desktops with admin rights. In practice this can be difficult to achieve, as a user must still be granted the privileges necessary to perform all of their tasks.
The concept of least privilege has become more prevalent in recent years due to the need for many organizations to be compliant with standards such as USGCB, PCI DSS, Government Connect and HIPAA.
Avecto Privilege Guard can play a key role in implementing a least privilege environment and deploying compliant desktops. Read more in our Regulatory Compliance and Least Privilege Security Whitepaper.
USGCB
The USGCB, an OMB (U.S. Office of Management and Budget) mandate, requires that all Federal Agencies standardize the configuration of approximately 300 settings on each of their Windows XP and Vista computers. Chief among these is the removal of admin rights:
- The complete removal of all user administrator privileges
Code of Connection
The GCSX Code of Connection (CoCo) is a list of security controls and is a mandatory requirement for connection to GCSX.
- 4.2 Configuration: The execution of unauthorized software is prevented.
- 4.3 Configuration: Organizations have in place a configuration control process which prevents unauthorized changes to the standard build of network devices and hosts (this includes both clients and servers).
- 13.2 Protective Monitoring: Audit logs recording user activities, exceptions and information security events are available to be produced to assist in investigations and access control monitoring.
- 18.1 Web Enabled Applications: The web browser and other web-enabled applications, such as media players do not run in the context of a privileged user.
PCI Compliance
For businesses that store or process credit card information, there are two references to user privileges under the current version of PCI DSS in Requirement 7:
- 7.1.1 Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities.
- 7.2.2 Assignment of privileges to individuals based on job classification and function.
HIPAA
Due to the high-level nature of HIPAA directives, COBIT (Control Objectives for Information and Related Technology) is generally used as the standard by which the technical aspects of the regulations are audited.
- DS 5.3 Identity Management - Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities.
- DS 5.4 User Account Management - Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.
- DS 5.7 Protection of Security Technology - Make security-related technology resistant to tampering.
- DS 5.9 Malicious Software Prevention, Detection and Correction - Put preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the organization to protect information systems and technology from malware (e.g. viruses, worms, spyware, spam).