Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

ac-3(4)

access enforcement | discretionary access control

assessment objective:

Determine if:

ac-3(4)[1]    

the organization defines discretionary access control policies to be enforced over defined subjects and objects;

ac-3(4)[2]    

the information system enforces organization-defined discretionary access control policies over defined subjects and objects where the policy specifies that a subject has been granted access to information and can do one or more of the following:

ac-3(4)[2](a)    

pass the information to any other subjects or objects;

ac-3(4)[2](b)    

grant its privileges to other subjects;

ac-3(4)[2](c)    

change security attributes on:

ac-3(4)[2](c)[a]

subjects,

ac-3(4)[2](c)[b]

objects,

ac-3(4)[2](c)[c]

the information system, or

ac-3(4)[2](c)[d]

the information system’s components;

ac-3(4)[2](d)    

choose the security attributes to be associated with newly created or revised objects; or

ac-3(4)[2](e)    

change the rules governing access control.

potential assessment methods and objects:

Examine: [select from: Access control policy; discretionary access control policies; procedures addressing access enforcement; security plan; information system design documentation; information system configuration settings and associated documentation; list of subjects and objects (i.e., users and resources) requiring enforcement of discretionary access control policies; information system audit records; other relevant documents or records].

Interview: [select from: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers].

Test: [select from: Automated mechanisms implementing discretionary access control policy].