3.7 Sensitivity Scores
Trustle utilizes a structured system called Sensitivity Scores (SS) to manage access permissions across different organizational levels. These scores range from 0 to 4 and define the approval requirements necessary before access can be granted:
Sensitivity Score Definitions:
- SS 0: No approval required. Access is automatically provisioned upon request.
- SS 1: No approval needed, but notifications are sent upon access request and provision.
- SS 2: Manager approval required before access can be granted.
- SS 3: Both manager and owner approvals are needed before granting access.
- SS 4: Approval from a manager, an owner, and an executive is required to grant access.
Hierarchical Settings and Inheritance:
Sensitivity Scores are applied across three hierarchical levels: global settings, system settings, and group settings. These scores help manage access based on the sensitivity and risk associated with the data or resources.
- Global Settings: These are the top-level settings that apply universally across all systems and groups within the organization. If a global Sensitivity Score is set, for example, at SS 2, it serves as the default setting for system and group levels unless specifically overridden.
- System Settings: This level pertains to specific systems (e.g., AWS, Azure). System settings inherit the global Sensitivity Score by default but can be adjusted to reflect the unique risks associated with that particular system.
- Group Settings: Within each system, groups can have customized Sensitivity Scores. While these scores inherit their default value from the system or global settings, they can be specifically tailored to address the risk level of the group’s resources.
Constraints and Flexibility:
The global setting not only sets a default but also caps the maximum duration of approval and access settings enforceable at the system and group levels. For example, if the global level has an approval and access duration of 3 months, these durations at the system and group levels cannot exceed 3 months but can be reduced to address specific security requirements.
This tiered approach to Sensitivity Scores allows for granular control over access permissions, enabling organizations to protect their assets effectively based on the assessed level of risk at each hierarchical level. It ensures that sensitive resources are safeguarded appropriately while maintaining flexibility in access management across different parts of the organization.