Establish, implement, and maintain access control policies.


CONTROL ID
00512
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an access control program., CC ID: 11702

This Control has the following implementation support Control(s):
  • Include compliance requirements in the access control policy., CC ID: 14006
  • Include coordination amongst entities in the access control policy., CC ID: 14005
  • Include management commitment in the access control policy., CC ID: 14004
  • Include roles and responsibilities in the access control policy., CC ID: 14003
  • Include the scope in the access control policy., CC ID: 14002
  • Include the purpose in the access control policy., CC ID: 14001
  • Establish, implement, and maintain an instant messaging and chat system usage policy., CC ID: 11815
  • Disseminate and communicate the access control policies to all interested personnel and affected parties., CC ID: 10061


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • External auditors should review the system specifications to confirm the proper development of the system, including access control measures, like user authentication. (Practice Standard § III.4(2)[2].C.b, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • Determining security requirements, access criteria and backup requirements for the information assets they own (Information owner ¶ 1 Bullet 4, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Establishing user access criteria, availability requirements and audit trails for their applications (Application owner ¶ 1 Bullet 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Recovery measures, user access and data protection controls, at the minimum, should be implemented for such applications. (§ 6.4.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The organization must follow the requirements for temporary access to classified information before it grants temporary system access to personnel. (Control: 0440, Australian Government Information Security Manual: Controls)
  • The organization should not allow classified information or sensitive information to be accessed from systems and facilities that are not under the sole control of the Australian Government, unless a security of information agreement is in place with the foreign government. (Control: 0855, Australian Government Information Security Manual: Controls)
  • The organization must not allow Australian Eyes Only information or Australian Government Access Only information to be accessed from systems and facilities that are not under the sole control of the Australian Government. (Control: 0854, Australian Government Information Security Manual: Controls)
  • The organization should not allow privileged access to be used remotely on unclassified systems, including logging in as an unprivileged user and escalating privileges. (Control: 0985, Australian Government Information Security Manual: Controls)
  • The organization must not allow privileged access to be used remotely on classified systems, including logging in as an unprivileged user and escalating privileges. (Control: 0709, Australian Government Information Security Manual: Controls)
  • The organization should include the granting, identification, and authorizing of access to Information Technology assets by individuals and other assets in the policy framework. (¶ 27(a), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • identification, authorisation and granting of access to IT assets (by individuals and other IT assets); (¶ 27(a), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • All users should have the proper clearances and need-to-know before they are granted access to the system. Access to the system should be approved by the user's supervisor or manager. (§ 3.2.14, § 3.6.29, Australian Government ICT Security Manual (ACSI 33))
  • (§ 4.2, § D.4, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • Financial institutions should define, document and implement procedures for logical access control (identity and access management). These procedures should be implemented, enforced, monitored and periodically reviewed. The procedures should also include controls for monitoring anomalies. These proc… (3.4.2 31, Final Report EBA Guidelines on ICT and security risk management)
  • human resources security, access control policies and asset management; (Article 21 2(i), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • implement policies that limit the physical or logical access to information assets and ICT assets to what is required for legitimate and approved functions and activities only, and establish to that end a set of policies, procedures and controls that address access rights and ensure a sound administ… (Art. 9.4. ¶ 1(c), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • A role and rights concept based on the business and security requirements of the cloud provider as well as a policy for the management of system and data access authorisations are documented, communicated and provided according to SA-01 and address the following areas: (Section 5.7 IDM-01 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • A policy for the handling of login information is defined and implemented. The following aspects are considered: (4.1.3 Requirements (must) Bullet 7, Information Security Assessment, Version 5.1)
  • Prevention of unauthorized persons gaining access and information (privileged users): (C) (4.2.1 Additional requirements for very high protection needs Bullet 1, Information Security Assessment, Version 5.1)
  • When electronic and data equipment can only be accessed with the authentication credential's confidential component, appropriate instructions must be given, in writing and in advance, that clearly specifies the mechanisms that the data controller can use to ensure data or electronic equipment is ava… (Annex B.10, Italy Personal Data Protection Code)
