Initial Stage - Limited Access Control:
When CW&L first started, its access control measures were rudimentary at best. All employees had relatively open access to systems and data, with little differentiation based on roles or job functions. This ‘one size fits all’ approach to access control was simpler to manage, but it left sensitive systems and data exposed to unnecessary risks.
Recognizing the Problem:
The lack of effective access control measures became painfully evident during the 2018 data breach. Intruders were able to easily move laterally through the network due to the lack of restrictions on access. The new CISO quickly identified the need for more stringent access control measures and made this a top priority in the cybersecurity overhaul.
Implementation Stage - Introducing Role-Based Access Control:
The first step towards implementing effective access controls was to define clear roles and responsibilities within the organization. Each role was carefully analyzed to determine the least amount of access necessary for employees to perform their jobs efficiently. This principle of ‘least privilege’ was crucial in minimizing the potential damage from both internal and external threats.
Once roles were defined, a Role-Based Access Control (RBAC) system was implemented. The RBAC system granted permissions based on roles, ensuring that individuals only had access to the data and systems necessary for their roles.
Enrichment Stage - Strengthening Authentication and Authorization:
In addition to RBAC, CW&L implemented stronger authentication mechanisms. Two-factor authentication (2FA) was introduced for all users, adding an extra layer of security.
For particularly sensitive operations, such as administrative tasks within the CDE, even stronger controls were implemented. This included measures such as multi-factor authentication and secure admin workstations.
Authorization measures were also tightened. Any changes in access rights were subject to approval from a senior manager, and regular audits were conducted to ensure access rights remained appropriate when roles or responsibilities changed.
Ongoing Maintenance - Regular Reviews and Audits:
With these systems in place, CW&L initiated regular reviews and audits of their access control measures. This helped ensure that the principle of least privilege was maintained as roles and responsibilities evolved within the organization. Access logs were also closely monitored to identify any irregularities or potential security incidents.
Current Status - Effective and Proactive Access Control:
Today, CW&L has a robust and proactive access control program in place. The journey from rudimentary access controls to a comprehensive, role-based access control system was a key component of their cybersecurity overhaul. It has played a significant role in their ability to achieve and maintain PCI DSS v4.0 compliance, and in significantly improving their overall security posture.