
Why ISO/IEC 27001 Compliance is Impossible without Privileged Account Management

Written by Joseph Grettenberger, compliance risk advisor, Compliance Collaborators, Inc.

Introduction

For many organizations, compliance with information security standards doesn’t seem to be getting easier. IT security compliance efforts are forever competing with projects to address ever-pressing information security threats, operational vulnerabilities and daily business risks, and they often lose out in the battle for resources and funding.

However, the reality is that these areas do not have to compete. By implementing proven solutions that address multiple foundational controls, you can achieve and prove regulatory compliance while guarding against the risks that threaten everyday operations or even land organizations in the headlines. For example, a key component of regulatory compliance is implementing (and demonstrating that you have implemented) reasonable and appropriate IT-related internal safeguards that minimize the risk of unauthorized disclosures and data breaches. Achieving and proving your compliance with such mandates requires you to mitigate the security risk of privileged access to systems and data — and implementing these privileged management controls will also further your organization’s broader security goals.

In this paper, you’ll learn about IT security compliance for ISO/IEC 27001 from an auditor’s perspective. Although the control objectives prescribed in ISO/IEC 27001 represent only a portion of the data security compliance obligations faced by many organizations, the standard is one of the most widely used information security management frameworks worldwide. For information about other mandates intended to protect sensitive data, please see my related papers on the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and the Sarbanes-Oxley Act (SOX).

The ISO/IEC 27001 security standard

ISO/IEC 27001 is an information security management standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC). The most recent version is officially titled “ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements,” which is commonly abbreviated to “ISO 27001.” ISO 27001 is used by organizations worldwide more than any other to establish, implement, maintain, assess and continually improve a robust information security management system (ISMS). Specifically, the standard identifies the requirements for establishing a framework for meeting an organization’s information security objectives. Among the requirements it specifies are leadership commitment, an information security policy and the official assignment of information security roles.

While ISO 27001 does not specify which controls an organization must adopt, it requires them to implement treatment options for identified risks that could realistically lead to a loss of security. Thus, ISO 27001 requires organizations to derive their own set of control requirements, based at least in part on a risk assessment, to ensure implementation of all of its ISMS requirements. To help, ISO 27001 provides a comprehensive catalog of control objectives and controls (Annex A) that organizations can use, and points to a companion standard (ISO/IEC 27002:2013) that provides implementation details on each control listed.

Streamlining compliance with Dell Privileged Account Management solutions

Privileged account management is critical to ISO 27001 compliance

It is noteworthy that 28 of the 35 control objectives listed in ISO 27001 Annex A — a full 80 percent — either imply or explicitly address privileged account management in some measure. Dell Privileged Account Management (PAM) solutions can help your organization comply with these control objectives and related industry best practices. You can monitor and report on privileged activities in all phases of the system development lifecycle — and easily demonstrate your organization’s compliance by quickly responding to audit inquiries using customizable, out-of-the-box reports. Plus, the Dell PAM solutions provide a separate database of activity records that you can use to substantiate security policy violations, for example, to support personnel sanctions.

Dell PAM solutions enable organizations to automate a substantial number of ISO 27001 Annex A’s reference controls. For example, minimal effort is required for you to ensure that each system user is uniquely identified; the abuse of system accounts is actively being prevented; strong password management settings are enforced; all privileged use activity is being tracked, recorded and logged; audit trails are secured; and explicit approval by authorized parties is required. Having these foundational IT security measures operating in both development and production environments complements standard user activity monitoring, malware and intrusion detection controls — providing the necessary layers for the defense in depth approach to information security needed in today’s information risk climate.

The Dell privileged management solutions discussed in this paper are:

• Privileged Password Manager

• Privileged Session Manager

• Privilege Manager for Sudo

Privileged Password Manager

Privileged Password Manager automates, controls and secures the entire process of granting administrators the credentials necessary to perform their duties. It ensures that privileged access is granted according to established policies with appropriate approvals; that all actions are fully audited and tracked; and that passwords are changed immediately upon their return.

Privileged Password Manager also eliminates the security exposure posed by embedded privileged passwords required for applications to talk to each other or to a database by replacing these hardcoded passwords with programmatic calls that dynamically retrieve the account credential.

Privileged Password Manager is deployed on a secure, hardened appliance.

Privileged Session Manager

Privileged Session Manager enables authorized trusted workforce members to issue privileged access for a specific period or session to administrators, remote vendors and high-risk users — with full recording and replay for auditing and compliance. It provides a single point of control from which trusted workforce members can authorize connections, limit access to specific resources, allow only certain commands to be run, view active connections, record all activity, alert if connections exceed pre-set time limits, and terminate connections.

This solution is also deployed on a secure, hardened appliance and, when combined with Privileged Password Manager, it can completely hide the account password from the privileged user.

Privilege Manager for Sudo

Privilege Manager for Sudo enhances sudo with a central policy server that enables centralized management of sudo and the sudoers policy file, as well as centralized reporting on sudoers access rights and activities. It also performs keystroke logging, complete with search and playback capabilities, for in-depth auditing and compliance requirements. Privilege Manager for Sudo is part of Dell Privileged Access Suite for Unix.

Dell PAM solutions substantially automate privileged account management to help ensure compliance with ISO 27001 control objectives and industry best practices.

Meeting ISO 27001 requirements with Dell PAM solutions

The following chart provides a detailed mapping of ISO/IEC 27001:2013 controls to the capabilities of Dell privileged account management solutions. You can use this mapping to proactively identify and address gaps in your ISO compliance with Dell PAM solutions.

ISO/IEC 27001:2013 controls from Annex A

| No. | Control name | How Dell PAM solutions help |
|---|---|---|
| A.5.1.1, A.6.1.1, A.6.1.2 | Policies for information security; Information security roles and responsibilities; Segregation of duties | Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo support the enterprise-wide access control and privileged access management requirements that are part of every information security policy. In particular, these tools help ensure that authorization and separation of duty (SoD) requirements are defined and enforced across all platforms in your network. |
| A.6.1.3 | Contact with authorities | Privileged Session Manager and Privileged Password Manager store recorded sessions and logs in a secure, encrypted vault and Privilege Manager for Sudo securely records keystrokes. These features provide organizations with a legally defensible repository of privileged activities from which they can retrieve court-admissible evidence using proper chain of custody controls. |
| A.6.1.5 | Information security in project management | With Dell PAM solutions, organizations can address questions that come from an information security risk assessment conducted at an early stage of a project by providing controls for granting and using privileged access. For example, Privileged Password Manager can be used when a project begins to define required security roles, and Privileged Session Manager can be used to carefully control and track the actions of privileged sessions for all project users, including remote users and contractors. |
| A.6.2.2 | Teleworking (remote access) | Organizations allowing remote access need a policy that restricts remote access privileges. Privileged Password Manager can restrict unauthorized remote IP addresses for API and CLI sessions. Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo automatically generate randomized passwords to reduce the risk of pass-the-hash, credential harvesting and other exploits that are often associated with remote access. Privileged Session Manager also protects against viruses, malware and other dangerous items that may exist on a remote user’s system because it proxies all sessions to target resources. In addition, it records all actions users perform. |
| A.7.2.1 | Management responsibilities | Deploying Privileged Password Manager and Privileged Session Manager provides an excellent way for management to demonstrate its support of the organization’s information security policies, procedures and controls. |
| A.7.3.1 | Termination or change of employment responsibilities | Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo can quickly terminate access privileges to sensitive information and reduce or remove access to system accounts — even if a user has multiple identities from holding different roles over many years with the organization. |
| A.8.1.1 | Inventory of assets | Privileged Password Manager and Privileged Session Manager can automatically discover all systems in your organization’s directory and export a list of active systems associated with the appliance, in either Excel or CSV format. |
| A.8.1.2 | Ownership of assets | Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo can ensure that only asset owners or those authorized by asset owners can grant access privileges to specific assets. |
| A.8.1.3 | Acceptable use of assets | Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo can enforce a policy requiring that access privileges be granted to only those areas, applications and functions required for assigned tasks. |
| A.8.2.2 | Labeling of information | Once an information classification scheme has been adopted and information assets have been labeled per the scheme, you can configure the corresponding privileged access request and approval requirements that are based on the scheme into various procedural workflows in Privileged Password Manager. |
| A.9.1.1 | Access control policy | Privileged Password Manager and Privileged Session Manager can enforce every logical access control identified in the “implementation guidance” and “other information” provided for access control policies in ISO 27002:2013, section 9.1.1. |
| A.9.1.2 | Access to networks and network services | Privileged Password Manager and Privileged Session Manager can enforce every logical access control identified in the implementation guidance provided for policies on the use of networks and network services in ISO 27002:2013, section 9.1.2. |
| A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.5, A.9.2.6 | User registration and de-registration; User access provisioning; Management of privileged access rights; Management of secret authentication information of users; Review of user access rights; Removal or adjustment of access rights | Privileged Password Manager and Privileged Session Manager provide organizations with a ready-made framework designed to support: (1) a formal user registration and de-registration process to enable assignment of access rights; (2) a formal user access provisioning process to assign or revoke access rights for all user types to all systems and services; and (3) a full-featured model for the complete management and review of access rights. Features include the assignment of unique user IDs; the means to adjust or revoke system access privileges across a variety of platforms in a timely manner for users who have changed roles or have left the organization; and the assured elimination of redundant user IDs across multiple platforms through a secure, centralized repository for user credentials. |
| A.9.3.1 | Use of secret authentication information | By automatically generating randomized passwords, Privileged Password Manager helps organizations keep authentication information confidential by eliminating the need to remember passwords or record them in an unsecure manner. |
| A.9.4.1 | Information access restriction | Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo can all restrict access to sensitive information (and system functions that could potentially provide such access) per your organization’s access control policy. Specifically, these solutions enable you to carefully manage privileged access and grant access to privileged information via an access request/approval workflow. |
| A.9.4.2 | Secure log-on procedures | Privileged Password Manager and Privileged Session Manager support a wide variety of secure log-on procedures that meet the requirements of section 9.4.2. |
| A.9.4.3, A.9.4.4 | Password management system; Use of privileged utility programs | Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo provide a centralized, secure password vault and password request workflow for authorizing and managing privileged user access controls. They also enable you to grant and log temporary use of privileged utility programs across a variety of database and operating system platforms. |
| A.9.4.5 | Access control to program source code | Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo can ensure that support personnel do not have unrestricted access to program source libraries and that developers do not have unrestricted access to the live operating environment. Also, Privileged Session Manager can record all session activities and Privilege Manager for Sudo can record all commands run during a session. These detailed records of authorized privilege activities can be used to review break/fix situations when emergency access to source code was needed. |
| A.10.1.1 | Policy on the use of cryptographic controls | All data stored in Privileged Password Manager and Privileged Session Manager is encrypted in storage and in transit. All connections to remote systems are proxied through the appliance, ensuring a secure single access point. |
| A.11.2.4, A.11.2.5, A.11.2.6, A.11.2.8 | Equipment maintenance; Removal of assets; Security of equipment and assets off-premises; Unattended user equipment | Privileged Password Manager and Privileged Session Manager include an intrusion switch that detects when the appliance’s cover is opened. |
| A.12.1.1 | Documented operating procedures | By enabling you to grant temporary access for a particular task and automatically revoking it on schedule, Privileged Session Manager and Privilege Manager for Sudo can support and record documented routine operating procedures such as computer startup, shutdown, and backup, as well as non-routine procedures in which emergency access is required for a particular situation and reviewed later for proper accountability. |
| A.12.1.2 | Change management | Change management is a foundational control for keeping unauthorized changes out of production operating environments. Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo can enforce change approval processes in both development and production environments. In addition, these tools are ideal for emergencies, when quick (but controlled) changes are required to resolve an incident. |
| A.12.1.3 | Capacity management | Session logs can be archived to external storage to ensure that physical resources on the Privileged Password Manager and Privileged Session Manager appliances are not exhausted. |
| A.12.1.4 | Separation of development, testing and operational environments | Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo can implement and enforce the privileged access authorization aspects of separating operational, testing, and development environments. |
| A.12.2.1 | Controls against malware | Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo all greatly reduce the risk of malware spreading in your network. For example, these solutions can restrict, manage and monitor activities in which malicious software is known to infect a network, such as new software downloads, automated software updates and unauthorized software installations. |
| A.12.3.1 | Information backup | By enabling you to grant temporary access for a particular task and automatically revoking it on schedule, Privileged Session Manager and Privilege Manager for Sudo can provide secure access to backup files, as well as manage and record both scheduled and unscheduled backup procedures. |
| A.12.4.1, A.12.4.2, A.12.4.3 | Event logging; Protection of log information; Administrator and operator logs | Privileged Password Manager and Privileged Session Manager protect logging facilities and log information in at least three ways: (1) by permitting only authorized administrators to access them; (2) by creating their own record of sensitive privileged sessions to supplement the information contained in event logs; and (3) by keeping a record of all authorized access to event logs. In addition, the appliance has its own database event log, logon security log, firewall log, Proc log (which collects information on cluster replication, software updates, batch processing and system services), alert log and archive log. It also gives you the option of securely replicating system admin, user activity and failed login events to a non-destructive syslog server. |
| A.12.4.4 | Clock synchronization | Privileged Password Manager supports Network Time Protocol (NTP) to ensure that clocks across all Dell devices are synchronized with a trusted time source. |
| A.12.5.1, A.12.6.1, A.12.6.2 | Installation of software on operational systems; Management of technical vulnerabilities; Restrictions on software installation | Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo can reduce technical vulnerabilities, such as unauthorized software downloads and installations, by enabling authorized administrators to ensure that all appropriate reviews, analysis, testing and production update scheduling is performed before software is installed. |
| A.12.7.1 | Information systems audit controls | Many organizations have core business applications with their own native auditing features. However, because organizations usually store and access sensitive information on and from many systems, they need audit controls that operate outside these systems. Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo can provide audit teams with timed, recorded, scope-bounded, read-only privileges to session recordings, enabling them to audit privileged activities in many information systems that contain or provide access to sensitive information. Privileged activities can be audited by user and by system. |
| A.13.1.1 | Network controls | Privileged Session Manager and Privilege Manager for Sudo can enforce privileged access policies, monitor and record privileged activities on both servers and network devices to ensure that controls are consistently applied across the information processing infrastructure. For example, Privilege Manager for Sudo can ensure that script files that include embedded sudo commands are compatible across all Unix-based systems. In addition, all access to and from the Privileged Session Manager appliance, which provides the central console for these tools, is encrypted. |
| A.13.1.2 | Security of network services | Privilege Manager for Sudo can ensure that all services requiring network access by network service providers are properly authorized and permitted only within the access limitations of your organization’s network services agreements. |
| A.13.1.3 | Segregation in networks | Network segregation is a standard security control for isolating logical groups of servers and users who have similar trust levels or who are working at the same location or in the same department. This keeps users who generally do not have a need to know from having access to all devices in the organization’s network. Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo are designed to work with popular methods of network segregation, such as subnets, Windows domains and AD forests, to support multiple types of network segregation, such as location-specific, department-specific or domain-specific sets of access controls. |
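An auditor reading the mapping above will want to verify, not just assert, the behaviour the paper attributes to Privileged Session Manager and Privileged Password Manager: sessions issued for a set period with explicit approval, an alert when a session exceeds its pre-set time limit, and the password changed immediately upon return (see A.9.4.3, A.12.4.1 and A.12.7.1). The following Python check is an added example, not code from the paper or from any Dell product; the record layout, field names and sample approval and session data are constructed for illustration.

```python
# Added example: cross-check exported privileged-session records against
# the approvals that should have authorized them. The key=value record
# format, the field names and all sample data below are constructed.
from datetime import datetime, timedelta


def parse_records(text):
    """Parse constructed 'key=value key=value ...' lines into dicts."""
    records = []
    for line in text.strip().splitlines():
        fields = dict(token.split("=", 1) for token in line.split())
        records.append(fields)
    return records


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def audit_sessions(approval_text, session_text, now):
    """Return (finding_code, session_id) pairs, one per policy violation."""
    approvals = {a["ticket"]: a for a in parse_records(approval_text)}
    findings = []
    for s in parse_records(session_text):
        sid = s["session"]
        a = approvals.get(s.get("ticket", ""))
        # 1. Every session must trace to an approval for the same user,
        #    target and account (explicit approval by authorized parties).
        if a is None or any(a[k] != s[k] for k in ("user", "target", "account")):
            findings.append(("NO_APPROVAL", sid))
            continue
        window_start = _ts(a["start"])
        window_end = window_start + timedelta(minutes=int(a["minutes"]))
        started = _ts(s["start"])
        # An open session (end=-) is measured up to 'now', so an overrun of
        # the pre-set time limit is flagged while it can still be terminated.
        ended = _ts(s["end"]) if s["end"] != "-" else now
        # 2. The session must fall inside the approved window.
        if started < window_start:
            findings.append(("BEFORE_WINDOW", sid))
        if ended > window_end:
            findings.append(("EXCEEDED_LIMIT", sid))
        # 3. A returned credential must have been rotated on check-in.
        if s["end"] != "-" and s["rotated"] != "yes":
            findings.append(("NOT_ROTATED", sid))
    return findings


# Constructed sample data: one approval per change ticket, each with a
# start time and a pre-set limit in minutes ...
APPROVALS = """\
ticket=CHG-1001 user=jdoe target=db01 account=root start=2015-03-02T09:00:00 minutes=60
ticket=CHG-1002 user=vendor7 target=app02 account=oracle start=2015-03-02T13:00:00 minutes=30
ticket=CHG-1003 user=asmith target=web03 account=root start=2015-03-02T15:00:00 minutes=45
"""

# ... and the session records as they might be exported from the
# recording appliance (end=- means the session is still open).
SESSIONS = """\
session=S1 user=jdoe target=db01 account=root ticket=CHG-1001 start=2015-03-02T09:05:00 end=2015-03-02T09:40:00 rotated=yes
session=S2 user=vendor7 target=app02 account=oracle ticket=CHG-1002 start=2015-03-02T13:02:00 end=2015-03-02T13:55:00 rotated=yes
session=S3 user=asmith target=web03 account=root ticket=CHG-1003 start=2015-03-02T15:10:00 end=- rotated=-
session=S4 user=asmith target=db01 account=root ticket=CHG-1003 start=2015-03-02T15:12:00 end=2015-03-02T15:20:00 rotated=no
session=S5 user=jdoe target=db01 account=root ticket=CHG-1001 start=2015-03-02T08:50:00 end=2015-03-02T09:10:00 rotated=no
"""

NOW = datetime(2015, 3, 2, 16, 0, 0)

if __name__ == "__main__":
    for code, sid in audit_sessions(APPROVALS, SESSIONS, NOW):
        print(f"{sid}: {code}")
```

S1 is clean; S2 overran its 30-minute limit, S3 is still open past its window, S4 reuses a ticket for a target it does not cover, and S5 started before approval and was returned without a password change.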
Conclusion

When used to manage privileged access to an organization’s systems and underlying platforms that store or protect the integrity of sensitive data, Privileged Password Manager, Privileged Session Manager, and Privilege Manager for Sudo enable organizations to automate a substantial number of ISO 27001 Annex A’s reference controls for protecting against unauthorized access to virtually all systems within the ISMS scope. In short, Dell privileged account management solutions can help you achieve, maintain and demonstrate compliance with many ISO 27001 controls by helping you manage the use of administrative privileges, restricting access based on need-to-know and recording the activities performed in all controlled environments by users using privileged accounts. Moreover, by addressing multiple foundational controls and automating everyday tasks, these solutions will further your organization’s broader security goals and deliver a sound return on investment.

To learn more about Dell PAM solutions, please visit software.dell.com/solutions/privileged-management.

About the author

Joe Grettenberger has over 27 years of experience as an IT assurance professional, including eight years of technology auditing experience in both the public and private sectors. He is certified as an information systems auditor (CISA) and compliance & ethics professional (CCEP), and has served clients for over seven years as an IT governance and risk management consultant covering a wide range of IT assurance issues within the regulatory, legal, and industry compliance space.

Grettenberger has held IT audit, assurance and advisory positions at a number of organizations, including Modern Compliance Solutions, Quest Software, Vintela, Center 7, Franklin Covey and SAIC. He started his own consulting practice in 2008. He was a recent participant in the Internet Security Alliance initiative to promote cross-industry IT security standards, and he has participated in several other standard-setting best practice initiatives, including serving on the SunTone Architecture Council and chairing the MSP Association’s Best Practice Committee. www.compliancecollaborators.com
© 2015 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. (“Dell”).

Dell, Dell Software, the Dell Software logo and products — as identified in this document — are registered trademarks of Dell, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.

The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN DELL’S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document.

About Dell Software

Dell Software helps customers unlock greater potential through the power of technology — delivering scalable, affordable and simple-to-use solutions that simplify IT and mitigate risk. The Dell Software portfolio addresses five key areas of customer needs: data center and cloud management, information management, mobile workforce management, security and data protection. This software, when combined with Dell hardware and services, drives unmatched efficiency and productivity to accelerate business results. www.dellsoftware.com.

For More Information

If you have any questions regarding your potential use of this material, contact:

Dell Software
5 Polaris Way
Aliso Viejo, CA 92656
www.dellsoftware.com

Refer to our Web site for regional and international office information.

TechBrief-ISO/IEC-27001-Compliance-US-AC-26688