  • App 2 ¶ 14.d: For IT systems that process and access restricted information, the system shall have internal access controls that prevent unauthorized users from modifying or accessing data. This is applicable to UK contractors. App 6 ¶ 15.d: For IT systems that process and access UK restricted inf… (App 2 ¶ 14.d, App 6 ¶ 15.d, The Contractual process, Version 5.0 October 2010)
  • Safeguards should be implemented to control access to and the use of information and data. (¶ 34, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • Are users allowed to log on if a firewall is not in place? (Table Row II.30, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Has the organization established policies to restrict, control, or monitor systems access by vendors, contractors, and other outsourced personnel? (Table Row II.36, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • System security management should include defining the levels of infrastructure access. (¶ 19.2 Bullet 4, Good Practices For Computerized systems In Regulated GXP Environments)
  • How are layers of access controls managed to ensure the aggregate access is not more than intended? (Appendix D, Implement Strong Access Control Measures Bullet 2, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Restrict cardholder data by business need to know rules. (§ 7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Restrict cardholder data by business need to know rules. (PCI DSS Requirements § 7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows: - Is there a written policy for access control that incorporates the following? - Defining access needs and privilege assignments for each role - Restriction of access to… (7.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Documented. (7.1.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Kept up to date. (7.1.1 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • In use. (7.1.1 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documentation and interview personnel to verify that security policies and operational procedures identified in Requirement 7 are managed in accordance with all elements specified in this requirement. (7.1.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Documented. (7.1.1 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (7.1.1 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (7.1.1 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (7.1.1 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (7.1.1 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (7.1.1 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The organization should ensure Visa's Cardholder Information Security Program requirements are implemented. (Pg 54, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • Access to information in electronic format is necessary to use continuous auditing effectively. The access method selection should take into account factors such as network traffic, system performance, and volumes of data. The attainment of proper access rights must be ensured by the Chief Audit Exe… (§ 6 (Accessing Data), IIA Global Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment)
  • In order to operate a system, administrative access is required. IT auditors should ensure system administrators only have access required to perform their job responsibilities. Consideration also should be given to splitting access for performing a function; ensuring generic IDs are not shared amon… (App A.7, IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • Security risks should be managed effectively. One type of security risk that should be addressed is logical access controls to applications. Key logical access control considerations include the following: verifying the security requirements specified in the contract have been implemented; reporting… (§ 5.2 (Logical Access), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • The process of creating, changing, terminating, validating, approving, propagating, and communicating identities should be captured in a company-specific and universally-applied policy statement. The policy should be written by the IT department with input from other business units. The identity and… (§ 3 ¶ 3, § 3.3.2 (Granting Privileged Account Access to an Identity), § 3.4.4 ¶ 1, § 3.5.3, App A, IIA Global Technology Audit Guide (GTAG) 9: Identity and Access Management)
  • Business applications should be protected against unauthorized access to information by employing secure defaults (e.g., requiring authentication and recording user activity in an event log as a preselected option). (CF.04.01.02c, The Standard of Good Practice for Information Security)
  • Customer access arrangements should take into account relevant business aspects, including the relationship with customers to be granted access (from well-known, established customers to new, unknown organizations). (CF.05.01.06a, The Standard of Good Practice for Information Security)
  • Customer access arrangements should take into account relevant business aspects, including the types of business process to be performed by customers (e.g., information retrieval, order submission, or funds transfer). (CF.05.01.06b, The Standard of Good Practice for Information Security)
  • Customer access arrangements should take into account relevant business aspects, including the restrictions imposed by legal or regulatory requirements (e.g., Basel III, Sarbanes-Oxley Act, or the Payment Card Industry Data Security Standard). (CF.05.01.06c, The Standard of Good Practice for Information Security)
  • Customer access arrangements should take into account relevant business aspects, including the controls required to protect Personally Identifiable Information. (CF.05.01.06d, The Standard of Good Practice for Information Security)
  • Customer access arrangements should take into account relevant business aspects, including the need for information classification definitions and protection levels to be compatible. (CF.05.01.06e-1, The Standard of Good Practice for Information Security)
  • Customer access arrangements should take into account relevant business aspects, including the need for information classification definitions and protection levels to be consistent. (CF.05.01.06e-2, The Standard of Good Practice for Information Security)
  • Customer access arrangements should take into account relevant business aspects, including the information security implications of providing services to customers in different legal jurisdictions. (CF.05.01.06f, The Standard of Good Practice for Information Security)
  • Customer access arrangements should take into account relevant business aspects, including the lack of direct control over individuals or system components used by customers. (CF.05.01.06g, The Standard of Good Practice for Information Security)
  • Customer access arrangements should take into account relevant business aspects, including the obligations to customers (e.g., to provide a reliable service and supply timely, accurate information). (CF.05.01.06h, The Standard of Good Practice for Information Security)
  • Customer access arrangements should take into account relevant technical aspects, including the types of connection to business applications (e.g., leased line, Internet, MPLS, or ISDN). (CF.05.01.07b, The Standard of Good Practice for Information Security)
  • Customer access arrangements should take into account relevant technical aspects, including the need for user provisioning and Access Control (e.g., by implementing federated Identity and Access Management arrangements). (CF.05.01.07c, The Standard of Good Practice for Information Security)
  • Customer access arrangements should take into account relevant technical aspects, including the effectiveness of the technical infrastructure in restricting individuals to agreed capabilities. (CF.05.01.07d, The Standard of Good Practice for Information Security)
  • Customer access contracts should be kept up-to-date. (CF.05.01.10b-3, The Standard of Good Practice for Information Security)
  • Customer access standards / procedures should be reviewed regularly (e.g., by an Information Security specialist) to ensure that risks remain within an agreed, acceptable limit. (CF.05.01.10c-2, The Standard of Good Practice for Information Security)
  • Customer access should be subject to a sign-on process before access to business applications is granted. (CF.05.03.06, The Standard of Good Practice for Information Security)
  • Access Control arrangements should cover access by all types of individual (e.g., business users, individuals running systems, IT specialists, such as technical support staff and individuals from external parties). (CF.06.01.03a, The Standard of Good Practice for Information Security)
  • Access Control arrangements should cover access to all types of software (e.g., application software and System Software). (CF.06.01.03b-2, The Standard of Good Practice for Information Security)
  • Access Control arrangements should restrict the system capabilities that can be accessed (e.g., by providing menus that enable access only to the particular capabilities needed to fulfill a defined role). (CF.06.01.04b, The Standard of Good Practice for Information Security)
  • Access to business applications should be restricted by using access control mechanisms, such as passwords, tokens, or biometrics. (CF.06.03.01-1, The Standard of Good Practice for Information Security)
  • Access to networks should be restricted by using access control mechanisms, such as passwords, tokens, or biometrics. (CF.06.03.01-3, The Standard of Good Practice for Information Security)
  • Access to computing devices should be restricted by using access control mechanisms, such as passwords, tokens, or biometrics. (CF.06.03.01-4, The Standard of Good Practice for Information Security)
  • Identity and Access Management arrangements shall be developed to improve the integrity of user information by making this information readily available for users to validate (e.g., by using an electronic information database or directory, such as white pages). (CF.08.02.05a, The Standard of Good Practice for Information Security)
  • Access control arrangements should be upgraded in response to new capabilities. (CF.06.01.10b-2, The Standard of Good Practice for Information Security)
  • Physical servers that are used to host Virtual Servers should be protected by restricting physical and logical access to authorized individuals (e.g., administrators). (CF.07.03.03b, The Standard of Good Practice for Information Security)
  • Physical servers that are used to host Virtual Servers should be protected by requiring authorization when any access is needed (e.g., by the administrator(s), owner(s), or business user(s) of the physical or virtual servers). (CF.07.03.03c, The Standard of Good Practice for Information Security)
  • Portable storage devices should be protected by the use of access control mechanisms (e.g., by the use of UserID and password, tokens, or biometrics). (CF.14.04.03a, The Standard of Good Practice for Information Security)
  • Business applications should be protected against unauthorized access to information by employing secure defaults (e.g., requiring authentication and recording user activity in an event log as a preselected option). (CF.04.01.02c, The Standard of Good Practice for Information Security, 2013)
  • Customer access arrangements should take into account relevant business aspects, including the relationship with customers to be granted access (from well-known, established customers to new, unknown organizations). (CF.05.01.06a, The Standard of Good Practice for Information Security, 2013)
  • Customer access arrangements should take into account relevant business aspects, including the types of business process to be performed by customers (e.g., information retrieval, order submission, or funds transfer). (CF.05.01.06b, The Standard of Good Practice for Information Security, 2013)
  • Customer access arrangements should take into account relevant business aspects, including the restrictions imposed by legal or regulatory requirements (e.g., Basel III, Sarbanes-Oxley Act, or the Payment Card Industry Data Security Standard). (CF.05.01.06c, The Standard of Good Practice for Information Security, 2013)
