About ISO 27001
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization.
ISO 27001 (formally known as ISO/IEC 27001:2013) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes. According to its documentation, ISO 27001 was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.”
While the ISO 27001 standard applies to any kind of organization that handles sensitive data, the following industries implement it most often.
In the IT industry, software development companies, cloud providers, and IT support companies typically implement ISO 27001 to assure their clients, by holding a certificate, that they are able to safeguard client information in the best possible way, or to comply with contractual security requirements from their main clients. In the financial industry, banks, insurance companies, brokerage houses, and other financial institutions typically implement ISO 27001 when they need to comply with numerous laws and regulations. Telecommunication companies, including Internet providers, want to protect the huge amount of data they handle in a transparent way, so they naturally look to ISO 27001 as a framework that helps them do so. Government agencies look to ISO 27001 to protect the confidentiality, integrity and availability of the data they handle, which is the cornerstone of the standard.
Several industries derive their own standards from ISO 27001 to tailor its requirements to their specific needs: health organizations protect the data of their patients, pharmaceutical companies protect their R&D data, food processing companies protect their special recipes, and manufacturing companies protect their knowledge of how certain parts are produced.
About Xton Access Manager
Xton Access Manager (XTAM) is an agentless, cross-platform privileged access management solution with an unlimited licensing model, built from the ground up with an enterprise feature set. It is simple to implement, without the typical enterprise cost and effort.
A privileged account is a non-individual, often shared, user account used by machines or by administrators to perform maintenance activities. Examples of such accounts include:
- Accounts used by machines to communicate between each other;
- Shared accounts used by groups of people (external billing, corporate representatives);
- Accounts for Database Administrators, database schema, application pool owners, global administrators;
- Local computer accounts (root, administrator, tomcat, jenkins, jira);
- Built-in IoT accounts (sensors, printers, routers, coffee machines, cameras, beacons).
XTAM provides out-of-the-box features to discover, manage, access and monitor privileged accounts:
- A secure AES-256 encrypted Identity Vault to maintain total administrative control over all your passwords, certificates, keys, files, secrets and privileged accounts.
- Privileged Session Recording to ensure all sessions are retained and can be used for diagnosis or forensic investigations.
- Integrated Job and Policy Engine to automate Password Resets, Privileged Account Discovery and repetitive tasks.
- Full system event and user Audit Trails that can trigger notifications and in-application alerts.
Recommended XTAM Workflow
XTAM supports multiple use cases and may be used as part of several security and productivity enhancement workflows. To help organizations comply with NIST.SP.800-171 requirements, we recommend the following workflow.
| Step | Description |
| --- | --- |
| Discover | Discover privileged accounts in the network using XTAM discovery facilities. |
| Import | Import privileged accounts into the XTAM vault from the discovery process or from other sources using the import facilities. Enter undiscovered privileged accounts into the XTAM vault manually. |
| Unlock | Authorize XTAM users to unlock passwords or certificates in the XTAM vault when needed. |
| Access | Authorize XTAM users to connect to managed privileged accounts, without disclosing credentials, using the XTAM session manager when needed. |
| Execute | Authorize XTAM users to execute privileged commands and scripts on managed information systems, without disclosing credentials, using the XTAM job engine when needed. |
| Monitor | Use XTAM notification facilities, the audit log, history, job execution history and session history reports to monitor system activity. Stream system logs to your organization's SIEM for global analysis. |
Mapping XTAM Functions to the Guideline Requirements
To see how Xton Access Manager maps to the ISO 27001 standard, please download our PDF report.