Control 8.3: Information Access Restriction
Summary
Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control. This ensures that users can only interact with data that is necessary for their specific job function.
Applicability
In-Scope: Essential for preventing internal data breaches and lateral movement by an attacker. It supports data sovereignty and privacy requirements by ensuring strict boundaries between departments.
Out-of-Scope: Never out-of-scope.
Implementation Guidance
Microsoft 365 / Entra ID
- Role-Based Access Control (RBAC): Use Entra ID and SharePoint groups to grant permissions based on job roles rather than assigning rights to individual users.
- Sensitivity Labels: Use Microsoft Purview Information Protection to apply labels that automatically restrict access based on the data's classification (e.g., HR-only or Finance-only).
- Conditional Access: Implement Entra ID Conditional Access policies to restrict access to sensitive applications based on location, device health, and risk level.
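As an added example (not code from this page or from Microsoft's documentation), the following Microsoft Graph PowerShell script creates two Conditional Access policies of the kind described above, both in report-only mode so their effect can be reviewed in the sign-in logs before enforcement: one requires a compliant device and MFA when members of the Finance group reach the finance application from a location that is not a trusted named location, the other blocks sign-ins to that application that Identity Protection rates as high risk. The group ID, application ID, break-glass account ID and policy names are placeholders to replace with your own values.

```powershell
# Added example (not from the original page): create Entra ID Conditional Access
# policies with the Microsoft Graph PowerShell SDK that restrict a sensitive
# application by location, device health and sign-in risk. IDs and names are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$financeGroupId   = "<object-id-of-Finance-group>"          # placeholder: Entra ID group object ID
$financeAppId     = "<app-id-of-finance-application>"       # placeholder: enterprise application (client) ID
$breakGlassUserId = "<object-id-of-emergency-access-account>" # placeholder: always exclude break-glass accounts

# Policy 1: from any location that is not a trusted named location, the Finance
# group may reach the finance application only from a compliant device AND with MFA.
$devicePolicy = @{
    displayName = "CA-8.3 Finance app: compliant device + MFA outside trusted locations"
    state       = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after review
    conditions  = @{
        users          = @{
            includeGroups = @($financeGroupId)
            excludeUsers  = @($breakGlassUserId)
        }
        applications   = @{ includeApplications = @($financeAppId) }
        clientAppTypes = @("all")
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")          # built-in token for all trusted named locations
        }
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("compliantDevice", "mfa")
    }
}

# Policy 2: block the same application when Identity Protection rates the sign-in as high risk.
$riskPolicy = @{
    displayName = "CA-8.3 Finance app: block high-risk sign-ins"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{
            includeGroups = @($financeGroupId)
            excludeUsers  = @($breakGlassUserId)
        }
        applications     = @{ includeApplications = @($financeAppId) }
        clientAppTypes   = @("all")
        signInRiskLevels = @("high")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

foreach ($body in @($devicePolicy, $riskPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    Write-Host ("Created policy '{0}' (id {1}, state {2})" -f $created.DisplayName, $created.Id, $created.State)
}

# Evidence for the audit file: every policy that targets the finance application, with its state.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.Applications.IncludeApplications -contains $financeAppId } |
    Select-Object DisplayName, State, Id
```

The policies are deliberately split: a single policy with both a location condition and a sign-in-risk condition would apply only when both conditions match, which is weaker than either restriction on its own. Excluding the emergency-access account from every restricting policy is what keeps a misconfigured policy from locking administrators out of the tenant.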
Evidence Checklist
- Access Control Policy: Documented rules for how data access is granted, maintained, and revoked.
- Permission Reports: Evidence from SharePoint or Teams showing the current members of restricted groups.
- Access Logs: Audit trails from Microsoft Purview showing who accessed or attempted to access sensitive information.
Practical Audit Advice
Here are some questions the auditor might ask:
- How does the organization identify over-privileged users who have access to data they no longer need for their current role?
- What technical controls prevent a user in the Finance department from accessing sensitive HR records?
- Can you demonstrate how access to a specific confidential project folder is automatically revoked when a team member leaves that project?
- How are guest users or external partners restricted from browsing the organization's internal directory or other non-relevant SharePoint sites?