APPL-08

Are access controls for staff within your organization based on structured rules, such as RBAC, ABAC, or PBAC?

Explanation

This question is asking whether your organization implements structured access control models for managing who can access what within your systems. Let me break down the key components:

1. Access Controls: These are security mechanisms that regulate who or what can view, use, or modify resources in a computing environment.
2. Structured Rules: The question specifically asks about formalized frameworks for managing these controls, not ad-hoc or manual assignments.
3. Types mentioned:
- RBAC (Role-Based Access Control): Access permissions are assigned based on roles users have within the organization (e.g., 'HR Manager', 'System Administrator').
- ABAC (Attribute-Based Access Control): Access decisions are based on attributes of users, resources, and environmental conditions (e.g., department, clearance level, time of day).
- PBAC (Policy-Based Access Control): Access is determined by dynamic policies that can include conditional factors like location, device security posture, or risk scores.

Why this matters in security assessments: Structured access control models are fundamental to the principle of least privilege, ensuring people only have access to what they need for their job. Ad-hoc permission assignments tend to lead to excessive privileges over time, creating security vulnerabilities. Formalized models make access management more consistent, auditable, and maintainable.

How to best answer:
1. Identify which model(s) your organization uses.
2. Briefly explain how it's implemented (tools, processes).
3. Mention how it applies to all staff, including administrators and third parties.
4. If you use multiple models or a hybrid approach, explain that.
5. If you don't use these structured models, be honest but explain what compensating controls you have in place.

Guidance

This includes system administrators and third-party personnel with access to the system. PBAC would include various dynamic controls such as conditional access, risk-based access, location-based access, or system activity–based access.

Example Responses

Example Response 1

Yes, our organization implements Role-Based Access Control (RBAC) as our primary access control model across all systems and applications. Access rights are assigned based on job functions and responsibilities, with predefined roles such as 'Read-Only User', 'Content Editor', 'Department Administrator', and 'System Administrator'. We use Microsoft Azure AD and Okta for identity management, with role assignments managed through these platforms. For system administrators and third-party vendors, we implement even stricter controls with temporary elevated access through a Privileged Access Management (PAM) solution that requires approval workflows and provides time-limited access. All access grants are reviewed quarterly, and we maintain comprehensive logs of all access activities.

Example Response 2

Yes, we implement a hybrid approach combining RBAC and PBAC. Our base access control structure uses role-based permissions aligned with job functions, but we enhance this with policy-based conditional access rules. For example, administrators accessing sensitive systems must use company-managed devices, connect from approved networks or via VPN, and complete multi-factor authentication. For third-party vendors, we implement just-in-time access that expires after a defined period and requires re-authorization. Our system also evaluates risk signals during authentication attempts and may require additional verification steps based on unusual access patterns, location changes, or device characteristics. This dynamic approach allows us to maintain security while providing appropriate access flexibility.
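To make the hybrid RBAC + PBAC model from the explanation and from Example Response 2 concrete, here is an added illustration (not code from ResponseHub or from any vendor named above) of a decision function that first checks the role layer and then applies conditional policies: managed device, approved network or VPN, MFA for sensitive permissions, a risk-score step-up, and expiry of just-in-time vendor grants. The role names, permissions and thresholds are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple

# RBAC layer: hypothetical role-to-permission map, constructed for this example.
ROLE_PERMISSIONS = {
    "read_only_user": {"report:read"},
    "content_editor": {"report:read", "report:write"},
    "system_administrator": {"report:read", "report:write", "server:admin"},
}

# Permissions treated as sensitive: the PBAC layer adds conditions for these.
SENSITIVE_PERMISSIONS = {"server:admin"}
RISK_STEP_UP_THRESHOLD = 70  # constructed threshold; a real risk engine would supply the score


@dataclass
class AccessRequest:
    user: str
    roles: Set[str]
    permission: str
    managed_device: bool
    on_approved_network: bool      # corporate network or VPN
    mfa_completed: bool
    risk_score: int = 0            # 0 (low) .. 100 (high), from a risk engine
    jit_grant_expires: Optional[datetime] = None  # set for just-in-time vendor grants
    now: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


def rbac_allows(req: AccessRequest) -> bool:
    """Role layer: does any role held by the user carry the requested permission?"""
    return any(req.permission in ROLE_PERMISSIONS.get(r, set()) for r in req.roles)


def policy_failures(req: AccessRequest) -> List[str]:
    """Policy layer: return every conditional-access rule the request fails."""
    failures = []
    if req.jit_grant_expires is not None and req.now >= req.jit_grant_expires:
        failures.append("just-in-time grant expired; re-authorization required")
    if req.permission in SENSITIVE_PERMISSIONS:
        if not req.managed_device:
            failures.append("sensitive access requires a company-managed device")
        if not req.on_approved_network:
            failures.append("sensitive access requires an approved network or VPN")
        if not req.mfa_completed:
            failures.append("sensitive access requires multi-factor authentication")
    if req.risk_score >= RISK_STEP_UP_THRESHOLD:
        failures.append("risk signals require step-up verification")
    return failures


def decide(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Hybrid decision: the role must grant the permission AND no policy rule may fail."""
    if not rbac_allows(req):
        return False, [f"no role held by {req.user} grants {req.permission}"]
    failures = policy_failures(req)
    return (not failures), failures
```

The returned reason list is what an auditable log entry should record alongside the decision, so that quarterly access reviews can see not just who was granted access but under which conditions.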

Example Response 3

No, we currently do not implement structured access control models like RBAC, ABAC, or PBAC across our organization. Our access management is handled on a case-by-case basis by system owners who manually assign permissions based on email requests and manager approvals. While we recognize this is not ideal from a security perspective, we are a small organization (under 50 employees) with limited IT resources. We do maintain an access spreadsheet that documents who has access to what systems, and we conduct manual reviews of this documentation quarterly. We are currently evaluating identity management solutions that would allow us to implement RBAC within the next 6-12 months as part of our security roadmap.

Context

Tab: Infrastructure
Category: Application/Service Security

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub