APPL-01

Are access controls for institutional accounts based on structured rules, such as role-based access control (RBAC), attribute-based access control (ABAC), or policy-based access control (PBAC)?

Explanation

This question is asking whether your organization implements structured, systematic approaches to controlling access to your systems and data, specifically for institutional accounts (those belonging to the institution being assessed). Structured access control models like RBAC, ABAC, and PBAC provide organized frameworks for determining who can access what:

1. Role-Based Access Control (RBAC): Access permissions are assigned based on job roles or functions. For example, all HR staff might have access to personnel files, while IT administrators have access to system configurations.
2. Attribute-Based Access Control (ABAC): Access decisions are made based on attributes of users, resources, actions, and environment. For example, access might depend on a user's department, security clearance, time of day, or location.
3. Policy-Based Access Control (PBAC): Access is determined by centralized policies that can incorporate dynamic factors like conditional access (e.g., requiring MFA for sensitive operations), risk-based access (adjusting requirements based on risk scores), or location-based controls.

This question is being asked because ad-hoc or unstructured access control approaches are more prone to errors, inconsistencies, and security gaps. Structured approaches ensure access rights are granted according to consistent principles, can be audited effectively, and can be managed at scale. They reduce the risk of excessive privileges and help maintain the principle of least privilege.

To best answer this question:

- Clearly identify which structured model(s) you use (RBAC, ABAC, PBAC, or a combination)
- Provide specific examples of how these models are implemented
- Explain how these controls apply to different types of accounts (end users, administrators, service accounts)
- If you use dynamic controls (like conditional access), highlight these as they demonstrate more sophisticated security practices
- If you don't use structured access controls, explain your alternative approach and any plans to implement structured controls in the future
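To make the three models concrete, the following is an added illustration (not part of the original page, and not code from ResponseHub or any assessed product) of a small deny-by-default decision engine that layers an RBAC check, an ABAC rule, and PBAC conditional-access policies. The roles, permissions, sensitivity levels, IP ranges and the researcher rule are all constructed for the example and modelled loosely on the sample responses on this page; a real deployment would load them from an IAM system rather than hard-code them.

```python
"""Layered access decision: RBAC, then ABAC, then PBAC (constructed example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# RBAC: permissions hang off roles; users hold roles (hypothetical role map).
ROLE_PERMISSIONS = {
    "student": {"course:read"},
    "instructor": {"course:read", "grade:write"},
    "researcher": {"course:read", "dataset:read"},
    "system_admin": {"course:read", "grade:write", "dataset:read", "config:write"},
}

# PBAC inputs: privileged actions that require MFA, and the admin IP range (hypothetical).
PRIVILEGED_ACTIONS = {"config:write", "grade:write"}
ADMIN_NETWORKS = [ip_network("10.10.0.0/16")]
# ABAC input: networks approved for dataset access (hypothetical).
RESEARCH_NETWORKS = [ip_network("10.20.0.0/16")]
# Ordered data sensitivity levels used for the clearance comparison (hypothetical).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class User:
    name: str
    roles: set
    attributes: dict = field(default_factory=dict)  # ABAC inputs: clearance, teams


@dataclass
class Request:
    user: User
    action: str
    resource: dict  # e.g. {"type": "dataset", "sensitivity": "confidential", "team": "genomics"}
    context: dict   # environment: {"source_ip": "10.20.1.9", "mfa": True}


def in_any(ip, networks):
    """True if the source address falls inside any of the given networks."""
    return any(ip_address(ip) in net for net in networks)


def rbac_check(req):
    """RBAC: the action must be granted to at least one of the user's roles."""
    if any(req.action in ROLE_PERMISSIONS.get(r, set()) for r in req.user.roles):
        return None
    return "rbac: no role grants " + req.action


def abac_check(req):
    """ABAC: a dataset is readable only if the user is on the owning team
    AND their clearance is at or above the data sensitivity AND the request
    comes from an approved research network (user, resource and environment attributes)."""
    if req.resource.get("type") != "dataset":
        return None  # the attribute rule only governs datasets
    attrs = req.user.attributes
    if req.resource["team"] not in attrs.get("teams", set()):
        return "abac: not a member of team " + req.resource["team"]
    if SENSITIVITY.get(attrs.get("clearance"), -1) < SENSITIVITY[req.resource["sensitivity"]]:
        return "abac: clearance below data sensitivity"
    if not in_any(req.context["source_ip"], RESEARCH_NETWORKS):
        return "abac: source network not approved for datasets"
    return None


def pbac_check(req):
    """PBAC: centrally defined conditional-access policies applied on top of roles."""
    if req.action in PRIVILEGED_ACTIONS and not req.context.get("mfa"):
        return "pbac: privileged action requires MFA"
    if req.action == "config:write" and not in_any(req.context["source_ip"], ADMIN_NETWORKS):
        return "pbac: administrative access allowed only from admin IP range"
    return None


def authorize(req):
    """Deny by default: every layer must pass. Returns (allowed, reason) so the
    decision can be written to an audit log."""
    for check in (rbac_check, abac_check, pbac_check):
        reason = check(req)
        if reason:
            return False, reason
    return True, "allowed"


if __name__ == "__main__":
    admin = User("ada", {"system_admin"})
    researcher = User("ravi", {"researcher"}, {"clearance": "confidential", "teams": {"genomics"}})
    dataset = {"type": "dataset", "sensitivity": "confidential", "team": "genomics"}
    for req in (
        Request(admin, "config:write", {"type": "config"}, {"source_ip": "10.10.5.5", "mfa": True}),
        Request(admin, "config:write", {"type": "config"}, {"source_ip": "10.10.5.5", "mfa": False}),
        Request(researcher, "dataset:read", dataset, {"source_ip": "10.20.1.9", "mfa": False}),
        Request(researcher, "dataset:read", dataset, {"source_ip": "203.0.113.7", "mfa": False}),
    ):
        allowed, reason = authorize(req)
        print(f"audit user={req.user.name} action={req.action} allowed={allowed} reason={reason}")
```

The order of the layers matters: the cheap static RBAC check runs first, so a student asking to read a dataset is refused before any attribute or policy evaluation, and the reason string names the layer that denied, which is what an auditor reviewing the decision log wants to see.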

Guidance

This includes end users, administrators, service accounts, etc. PBAC would include various dynamic controls such as conditional access, risk-based access, location-based access, or system activity–based access.

Example Responses

Example Response 1

Yes, our application implements Role-Based Access Control (RBAC) as the primary access control model for all institutional accounts. User permissions are assigned based on predefined roles that align with job functions (e.g., Student, Instructor, Department Admin, System Admin). For administrative and service accounts, we implement additional Policy-Based Access Control (PBAC) elements, including conditional access that requires multi-factor authentication for privileged operations and location-based restrictions that limit administrative access to specific IP ranges. All access control policies are centrally managed through our Identity and Access Management (IAM) system, with regular reviews to ensure the principle of least privilege is maintained.

Example Response 2

Yes, we implement a hybrid approach combining RBAC and ABAC models. Our base permissions structure uses RBAC with clearly defined roles for different user types (end users, departmental administrators, and system administrators). This is enhanced with attribute-based controls that consider factors such as data sensitivity classifications, user department, and project assignments. For example, a researcher might have access to specific datasets only if they are part of an approved research team AND the data sensitivity level matches their clearance AND they're accessing from an approved network. Service accounts operate under strict RBAC controls with time-limited access tokens and are regularly audited. All access control decisions are logged for compliance and security monitoring purposes.

Example Response 3

No, our current access control system does not fully implement structured rules like RBAC, ABAC, or PBAC. We currently use a custom permission system where access rights are assigned individually to users based on manager approval. While this system has worked for our small organization, we recognize the limitations as we scale. We're currently in phase 2 of a 3-phase project to implement RBAC across all institutional accounts, with completion expected in Q3 of this year. The first phase, which included mapping all job functions to appropriate role definitions, has been completed. We're currently implementing these roles in our identity management system, and the final phase will involve migrating all users to the new role-based structure.

Context

Tab: Infrastructure
Category: Application/Service Security

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub