Include restricting access to confidential data or restricted information to a need-to-know basis in the access classification scheme.


CONTROL ID: 00510
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an access classification scheme., CC ID: 00509

This Control has the following implementation support Control(s):
  • Include business security requirements in the access classification scheme., CC ID: 00002
  • Include third party access in the access classification scheme., CC ID: 11786


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The organization must limit system access on a need-to-know basis. (Control: 0405 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization must not allow foreign nationals, including seconded foreign nationals, to access systems that communicate, store, or process Australian Eyes Only information, unless effective procedures and controls have been implemented to ensure this information is not passed to or made accessib… (Control: 0409, Australian Government Information Security Manual: Controls)
  • The organization must not allow foreign nationals, excluding seconded foreign nationals, to access systems that communicate, store, or process Australian Government Access Only information, unless effective procedures and controls have been implemented to ensure this information is not passed to or … (Control: 0411, Australian Government Information Security Manual: Controls)
  • The organization must not allow foreign nationals, including seconded foreign nationals, to have access to systems that store, process, or communicate information with nationality releasability markings that are not marked as releasable to their country. (Control: 0816, Australian Government Information Security Manual: Controls)
  • Database users must only be granted Access to the information and metadata in databases for which they have the security clearances, briefs, and need-to-know. (Control: 1267, Australian Government Information Security Manual: Controls)
  • The organization must ensure the communications security custodian has a demonstrated need for Access before Access is granted. (Control: 0502 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization must limit the Access to the gateway administration functions. (Control: 0611, Australian Government Information Security Manual: Controls)
  • The organization should grant access to Information Technology assets based on the risk assessment findings. (¶ 44(a), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • granting access based on a risk assessment. The use of contractors and temporary staffing arrangements may elevate the risk for certain roles; (¶ 44(a), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Users who do not have the clearance to access a file should not be able to see the filename when performing a search. (§ 3.5.35, Australian Government ICT Security Manual (ACSI 33))
  • (§ G.4.3, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • Physical controls and/or logical controls should be implemented to restrict access to authorized personnel. (¶ 12.1, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • The system should only allow qualified persons to certify the release of batches, when computerized systems are used to record certification and batch releases. (¶ 15, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • Payment service providers shall only access, process and retain personal data necessary for the provision of their payment services, with the explicit consent of the payment service user. (Art 94(2), DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC)
  • Are root-level, and other privileged access, given only on an as-needed basis? (Table Row IV.15, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • How are least-privilege and need-to-know determined for CSP personnel? (Appendix D, Implement Strong Access Control Measures Bullet 6, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Limit access to system components and cardholder data to only those individuals whose job requires such access. (§ 7.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Obtain and examine written policy for data control. (§ 7.1 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Access to cardholder data and system components must be limited to only individuals whose job requires such access. (PCI DSS Requirements § 7.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Limit access to system components and cardholder data to only those individuals whose job requires such access. (7.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Restrict access to cardholder data by business need to know (Requirement 7:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Restrict access to cardholder data by business need to know (Requirement 7:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Revision 1.1)
  • Is access to privileged user IDs restricted as follows: - To least privileges necessary to perform job responsibilities? - Assigned only to roles that specifically require that privileged access? (7.1.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Revision 1.1)
