PR.AC-P: Identity Management, Authentication, and Access Control
Description
Access to data and devices is limited to authorized individuals, processes, and devices, and is managed consistent with the assessed risk of unauthorized access.
Framework Subcategories
PR.AC-P1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized individuals, processes, and devices
[csf.tools Note: Subcategories do not have detailed descriptions.]
PR.AC-P2: Physical access to data and devices is managed
PR.AC-P3: Remote access is managed
Note: This Privacy Framework Subcategory is identical to the Cybersecurity Framework Subcategory.
PR.AC-P4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
Note: This Privacy Framework Subcategory is identical to the Cybersecurity Framework Subcategory.
PR.AC-P5: Network integrity is protected (e.g., network segregation, network segmentation)
Note: This Privacy Framework Subcategory is identical to the Cybersecurity Framework Subcategory.
PR.AC-P6: Individuals and devices are proofed and bound to credentials, and authenticated commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).