PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
Description
[csf.tools Note: Subcategories do not have detailed descriptions.]
Related Controls
NIST Special Publication 800-53 Revision 5
AC-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] access control policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation…
AC-2: Account Management
Define and document the types of accounts allowed and specifically prohibited for use within the system; Assign account managers; Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; Specify: Authorized users of the system; Group and role membership; and Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; Require…
AC-3: Access Enforcement
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AC-5: Separation of Duties
Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and Define system access authorizations to support separation of duties.
AC-6: Least Privilege
Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
AC-14: Permitted Actions Without Identification or Authentication
Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.
AC-16: Security and Privacy Attributes
Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission; Ensure that the attribute associations are made and retained with the information; Establish the following permitted security and privacy attributes from the attributes defined in…
AC-24: Access Control Decisions
[Assignment: Establish procedures, Implement mechanisms] to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.
NIST Special Publication 800-171 Revision 2
3.1.1: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)
Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide…
3.1.2: Limit system access to the types of transactions and functions that authorized users are permitted to execute
Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account…
3.1.4: Separate the duties of individuals to reduce the risk of malevolent activity without collusion
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming,…
3.1.5: Employ the principle of least privilege, including for specific security functions and privileged accounts
Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary,…
3.1.6: Use non-privileged accounts or roles when accessing nonsecurity functions
This requirement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for the user and all processes acting on…
3.1.7: Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs
Privileged functions include establishing system accounts, performing system integrity checks, conducting patching operations, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. Note that this…
3.1.8: Limit unsuccessful logon attempts
This requirement applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are, in most cases, temporary and automatically release after a predetermined period established by the organization (i.e., a delay algorithm). If a delay algorithm is selected, organizations…
3.1.10: Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity
Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the system but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined, typically at the operating system level (but can also be…
3.1.11: Terminate (automatically) a user session after a defined condition
This requirement addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., disconnecting from the network). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such…
3.5.3: Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts
Multifactor authentication requires the use of two or more different factors to authenticate. The factors are defined as something you know (e.g., password, personal identification number [PIN]); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response…
3.5.4: Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts
Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators. [SP 800-63-3] provides guidance on digital identities.
3.13.3: Separate user functionality from system management functionality
System management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from system management functionality is physical or logical. Organizations can implement separation of system management functionality from user functionality by using different computers, different central processing units, different instances of…
3.13.4: Prevent unauthorized and unintended information transfer via shared system resources
The control of information in shared system resources (e.g., registers, cache memory, main memory, hard disks) is also commonly referred to as object reuse and residual information protection. This requirement prevents information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from…
Cloud Controls Matrix v3.0.1
IAM-02: Credential Lifecycle / Provision Management
User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data and organizationally-owned or managed (physical and virtual) application interfaces and infrastructure network and systems components. These policies, procedures, processes,…
IAM-04: Policies and Procedures
Policies and procedures shall be established to store and manage identity information about every person who accesses IT infrastructure and to determine their level of access. Policies shall also be developed to control access to network resources based on user identity.
IAM-05: Segregation of Duties
User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for restricting user access as per defined segregation of duties to address business risks associated with a user-role conflict of interest.
IAM-09: User Access Authorization
Provisioning user access (e.g., employees, contractors, customers (tenants), business partners, and/or supplier relationships) to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components shall be authorized by the organization’s management prior to access being granted and appropriately restricted as per established policies and procedures. Upon request, provider shall inform customer…
IAM-10: User Access Reviews
User access shall be authorized and revalidated for entitlement appropriateness, at planned intervals, by the organization’s business leadership or other accountable business role or function supported by evidence to demonstrate the organization is adhering to the rule of least privilege based on job function. For identified access violations, remediation must follow established user access policies…
Critical Security Controls Version 8
3: Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
5: Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
6: Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
NIST Special Publication 800-53 Revision 4
AC-1: Access Control Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the access control policy and associated access controls; and Reviews and updates the current: Access control policy [Assignment:…
AC-2: Account Management
The organization: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; Assigns account managers for information system accounts; Establishes conditions for group and role membership; Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other…
AC-3: Access Enforcement
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AC-5: Separation Of Duties
The organization: Separates [Assignment: organization-defined duties of individuals]; Documents separation of duties of individuals; and Defines information system access authorizations to support separation of duties.
AC-6: Least Privilege
The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
AC-14: Permitted Actions Without Identification Or Authentication
The organization: Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.
AC-16: Security Attributes
The organization: Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission; Ensures that the security attribute associations are made and retained with the information; Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and Determines…
AC-24: Access Control Decisions
The organization establishes procedures to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.
Critical Security Controls Version 7.1
4: Controlled Use of Administrative Privileges
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
14: Controlled Access Based on the Need to Know
The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.