  • Restrict access to cardholder data by business need to know (Requirement 7:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Restrict access to cardholder data by business need to know (Requirement 7:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Restrict access to cardholder data by business need to know (Requirement 7:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows: (7.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Restrict access to cardholder data by business need to know (Requirement 7:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Restrict access to cardholder data by business need to know (Requirement 7:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows: (7.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is an access control system in place for system components to restrict access based on a user’s need to know, and is it set to “deny all” unless specifically allowed, as follows: (7.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is there a written policy for access control that defines access needs and privilege assignments for each role? (PCI DSS Question 7.1 Bullet 1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is there a written policy for access control that defines access needs and privilege assignments for each role? (PCI DSS Question 7.1 Bullet 1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Security risks should be managed effectively. One type of security risk that should be addressed is logical access controls to applications. Key logical access control considerations include ensuring only key staff have access to sensitive data or particular transactions. (§ 5.2 (Logical Access), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • Access Control arrangements should minimise the need for special access privileges (e.g., User IDs that have additional capabilities, such as 'administrator' in Windows systems, or special capabilities, such as User IDs that can be used to authorize payments). (CF.06.01.04e, The Standard of Good Practice for Information Security)
  • Access to powerful system utilities should be restricted to a limited number of trusted individuals. (CF.07.02.04a-1, The Standard of Good Practice for Information Security)
  • Threats relating to reconnaissance should be mitigated by identifying and protecting information that is likely to be targeted (e.g., personal contact details of staff on websites or details of systems and applications used in the organization that are publicly accessible, such as advertising on web… (CF.11.02.03a, The Standard of Good Practice for Information Security)
  • Critical spreadsheets should be protected by limiting access to authorized individuals (e.g., by using password protection and creating Access Control Lists that limit access to spreadsheets or folders that contain spreadsheets). (CF.13.02.05b, The Standard of Good Practice for Information Security)
  • The integrity of information contained in Critical spreadsheets should be assured by restricting access to calculation areas (e.g., by using passwords). (CF.13.02.06b, The Standard of Good Practice for Information Security)
  • Critical databases should be protected by limiting access to authorized individuals (e.g., using password protection and creating Access Control Lists to limit access to databases or folders that contain databases). (CF.13.03.06b, The Standard of Good Practice for Information Security)
  • Network Storage System components (including Operating Systems, Storage Area Network switches and management consoles, and network access storage device Operating Systems and utilities) should be protected by using access controls that support individual accountability, and protected from unauthoriz… (CF.07.04.06b, The Standard of Good Practice for Information Security)
  • Network Storage System components (including Operating Systems, Storage Area Network switches and management consoles, and network access storage device Operating Systems and utilities) should be protected by restricting management functions (e.g., in Storage Area Network management consoles and net… (CF.07.04.06c, The Standard of Good Practice for Information Security)
  • Access Control arrangements should minimise the need for special access privileges (e.g., User IDs that have additional capabilities, such as 'administrator' in Windows systems, or special capabilities, such as User IDs that can be used to authorize payments). (CF.06.01.04e, The Standard of Good Practice for Information Security, 2013)
  • Threats relating to reconnaissance should be mitigated by identifying and protecting information that is likely to be targeted (e.g., personal contact details of staff on websites or details of systems and applications used in the organization that are publicly accessible, such as advertising on web… (CF.11.02.03a, The Standard of Good Practice for Information Security, 2013)
  • Critical spreadsheets should be protected by limiting access to authorized individuals (e.g., by using password protection and creating Access Control Lists that limit access to spreadsheets or folders that contain spreadsheets). (CF.13.02.05b, The Standard of Good Practice for Information Security, 2013)
  • The integrity of information contained in Critical spreadsheets should be assured by restricting access to calculation areas (e.g., by using passwords). (CF.13.02.06b, The Standard of Good Practice for Information Security, 2013)
  • Critical databases should be protected by limiting access to authorized individuals (e.g., using password protection and creating Access Control Lists to limit access to databases or folders that contain databases). (CF.13.03.06b, The Standard of Good Practice for Information Security, 2013)
  • Network Storage System components (including Operating Systems, Storage Area Network switches and management consoles, and network access storage device Operating Systems and utilities) should be protected by using access controls that support individual accountability, and protected from unauthoriz… (CF.07.04.06b, The Standard of Good Practice for Information Security, 2013)
  • Network Storage System components (including Operating Systems, Storage Area Network switches and management consoles, and network access storage device Operating Systems and utilities) should be protected by restricting management functions (e.g., in Storage Area Network management consoles and net… (CF.07.04.06c, The Standard of Good Practice for Information Security, 2013)
