ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

AC-6(7) LEAST PRIVILEGE  |  REVIEW OF USER PRIVILEGES

Assessment scoring sheet (rate each of C, I, A as (L)ow 1, (M)edium 2 or (H)igh 3; RPN is the sum):

Applicable                    (Y)es / (N)o
(C)onfidentiality             L1 / M2 / H3
(I)ntegrity                   L1 / M2 / H3
(A)vailability                L1 / M2 / H3
RPN                           (C+I+A)
(S)atisfactory
(O)ther than satisfactory     +##

assessment objective:

Determine if the organization:

ac-6(7)(a)

ac-6(7)(a)[1]  defines roles or classes of users to which privileges are assigned;

ac-6(7)(a)[2]  defines the frequency to review the privileges assigned to organization-defined roles or classes of users to validate the need for such privileges;

ac-6(7)(a)[3]  reviews the privileges assigned to organization-defined roles or classes of users with the organization-defined frequency to validate the need for such privileges; and

ac-6(7)(b)     reassigns or removes privileges, if necessary, to correctly reflect organizational missions/business needs.

potential assessment methods and objects:

Examine: [select from: Access control policy; procedures addressing least privilege; list of system-generated roles or classes of users and assigned privileges; information system design documentation; information system configuration settings and associated documentation; validation reviews of privileges assigned to roles or classes of users; records of privilege removals or reassignments for roles or classes of users; information system audit records; other relevant documents or records].

Interview: [select from: Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators].

Test: [select from: Automated mechanisms implementing review of user privileges].
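The Test method above asks the assessor to exercise "automated mechanisms implementing review of user privileges". The following is an added example of such a mechanism; it is not code from this page, from ABCI Consultants or from NIST. It walks the four objectives in order: a role baseline ((a)[1]), a per-role review frequency ((a)[2]), a comparison of what the system actually grants against the baseline ((a)[3]), and the corrective removals/reassignments with the records an assessor would later examine ((b)). The role names, privileges, dates and frequencies are constructed for illustration; a real mechanism would read them from the directory or IdP and from the organization's review ledger.

```python
"""Automated privilege review for AC-6(7): define roles, define frequency,
review, then reassign or remove.

Added example, not code from the page or from ABCI Consultants. The role
baseline, review frequencies, observed grants and review dates below are
constructed for illustration; a real mechanism would pull them from the
directory / IdP and the organization's review records.
"""
from datetime import date, timedelta

# AC-6(7)(a)[1]: roles or classes of users and the privileges approved for each.
ROLE_BASELINE = {
    "helpdesk": {"reset_password", "unlock_account"},
    "db_admin": {"db_read", "db_write", "db_schema_change"},
    "auditor":  {"db_read", "log_read"},
}

# AC-6(7)(a)[2]: organization-defined review frequency per role, in days.
REVIEW_FREQUENCY_DAYS = {"helpdesk": 90, "db_admin": 30, "auditor": 180}

# Constructed sample of what the system actually grants to each role.
OBSERVED_GRANTS = {
    "helpdesk":   {"reset_password", "unlock_account", "db_read"},  # excess privilege
    "db_admin":   {"db_read", "db_write"},                          # approved privilege missing
    "auditor":    {"db_read", "log_read"},                          # matches baseline
    "legacy_ops": {"db_write"},                                     # role never defined
}

# Constructed sample of the last validated review date per role.
LAST_REVIEW = {
    "helpdesk": date(2024, 1, 10),
    "db_admin": date(2024, 3, 1),
    "auditor":  date(2023, 6, 1),
}

# Date on which this review run takes place (constructed).
REVIEW_DATE = date(2024, 4, 1)


def roles_due_for_review(today, last_review=LAST_REVIEW,
                         frequency=REVIEW_FREQUENCY_DAYS):
    """AC-6(7)(a)[2]/(a)[3]: roles whose review interval has lapsed, or that
    have no recorded review at all (treated as overdue, never as compliant)."""
    due = []
    for role, days in frequency.items():
        last = last_review.get(role)
        if last is None or today - last > timedelta(days=days):
            due.append(role)
    return sorted(due)


def review_privileges(observed, baseline=ROLE_BASELINE):
    """AC-6(7)(a)[3]: compare granted privileges with the approved baseline.

    Returns the corrective actions needed under AC-6(7)(b): privileges to
    remove (granted but not approved), privileges to reassign (approved but
    not granted), and roles that have no approved definition at all."""
    findings = {"remove": {}, "reassign": {}, "undefined_role": []}
    for role, granted in observed.items():
        if role not in baseline:
            findings["undefined_role"].append(role)
            continue
        excess = granted - baseline[role]
        missing = baseline[role] - granted
        if excess:
            findings["remove"][role] = sorted(excess)
        if missing:
            findings["reassign"][role] = sorted(missing)
    return findings


def apply_findings(findings, observed, today):
    """AC-6(7)(b): reassign or remove privileges and return the records of
    removals/reassignments an assessor would examine. Undefined roles are not
    corrected automatically; they are recorded for a human decision, because
    silently deleting an unknown role's grants could break a mission need."""
    updated = {role: set(privs) for role, privs in observed.items()}
    records = []
    for role, privs in findings["remove"].items():
        updated[role] -= set(privs)
        records.append({"date": today.isoformat(), "role": role,
                        "action": "remove", "privileges": privs})
    for role, privs in findings["reassign"].items():
        updated[role] |= set(privs)
        records.append({"date": today.isoformat(), "role": role,
                        "action": "reassign", "privileges": privs})
    for role in findings["undefined_role"]:
        records.append({"date": today.isoformat(), "role": role,
                        "action": "escalate", "privileges": sorted(updated[role])})
    return updated, records


if __name__ == "__main__":
    print("Roles due for review:", roles_due_for_review(REVIEW_DATE))
    findings = review_privileges(OBSERVED_GRANTS)
    _, records = apply_findings(findings, OBSERVED_GRANTS, REVIEW_DATE)
    for rec in records:
        print(rec)
```

Two design points matter for an assessor. A role with no recorded review date is reported as overdue rather than skipped, so a missing ledger entry can never make a role look compliant. And a role the baseline does not define is escalated, not auto-remediated: the control asks that privileges "correctly reflect organizational missions/business needs", and only a human can decide whether an undocumented role is a stale grant to remove or a missing role definition to add.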

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056