Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

ac-2(7)

account management  | role-based schemes

assessment objective:

Determine if the organization:

ac-2(7)(a)

establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;

ac-2(7)(b)

monitors privileged role assignments;

ac-2(7)(c)

ac-2(7)(c)[1]

defines actions to be taken when privileged role assignments are no longer appropriate; and

ac-2(7)(c)[2]

takes organization-defined actions when privileged role assignments are no longer appropriate.

potential assessment methods and objects:

Examine: [select from: Access control policy; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; information system-generated list of privileged user accounts and associated role; records of actions taken when privileged role assignments are no longer appropriate; information system audit records; audit tracking and monitoring reports; information system monitoring records; other relevant documents or records].

Interview: [select from: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities].

Test: [select from: Automated mechanisms implementing account management functions; automated mechanisms monitoring privileged role assignments].