  • Customer access arrangements should take into account relevant business aspects, including the controls required to protect Personally Identifiable Information. (CF.05.01.06d, The Standard of Good Practice for Information Security, 2013)
  • Customer access arrangements should take into account relevant business aspects, including the need for information classification definitions and protection levels to be compatible. (CF.05.01.06e-1, The Standard of Good Practice for Information Security, 2013)
  • Customer access arrangements should take into account relevant business aspects, including the need for information classification definitions and protection levels to be consistent. (CF.05.01.06e-2, The Standard of Good Practice for Information Security, 2013)
  • Customer access arrangements should take into account relevant business aspects, including the information security implications of providing services to customers in different legal jurisdictions. (CF.05.01.06f, The Standard of Good Practice for Information Security, 2013)
  • Customer access arrangements should take into account relevant business aspects, including the lack of direct control over individuals or system components used by customers. (CF.05.01.06g, The Standard of Good Practice for Information Security, 2013)
  • Customer access arrangements should take into account relevant business aspects, including the obligations to customers (e.g., to provide a reliable service and supply timely, accurate information). (CF.05.01.06h, The Standard of Good Practice for Information Security, 2013)
  • Customer access arrangements should take into account relevant technical aspects, including the types of connection to business applications (e.g., leased line, Internet, MPLS, or ISDN). (CF.05.01.07b, The Standard of Good Practice for Information Security, 2013)
  • Customer access arrangements should take into account relevant technical aspects, including the need for user provisioning and Access Control (e.g., by implementing federated Identity and Access Management arrangements). (CF.05.01.07c, The Standard of Good Practice for Information Security, 2013)
  • Customer access arrangements should take into account relevant technical aspects, including the effectiveness of the technical infrastructure in restricting individuals to agreed capabilities. (CF.05.01.07d, The Standard of Good Practice for Information Security, 2013)
  • Customer access contracts should be kept up-to-date. (CF.05.01.10b-3, The Standard of Good Practice for Information Security, 2013)
  • Customer access standards / procedures should be reviewed regularly (e.g., by an Information Security specialist) to ensure that risks remain within an agreed, acceptable limit. (CF.05.01.10c-2, The Standard of Good Practice for Information Security, 2013)
  • Customer access should be subject to a sign-on process before access to business applications is granted. (CF.05.03.06, The Standard of Good Practice for Information Security, 2013)
  • Access Control arrangements should cover access by all types of individual (e.g., business users, individuals running systems, IT specialists, such as technical support staff and individuals from external parties). (CF.06.01.03a, The Standard of Good Practice for Information Security, 2013)
  • Access Control arrangements should cover access to all types of software (e.g., application software and System Software). (CF.06.01.03b-2, The Standard of Good Practice for Information Security, 2013)
  • Access Control arrangements should restrict the system capabilities that can be accessed (e.g., by providing menus that enable access only to the particular capabilities needed to fulfill a defined role). (CF.06.01.04b, The Standard of Good Practice for Information Security, 2013)
  • Access to business applications should be restricted by using access control mechanisms, such as passwords, tokens, or biometrics. (CF.06.03.01-1, The Standard of Good Practice for Information Security, 2013)
  • Access to networks should be restricted by using access control mechanisms, such as passwords, tokens, or biometrics. (CF.06.03.01-3, The Standard of Good Practice for Information Security, 2013)
  • Access to computing devices should be restricted by using access control mechanisms, such as passwords, tokens, or biometrics. (CF.06.03.01-4, The Standard of Good Practice for Information Security, 2013)
  • Identity and Access Management arrangements shall be developed to improve the integrity of user information by making this information readily available for users to validate (e.g., by using an electronic information database or directory, such as white pages). (CF.08.02.05a, The Standard of Good Practice for Information Security, 2013)
  • Access control arrangements should be upgraded in response to new capabilities. (CF.06.01.10b-2, The Standard of Good Practice for Information Security, 2013)
  • Physical servers that are used to host Virtual Servers should be protected by restricting physical and logical access to authorized individuals (e.g., administrators). (CF.07.03.03b, The Standard of Good Practice for Information Security, 2013)
  • Physical servers that are used to host Virtual Servers should be protected by requiring authorization when any access is needed (e.g., by the administrator(s), owner(s), or business user(s) of the physical or virtual servers). (CF.07.03.03c, The Standard of Good Practice for Information Security, 2013)
  • Portable storage devices should be protected by the use of access control mechanisms (e.g., by the use of UserID and password, tokens, or biometrics). (CF.14.04.04a, The Standard of Good Practice for Information Security, 2013)
  • Verify that trusted enforcement points, such as access control gateways, servers, and serverless functions, enforce access controls. Never enforce access controls on the client. (1.4.1, Application Security Verification Standard 4.0.3, 4.0.3)
  • The remote access policy should include guidelines for removing access when outside and remote personnel cease employment, are transferred, or no longer require access to the system. (Action 1.1.7, SANS Computer Security Incident Handling, Version 2.3.1)
