| Applicable (Y)es / (N)o | (C)onfidentiality | (I)ntegrity | (A)vailability | RPN (C+I+A) | (S)atisfactory | (O)ther than satisfactory |
|---|---|---|---|---|---|---|
| | L1 / M2 / H3 | L1 / M2 / H3 | L1 / M2 / H3 | | | |

### AC-2

Assessment objective: Determine if the organization:

| Item | Sub-item | Determination statement |
|---|---|---|
| ac-2(a) | ac-2(a)[1] | defines information system account types to be identified and selected to support organizational missions/business functions; |
| | ac-2(a)[2] | identifies and selects organization-defined information system account types to support organizational missions/business functions; |
| ac-2(b) | | assigns account managers for information system accounts; |
| ac-2(c) | | establishes conditions for group and role membership; |
| ac-2(d) | | specifies for each account (as required): |
| | ac-2(d)[1] | authorized users of the information system; |
| | ac-2(d)[2] | group and role membership; |
| | ac-2(d)[3] | access authorizations (i.e., privileges); |
| | ac-2(d)[4] | other attributes; |
| ac-2(e) | ac-2(e)[1] | defines personnel or roles required to approve requests to create information system accounts; |
| | ac-2(e)[2] | requires approvals by organization-defined personnel or roles for requests to create information system accounts; |
| ac-2(f) | ac-2(f)[1] | defines procedures or conditions to: |
| | ac-2(f)[1][a] | create information system accounts; |
| | ac-2(f)[1][b] | enable information system accounts; |
| | ac-2(f)[1][c] | modify information system accounts; |
| | ac-2(f)[1][d] | disable information system accounts; |
| | ac-2(f)[1][e] | remove information system accounts; |
| | ac-2(f)[2] | in accordance with organization-defined procedures or conditions: |
| | ac-2(f)[2][a] | creates information system accounts; |
| | ac-2(f)[2][b] | enables information system accounts; |
| | ac-2(f)[2][c] | modifies information system accounts; |
| | ac-2(f)[2][d] | disables information system accounts; |
| | ac-2(f)[2][e] | removes information system accounts; |
| ac-2(g) | | monitors the use of information system accounts; |
| ac-2(h) | | notifies account managers: |
| | ac-2(h)(1) | when accounts are no longer required; |
| | ac-2(h)(2) | when users are terminated or transferred; |
| | ac-2(h)(3) | when individual information system usage or need to know changes; |
| ac-2(i) | | authorizes access to the information system based on: |
| | ac-2(i)(1) | a valid access authorization; |
| | ac-2(i)(2) | intended system usage; |
| | ac-2(i)(3) | other attributes as required by the organization or associated missions/business functions; |
| ac-2(j) | ac-2(j)[1] | defines the frequency to review accounts for compliance with account management requirements; |
| | ac-2(j)[2] | reviews accounts for compliance with account management requirements with the organization-defined frequency; and |
| ac-2(k) | | establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. |

Potential assessment methods and objects:

Examine: [select from: Access control policy; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; list of active system accounts along with the name of the individual associated with each account; list of conditions for group and role membership; notifications or records of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; access authorization records; account management compliance reviews; information system monitoring records; information system audit records; other relevant documents or records].

Interview: [select from: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for account management on the information system; automated mechanisms for implementing account management].
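The "automated mechanisms for implementing account management" test method above can be exercised by cross-checking the account inventory against the HR notifications and the review frequency the organization defined. The following is an added example, not part of NIST SP 800-53A or of this assessment table; the account records, HR events, as-of date and 90-day review frequency are all constructed assumptions, and each finding is tagged with the determination statement it relates to.

```python
from datetime import date, timedelta

# Constructed sample account inventory (ac-2(d): user, type, manager, state, last review).
ACCOUNTS = [
    {"user": "alice", "type": "standard",   "manager": "jbrown", "enabled": True,
     "last_review": date(2024, 3, 1)},
    {"user": "bob",   "type": "privileged", "manager": "jbrown", "enabled": True,
     "last_review": date(2023, 9, 15)},
    {"user": "carol", "type": "standard",   "manager": "",       "enabled": True,
     "last_review": date(2024, 3, 1)},
    {"user": "dave",  "type": "standard",   "manager": "kgreen", "enabled": False,
     "last_review": date(2024, 3, 1)},
]

# Constructed HR notifications to account managers (ac-2(h)(2)).
HR_EVENTS = [
    {"user": "bob",  "event": "terminated", "date": date(2024, 2, 20)},
    {"user": "dave", "event": "terminated", "date": date(2024, 1, 5)},
]

TODAY = date(2024, 4, 1)                 # constructed as-of date for the check
REVIEW_FREQUENCY = timedelta(days=90)    # assumed organization-defined value (ac-2(j)[1])


def find_findings(accounts, hr_events, today=TODAY, review_frequency=REVIEW_FREQUENCY):
    """Return (user, objective, description) tuples for each AC-2 deviation found."""
    findings = []
    departed = {e["user"] for e in hr_events if e["event"] in ("terminated", "transferred")}
    for acct in accounts:
        user = acct["user"]
        # ac-2(b): every account must have an assigned account manager.
        if not acct["manager"]:
            findings.append((user, "ac-2(b)", "no account manager assigned"))
        # ac-2(h)(2) / ac-2(f)[2][d]: departed users' accounts must be disabled.
        if acct["enabled"] and user in departed:
            findings.append((user, "ac-2(h)(2)", "account still enabled after termination/transfer"))
        # ac-2(j)[2]: each account must be reviewed within the defined frequency.
        if today - acct["last_review"] > review_frequency:
            findings.append((user, "ac-2(j)[2]", "account review overdue"))
    return findings


if __name__ == "__main__":
    for user, objective, description in find_findings(ACCOUNTS, HR_EVENTS):
        print(f"{objective:12} {user:8} {description}")
```

With the constructed data the check reports three findings: bob's privileged account remains enabled after termination and is overdue for review, and carol's account has no account manager.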