AC-6(7): Review Of User Privileges

Control Family:

Access Control

Parent Control:

AC-6: Least Privilege

Priority:

P1: Implement P1 security controls first.

CSF v1.1 References:

Threats Addressed:

Elevation of Privilege

Baselines:

(Not part of any baseline)

Next Version:

NIST Special Publication 800-53 Revision 5:
AC-6(7): Review of User Privileges

Control Statement

The organization:

Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and
Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.

Supplemental Guidance

The need for certain assigned user privileges may change over time reflecting changes in organizational missions/business function, environments of operation, technologies, or threat. Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions.

Control Statement

Supplemental Guidance

Related Controls

Critical Security Controls Version 8