  • Access to powerful system utilities should be restricted to a limited number of trusted individuals. (CF.07.02.07a, The Standard of Good Practice for Information Security, 2013)
  • Access to the systems that contain the asset inventory database should be limited to authorized personnel only. (Critical Control 1.5, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Access to all hypervisor management functions or administrative consoles for systems hosting virtualized systems shall be restricted to personnel based upon the principle of least privilege and supported through technical controls (e.g., two-factor authentication, audit trails, IP address filtering,… (IVS-11, Cloud Controls Matrix, v3.0)
  • Remote Log-in. Remote log-ins, whether from authorized personnel working away from the organization, from remote maintenance engineers, or personnel from other organizations, are accomplished either via dial-ups to the organization, Internet connections, dedicated trunks from other organizations, or… (¶ 13.3.2, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • Logical access to and use of confidential information is restricted to identified purposes. (CC6.1 ¶ 4 Bullet 1 Restricts Access to and Use of Confidential Information for Identified Purposes, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The decision whether a given information should be protected or not depends on the context and cannot be made at product design. However, the fact that an organization limits access to information by configuring explicit read authorizations in the control system is an indicator that this information… (8.3.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Procedures exist to restrict logical access to the system, including restricting Access to system configurations, master passwords, security devices, Superuser functionality, and powerful utilities. (Security Prin. and Criteria Table § 3.2 g, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to restrict logical access to the system, including restricting Access to system configurations, master passwords, security devices, Superuser functionality, and powerful utilities. (Availability Prin. and Criteria Table § 3.5 f, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to restrict logical access to the system, including restricting Access to system configurations, master passwords, security devices, Superuser functionality, and powerful utilities. (Processing Integrity Prin. and Criteria Table § 3.6 g, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to restrict logical access to the system and the confidential information resources maintained on the system, including restricting Access to system configurations, master passwords, security devices, Superuser functionality, and powerful utilities. (Confidentiality Prin. and Criteria Table § 3.8 i, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Is system access limited? (§ H.2.5, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Is system access limited by time of day? (§ H.2.5.1, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Is system access limited by network subnet? (§ H.2.5.3, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • CMS business partner system managers and system developers/maintainers shall ensure that only authorized users access Medicare claims-related information and information systems. (§ 4.1.3 ¶ 2, CMS Business Partners Systems Security Manual, Rev. 10)
  • CSR 2.1.2: The organization must secure computer systems that process sensitive information against unauthorized access. CSR 2.5.4: The organization must restrict access to allow only employees who have a valid need-to-know and implement safeguards to prevent unauthorized access and ensure confident… (CSR 2.1.2, CSR 2.5.4, CSR 2.10.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means; (Supplement A § I.B.2(a), 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • An educational agency or institution must use reasonable methods to ensure that school officials obtain access to only those education records in which they have legitimate educational interests. An educational agency or institution that does not use physical or technological access controls must en… (§ 99.31(a)(1)(ii), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The agency head must ensure senior agency officials assess the risk and magnitude of harm that could result from unauthorized access to or disclosure, modification, use, disruption, or destruction of information or information systems; determine the appropriate information security levels necessary … (§ 3544(a)(2)(A) thru § 3544(a)(2)(C), Federal Information Security Management Act of 2002, Deprecated)
  • An assessment of whether access is needed for official duties and the identification of clearance level requirements should be the minimum that is involved in determining the need for access to protected assets. (§ 3.3 ¶ 2, DISA Access Control STIG, Version 2, Release 3)
  • The information assurance manager must verify that users have a need-to-know before granting access to sensitive, restricted information. (§ 3.3 ¶ AC33.010, DISA Access Control STIG, Version 2, Release 3)
