Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

AC-2

assessment objective:

Determine if the organization:

ac-2(a)

ac-2(a)[1]

defines information system account types to be identified and selected to support organizational missions/business functions;

ac-2(a)[2]

identifies and selects organization-defined information system account types to support organizational missions/business functions;

ac-2(b)

assigns account managers for information system accounts;

ac-2(c)

establishes conditions for group and role membership;

ac-2(d)

specifies for each account (as required):  

ac-2(d)[1]

authorized users of the information system;

ac-2(d)[2]

group and role membership;

ac-2(d)[3]

access authorizations (i.e., privileges);

ac-2(d)[4]

other attributes;

ac-2(e)

ac-2(e)[1]

defines personnel or roles required to approve requests to create information system accounts;

ac-2(e)[2]

requires approvals by organization-defined personnel or roles for requests to create information system accounts;

ac-2(f)

ac-2(f)[1]

defines procedures or conditions to:

ac-2(f)[1][a]

create information system accounts;

ac-2(f)[1][b]

enable information system accounts;

ac-2(f)[1][c]

modify information system accounts;

ac-2(f)[1][d]

disable information system accounts;

ac-2(f)[1][e]

remove information system accounts;

ac-2(f)[2]

in accordance with organization-defined procedures or conditions:

ac-2(f)[2][a]

creates information system accounts;

ac-2(f)[2][b]

enables information system accounts;

ac-2(f)[2][c]

modifies information system accounts;

ac-2(f)[2][d]

disables information system accounts;

ac-2(f)[2][e]

removes information system accounts;

ac-2(g)

monitors the use of information system accounts;

ac-2(h)

notifies account managers:

ac-2(h)(1)

when accounts are no longer required;

ac-2(h)(2)

when users are terminated or transferred;

ac-2(h)(3)

when individual information system usage or need to know changes;

ac-2(i)

authorizes access to the information system based on;

ac-2(i)(1)

a valid access authorization;

ac-2(i)(2)

intended system usage;

ac-2(i)(3)

other attributes as required by the organization or associated missions/business functions;

ac-2(j)

ac-2(j)[1]

defines the frequency to review accounts for compliance with account management requirements;

ac-2(j)[2]

reviews accounts for compliance with account management requirements with the organization-defined frequency; and

ac-2(k)

establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

potential assessment methods and objects:

Examine: [select from: Access control policy; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; list of active system accounts along with the name of the individual associated with each account; list of conditions for group and role membership; notifications or records of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; access authorization records; account management compliance reviews; information system monitoring records; information system audit records; other relevant documents or records].

Interview: [select from: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities].

Test: [SELECT FROM: Organizational processes account management on the information system; automated mechanisms for implementing account management].