I want to be able to control who can read-write, consult, etc.
Office 365 SaaS - Microsoft Teams; therefore no RBAC, no ACLs, just administrator say-so...
- Do any formalized decision trees or procedures exist?
- My suspicion is that some documentation supporting AC-21 from NIST SP 800-53r4 might work
You are probably going to have to write your own procedures, based on the details of your own enterprise. The nature of the information relative to job responsibilities will drive your basic rules on who can read existing documents and who can change or delete them, and who can add new ones. Most of the procedures will be manual, with only minimal automated implementation.
A few items to consider:
1. Everyone granted any level of access to the sensitive documents should complete a short basic training on the what and why of protecting sensitive information as well as a crib sheet on Traffic Light Protocol.
2. Each person granted any access level must sign an acknowledgement of the training and acceptance of the responsibilities.
3. The system administrator who controls the actual system level permissions must not also be the approval authority for access.
4. The basic rules for access should be simple, clear, and available for all to read.
5. You need a small pool of appointed approvers who can review requests for access and send approvals to the SysAdmin.
6. Set up a formal process of request by the individual or a supervisor, approval by one of the appointed approvers, and confirmed implementation by the sysadmin, with records of each action preserved. (If your enterprise has a solid workflow system, you can use that system.)
7. Make every approval time-limited, not open-ended, so the accesses are checked for currency or departed employees on a regular basis.
8. Audit the process annually, comparing the access records in the system to the records of approvals and dates. This audit is a check for rogue approvals by the sysadmin as well as to cull the list of those no longer needing access.
As you noted, written procedures and records of the above will easily pass a compliance check for AC-21.
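The annual audit in item 8 (and the time limits in item 7) can be turned into a reconciliation check. The following is an added example, not part of the original answer: it compares a constructed export of the system's access list against a constructed approval log and flags access with no approval, approvals signed by the sysadmin (the separation-of-duties rule in item 3), expired approvals, and approvals that were never implemented. The user names, levels and the `sysadmin` identifier are assumptions for illustration.

```python
from datetime import date

# Constructed sample data (hypothetical): what the admin console exports ...
SYSADMIN = "sysadmin"   # assumed account name of the implementing administrator
system_access = [
    {"user": "alice", "level": "read"},
    {"user": "bob",   "level": "write"},
    {"user": "carol", "level": "read"},    # no approval on file -> rogue grant
    {"user": "dave",  "level": "write"},
]
# ... versus what the approval log records.
approvals = [
    {"user": "alice", "level": "read",  "approver": "mgr1",   "expires": date(2025, 12, 31)},
    {"user": "bob",   "level": "write", "approver": SYSADMIN, "expires": date(2025, 12, 31)},  # SoD violation
    {"user": "dave",  "level": "write", "approver": "mgr2",   "expires": date(2024, 6, 30)},   # expired
    {"user": "erin",  "level": "read",  "approver": "mgr1",   "expires": date(2025, 12, 31)},  # never implemented
]

def reconcile(system_access, approvals, today, sysadmin=SYSADMIN):
    """Return a list of (finding, user) tuples for the auditor to review."""
    findings = []
    approved = {(a["user"], a["level"]): a for a in approvals}
    granted = {(s["user"], s["level"]) for s in system_access}
    # Pass 1: every live permission must trace back to a valid approval.
    for key in sorted(granted):
        a = approved.get(key)
        if a is None:
            findings.append(("NO_APPROVAL", key[0]))        # item 8: rogue grant
            continue
        if a["approver"] == sysadmin:
            findings.append(("APPROVER_IS_SYSADMIN", key[0]))  # item 3: SoD breach
        if a["expires"] < today:
            findings.append(("EXPIRED", key[0]))            # item 7: stale access to cull
    # Pass 2: every current approval should actually have been implemented.
    for key in sorted(approved):
        if key not in granted and approved[key]["expires"] >= today:
            findings.append(("NOT_IMPLEMENTED", key[0]))    # item 6: confirm implementation
    return findings

if __name__ == "__main__":
    for finding, user in reconcile(system_access, approvals, date(2025, 3, 1)):
        print(f"{finding:22s} {user}")
```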