6.8: Define and Maintain Role-Based Access Control

Control Statement

Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.

[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]