IAM-09: User Access Authorization

Control Family:

Identity & Access Management

CSF v1.1 References:

ID.GV-2
PR.AC-1
PR.AC-4
PR.AC-6
PR.IP-11

PF v1.0 References:

GV.PO-P3
PR.PO-P9
PR.AC-P1
PR.AC-P4
PR.AC-P6

Threats Addressed:

Elevation of Privilege

Control Statement

Provisioning user access (e.g., employees, contractors, customers (tenants), business partners, and/or supplier relationships) to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components shall be authorized by the organization’s management prior to access being granted and appropriately restricted as per established policies and procedures. Upon request, provider shall inform customer (tenant) of this user access, especially if customer (tenant) data is used as part the service and/or customer (tenant) has some shared responsibility over implementation of control.

Control Statement

Related Controls

NIST Special Publication 800-53 Revision 5

NIST Special Publication 800-53 Revision 4