  • The Records Management Application shall be able to define access privileges for different user groups. (§ C2.2.7.3, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The organization must develop an information management system to protect classified material. (§ 5-200, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Health care clearinghouses which are part of larger organizations shall implement policies and procedures to protect the electronic protected health information from unauthorized access by the larger organization. (§ 164.308(a)(4)(ii)(A), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • A covered entity must identify the persons or classes of persons who need to access protected health information for their duties and for each person or class of persons, the category or categories of protected health information which access is needed, along with any conditions for the access. A co… (§ 164.514(d)(2)(i)(A) and (B), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Those persons or classes of persons, as appropriate, in its workforce who need access to protected health information to carry out their duties; and (§ 164.514(d)(2)(i)(A), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • The interstate identification index shall be accessed only for an authorized purpose. (§ 4.2.1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall approve individual access privileges and shall enforce physical and logical access restrictions associated with changes to the information system; and generate, retain, and review records reflecting all such changes. The agency shall enforce the most restrictive set of rights/privil… (§ 5.5.2.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Agencies shall control access to CJI based on one or more of the following: (§ 5.5.2.3 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Agencies shall control access to CJI based on one or more of the following: (§ 5.5.2.3 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • The agency shall approve individual access privileges and shall enforce physical and logical access restrictions associated with changes to the information system; and generate, retain, and review records reflecting all such changes. The agency shall enforce the most restrictive set of rights/privil… (§ 5.5.2.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Having proper security measures against the insider threat is a critical component for the CJIS Security Policy. This section's security terms and requirements apply to all personnel who have unescorted access to unencrypted CJI. Regardless of the implementation model – physical data center, virtu… (§ 5.12 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Assess staff access to PIN data. Ensure there is separation of duties between staff responsible for card operations and staff responsible for preparing or issuing bankcards. (App A Tier 2 Objectives and Procedures B.1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Whether management bases access controls on a need-to-know basis. (App A Tier 2 Objectives and Procedures C.2 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • (§ 295F.02, GAO/PCIE Financial Audit Manual (FAM))
  • Is access to the computer facility limited to only appropriate employees? (IT - General Q 6, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is access to the Intrusion Detection System console controlled? (IT - IDS IPS Q 13, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the access to the password files controlled, if the passwords are maintained at the Credit Union? (IT - Member Online Services Q 15, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Has the administration of Information Security and the modification of system security parameters been limited to appropriate personnel? (IT - Security Program Q 7, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is remote access provided only to authorized internal personnel, if remote access to the server software is allowed? (IT - Servers Q 11, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • § 4.3.2 Bullet 3: Establish a policy specifying the purposes and circumstances that authorized personnel can access ePHI. § 4.4.1 Bullet 1: Implement policies and procedures to protect ePHI from unauthorized access when the healthcare clearinghouse is part of a larger organization. § 4.4.1 Bullet… (§ 4.3.2 Bullet 3, § 4.4.1 Bullet 1, § 4.4.1 Bullet 3, § 4.4.2 Bullet 1, § 4.4.2 Bullet 2, § 4.14.1 Bullet 1, § 4.14.5 Bullet 1, § 4.21.1 Bullet 1, § 4.21.2 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • (§ 3.2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Assess adequate access controls based on principles of least privilege and need-to-know. (T0475, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Access to data and devices is limited to authorized individuals, processes, and devices, and is managed consistent with the assessed risk of unauthorized access. (Identity Management, Authentication, and Access Control (PR.AC-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization must restrict access to security functions to the least number of users as is necessary. (SG.AC-6 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should grant access to classified information with special protection measures only to individuals who have a valid access authorization. (App F § PS-6(2)(a), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization ensures that access to classified information requiring special protection is granted only to individuals who have a valid access authorization that is demonstrated by assigned official government duties. (PS-6(2)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • Have a valid access authorization that is demonstrated by assigned official government duties; (PS-6(2)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Have a valid access authorization that is demonstrated by assigned official government duties; (PS-6(2) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Have a valid access authorization that is demonstrated by assigned official government duties; (PS-6(2) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means; (Supp A § I. B. 2.(a), Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • restrict access to personal information by unauthorized persons or state agencies; (¶ 2-6-1502(2)(c), Montana Code Annotated Title 2., Chapter 6., Part 15., Sections 2-6-1501 to 1503)