AC-3(11): Restrict Access to Specific Information Types

Control Family:

Access Control

CSF v1.1 References:


(Not part of any baseline)

Info icon.

Control is new to this version of the control set.

Control Statement

Restrict access to data repositories containing [Assignment: organization-defined information types].

Supplemental Guidance

Restricting access to specific information is intended to provide flexibility regarding access control of specific information types within a system. For example, role-based access could be employed to allow access to only a specific type of personally identifiable information within a database rather than allowing access to the database in its entirety. Other examples include restricting access to cryptographic keys, authentication information, and selected system information.