About ISO 27001

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization.

ISO 27001 (formally known as ISO/IEC 27001:2013) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes. According to its documentation, ISO 27001 was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.”

While the ISO 27001 standard applies to any kind of organization that handles sensitive data, the following industries implement it most often.

In the IT industry, software development companies, cloud providers and IT support companies typically implement ISO 27001 to assure their clients, by providing a certificate, that they can safeguard client information, or to meet contractual security requirements from their main clients. In the financial industry, banks, insurance companies, brokerage houses and other financial institutions typically implement ISO 27001 when they need to comply with numerous laws and regulations. Telecommunication companies, including Internet providers, need to demonstrably protect the huge amount of data they handle, so they naturally look to ISO 27001 as a framework that helps them do so. Government agencies turn to ISO 27001 to protect the confidentiality, integrity and availability of the data they handle, which is the cornerstone of the standard.

Several industries derive their own standards from ISO 27001 to tailor the standard requirements to their specific needs. Health organizations attempt to protect the data of their patients, pharmaceutical companies want to protect their R&D data, food processing companies protect their special recipes, manufacturing companies want to protect their knowledge on how certain parts are produced.

About Xton Access Manager

Xton Access Manager (XTAM) is an agentless, cross-platform privileged access management solution with an unlimited licensing model, built from the ground up with an enterprise feature set. It is simple to implement and avoids the typical enterprise cost and effort.

A privileged account is a non-individual, often shared, user account that is used by machines to talk to each other or by administrators to perform maintenance activities. Examples of such accounts include:

  • Accounts used by machines to communicate between each other;
  • Accounts shared by groups of people (external billing, corporate representatives);
  • Database administrator, database schema owner, application pool owner and global administrator accounts;
  • Local computer accounts (root, administrator, tomcat, jenkins, jira);
  • Built-in IoT accounts (sensors, printers, routers, coffee machines, cameras, beacons).

XTAM provides out-of-the-box features to discover, manage, access and monitor privileged accounts:

  • A secure AES-256 encrypted Identity Vault to maintain total administrative control over all your passwords, certificates, keys, files, secrets and privileged accounts.
  • Privileged Session Recording to ensure all sessions are retained and can be used for diagnosis or forensic investigations.
  • Integrated Job and Policy Engine to automate Password Resets, Privileged Account Discovery and repetitive tasks.
  • Full system event and user Audit Trails that can trigger notifications and in-application alerts.

Recommended XTAM Workflow

XTAM supports multiple use cases and can be used as part of several security and productivity workflows. To help organizations comply with ISO 27001 requirements we recommend the following workflow.

Discover
  Discover privileged accounts on the network using the XTAM discovery facilities.

Import
  Import privileged accounts into the XTAM vault from the discovery process or from other sources using the import facilities. Enter any privileged accounts that discovery did not find into the XTAM vault manually.

Manage
  • Define a password rotation policy for imported or manually entered privileged accounts, describing when and how passwords are rotated for groups of accounts or for individual accounts.
  • Grant and revoke access to privileged account records, or groups of records, in the XTAM vault for the organization's users and groups.
  • Use Microsoft Active Directory, an LDAP-based user directory or the local XTAM user directory as the directory of the organization's users and groups.

Rotate
  • Let the XTAM engine change the passwords of managed accounts. Alternatively, change privileged account passwords manually and update the XTAM vault.
  • After this step every privileged account activity goes through the XTAM instance, because the actual password is no longer known to any user.

Unlock
  Authorize XTAM users to unlock passwords or certificates in the XTAM vault when needed.

Access
  Authorize XTAM users to connect to managed privileged accounts through the XTAM session manager when needed, without disclosing the credentials.

Execute
  Authorize XTAM users to execute privileged commands and scripts on managed information systems through the XTAM job engine when needed, without disclosing the credentials.

Monitor
  Use the XTAM notification facilities, audit log, history, job execution history and session history reports to monitor system activity. Stream system logs to your organization's SIEM for global analysis.
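To make the Manage, Rotate and Unlock steps concrete, here is an added example of a minimal vault written in Go with only the standard library. It is not XTAM's code and does not reflect XTAM's data model or API; the record layout, the audit line format, the 24-character generated password and the push callback that stands in for the job setting the password on the target system are all assumptions made for the illustration. It shows the properties the workflow relies on: secrets are held only as AES-256-GCM ciphertext, a rotation policy decides when a password is due, the new value reaches the target before the vault commits it and is never returned to a person, and every unlock, including denied ones, lands in an audit trail that could be streamed to a SIEM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"time"
)

// record is all the vault keeps for an account: AES-256-GCM ciphertext and nonce (never the plaintext), last rotation time, who may unlock it.
type record struct {
	nonce, ciphertext []byte
	rotatedAt         time.Time
	allowed           map[string]bool
}

type Vault struct {
	aead    cipher.AEAD
	records map[string]*record
	Audit   []string // one "time actor action account" line per event (assumed format)
}

// NewVault insists on a 32-byte key: aes.NewCipher would silently accept 16 or 24 bytes (AES-128/192).
func NewVault(masterKey []byte) (*Vault, error) {
	block, err := aes.NewCipher(masterKey)
	if err != nil || len(masterKey) != 32 {
		return nil, fmt.Errorf("master key must be exactly 32 bytes for AES-256")
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Vault{aead: aead, records: map[string]*record{}}, nil
}

func (v *Vault) log(at time.Time, actor, action, account string) {
	v.Audit = append(v.Audit, fmt.Sprintf("%s %s %s %s", at.Format(time.RFC3339), actor, action, account))
}

// seal encrypts password under a fresh random nonce; GCM nonces must never repeat under one key.
func (v *Vault) seal(r *record, password string, now time.Time) error {
	r.nonce = make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(r.nonce); err != nil {
		return err
	}
	r.ciphertext = v.aead.Seal(nil, r.nonce, []byte(password), nil)
	r.rotatedAt = now
	return nil
}

// Import stores a discovered or manually entered credential and who is allowed to unlock it.
func (v *Vault) Import(actor, account, password string, allowed map[string]bool, now time.Time) error {
	r := &record{allowed: allowed}
	if err := v.seal(r, password, now); err != nil {
		return err
	}
	v.records[account] = r
	v.log(now, actor, "import", account)
	return nil
}

// Rotate replaces the password once it is older than maxAge. push applies the new value on the target
// first; if that fails the vault keeps the old value, so vault and target never drift apart. No person sees it.
func (v *Vault) Rotate(actor, account string, maxAge time.Duration, now time.Time, push func(newPassword string) error) (bool, error) {
	r, ok := v.records[account]
	if !ok {
		return false, fmt.Errorf("no such account %q", account)
	} else if now.Sub(r.rotatedAt) <= maxAge {
		return false, nil // not due yet under this policy
	}
	raw := make([]byte, 18) // 144 random bits -> 24 URL-safe base64 characters
	if _, err := rand.Read(raw); err != nil {
		return false, err
	}
	pw := base64.RawURLEncoding.EncodeToString(raw)
	if err := push(pw); err != nil {
		v.log(now, actor, "rotate-failed", account)
		return false, err
	}
	if err := v.seal(r, pw, now); err != nil {
		return false, err
	}
	v.log(now, actor, "rotate", account)
	return true, nil
}

// Unlock reveals a password to an authorized user; denied attempts are audited too.
func (v *Vault) Unlock(actor, account string, now time.Time) (string, error) {
	r, ok := v.records[account]
	if !ok || !r.allowed[actor] {
		v.log(now, actor, "unlock-denied", account)
		return "", fmt.Errorf("access denied")
	}
	pt, err := v.aead.Open(nil, r.nonce, r.ciphertext, nil)
	if err != nil {
		return "", err
	}
	v.log(now, actor, "unlock", account)
	return string(pt), nil
}
```

Two details are worth carrying into any real deployment. The key-length guard in NewVault matters because aes.NewCipher derives AES-128 from a 16-byte key without complaint, which would quietly contradict an "AES-256 vault" claim. The order of operations in Rotate matters because a password that was written to the vault but never applied on the target, or the reverse, is the classic PAM failure mode; here the target is updated first and the vault only afterwards, so a failed push leaves the old, still-working credential in place and an audit line explaining why.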

Mapping XTAM Functions to the Guideline Requirements

To see how Xton Access Manager maps to the ISO 27001 standard, please download our PDF report.

Copyright © 2018 Xton Technologies, LLC. All rights reserved.