  • The organization should control the use of administrative privileges. (Critical Control 12, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Policies and procedures shall be established to store and manage identity information about every person who accesses IT infrastructure and to determine their level of access. Policies shall also be developed to control access to network resources based on user identity. (IAM-04, Cloud Controls Matrix, v3.0)
  • User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data and organizationally-owned … (IAM-02, Cloud Controls Matrix, v3.0)
  • Define, implement and evaluate processes, procedures and technical measures for authenticating access to systems, application and data assets, including multifactor authentication for at least privileged user and sensitive data access. Adopt digital certificates or alternatives which achieve an equi… (IAM-14, Cloud Controls Matrix, v4.0)
  • Logical Access Control and Audit. An organization should implement safeguards to enforce access control and audit. Safeguards in this area should be implemented to • restrict access to information, computers, networks, applications, system resources, files and programs, and • record details of e… (¶ 8.2.2, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • The access control policy should state the security attributes the program uses in deciphering the access rules (when access is granted or denied). Examples of these security attributes are user identity, time of day, location, access control lists (ACLs), and role. The access control policy should … (§ 11.2, § F.2, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • An access control policy shall be established, documented and reviewed based on business and information security requirements. (A.9.1.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Access control policies should be addressed prior to giving a customer access to the organization's assets. Access to systems and applications should be restricted. Access can be further restricted by specifying which users have access to specific applications. (§ 6.2.2, § 11.6.1, ISO 27002 Code of practice for information security management, 2005)
  • Organizations processing personal health information shall have an access control policy governing access to these data. (§ 9.1.1 Health-specific control ¶ 2, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. (§ 9.1.1 Health-specific control ¶ 4, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • The organization's policy on access control should be established on the basis of predefined roles with associated authorities which are consistent with, but limited to, the needs of that role. (§ 9.1.1 Health-specific control ¶ 3, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • An access control policy should be established, documented and reviewed based on business and information security requirements. (§ 9.1.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (AC-1a.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Access control policy [Assignment: organization-defined frequency]; and (AC-1b.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Access control policy [Assignment: organization-defined frequency]; and (AC-1b.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (AC-1a.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Access control policy [Assignment: organization-defined frequency]; and (AC-1b.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (AC-1a.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (AC-1a.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Access control policy [Assignment: organization-defined frequency]; and (AC-1b.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Does the information security policy cover computer and communications systems access and use? (§ B.1.12, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Is there a process to request access to networks across network devices? (§ G.11.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is there a process to approve access to networks across network devices? (§ G.11.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is there a process to review access to networks across network devices? (§ G.11.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Does access to electronic systems include a formal request and management approval? (§ H.2.4.1, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Are user access rights reviewed at least quarterly? (§ H.2.6, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • For cloud computing services, does the self-service ability to control access to application program interfaces include virtual private networks? (§ V.1.39.3.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, does the self-service ability to control access to application program interfaces include application access control, e.g., application access control lists? (§ V.1.39.3.3, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, does the self-service ability to control access to application program interfaces include client side certificate credentials? (§ V.1.39.3.5, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, does the self-service ability to control access to application program interfaces include multifactor authentication credentials? (§ V.1.39.3.6, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • If complying with these requirements imposes an undue burden, an agency shall provide individuals with disabilities with the data and information via an alternate means of access to allow them to use the data and information. (§ 1194.2(a)(1), 36 CFR Part 1194 Electronic and Information Technology Accessibility Standards)
  • An access control policy should be developed for each information system. (§ 2-3.a(2), Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • The organization must implement user identification or authentication methods with encryption and data transmission processes to be sure that confidential data is delivered only to authorized parties. (§ 7 ¶ 2, HIPAA HCFA Internet Security Policy, November 1998, Deprecated)
  • Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means; (Supplement A § I.B.2(a), 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • An educational agency or institution must use reasonable methods to ensure that school officials obtain access to only those education records in which they have legitimate educational interests. An educational agency or institution that does not use physical or technological access controls must en… (§ 99.31(a)(1)(ii), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Federal agencies may not enter into a contract with a data broker in order to access any fee-based database that consists primarily of personally identifiable information about United States persons (other than telephone directories or news reports), unless the head of the agency or department adopt… (§ 403(b)(2)(A), § 403(b)(2)(B), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • The designated approving authority must ensure that the use of User IDs and passwords is only used for system access or network access where the use of Department of Defense Public Key Infrastructure is cost prohibitive, not technologically feasible, or is unwarranted. The organization must document… (§ 3.4.3 ¶ AC34.168, DISA Access Control STIG, Version 2, Release 3)
  • The organization should make the integration of the Public Key Infrastructure, the Department of Defense Common Access Card, and other Common Access Card technologies an integral part of the Access Control solution. (§ 3.4.4.1 ¶ 3, DISA Access Control STIG, Version 2, Release 3)
  • Individuals who require access to sensitive information must have their access authorization processed in accordance with personnel security policies. (PRAS-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Individuals who require access to sensitive information must have their access authorization processed in accordance with personnel security policies. (PRAS-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • A mechanism must exist to determine the sensitivity of the data and the access levels granted to users. (§ 8-606.c, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • The criminal justice information services systems officer shall establish, maintain, and enforce the standards for selecting, supervising, and separating personnel who have access to the criminal justice information. (§ 3.2.2(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • All requests for access to criminal justice information shall be made as stated by the criminal justice information services systems officer. (§ 5.12.1.1(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Identify who is using the CSA approved hardware, software, and firmware and ensure no unauthorized individuals or processes have access to the same. (§ 3.2.9 ¶ 1(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Standards for the selection, supervision, and separation of personnel who have access to CJI. (§ 3.2.2 ¶ 1(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Standards for the selection, supervision, and separation of personnel who have access to CJI. (§ 3.2.2 ¶ 1 1., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Identify who is using the CSA approved hardware, software, and firmware and ensure no unauthorized individuals or processes have access to the same. (§ 3.2.9 ¶ 1 1., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Access control policies (e.g., identity-based policies, role-based policies, rule-based policies) and associated access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) shall be employed by agencies to control access between users (or processes acting on beh… (§ 5.5.2 ¶ 3, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • The NCIC hosts restricted files and non-restricted files. NCIC restricted files are distinguished from NCIC non-restricted files by the policies governing their access and use. Proper access to, use, and dissemination of data from restricted files shall be consistent with the access, use, and dissem… (§ 4.2.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Maintains a policy and implements related standards and procedures to identify users and restrict their access. (App A Objective 14:3d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management maintains policies and effectively controls and protects access to and transmission of information to avoid loss or damage. Review whether management does the following: (App A Objective 6.18, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Enforcement of access controls. (App A Objective 8.1.k, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether management effectively provides secure customer access to financial services and plans for potential interruptions in service. Review whether management does the following: (App A Objective 6.25, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • The organization should ensure the service provider has access to only the information and the systems needed to perform its duties. (Pg 29, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • Assess staff access to PIN-related databases and determine if management restricts access to authorized personnel. Assess database maintenance activities to ensure management closely supervises and logs staff access. (App A Tier 2 Objectives and Procedures B.9, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The organization should restrict access to the payment messaging system to a need-to-know basis. Access to the payment application and data should be restricted based on job duties. (Pg 17, Exam Tier II Obj 2.3, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Access controls on customer information systems should be implemented by financial institutions. (Supplement A.II ¶ 1, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice)
  • (AC-3.2, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Access control policy [FedRAMP Assignment: at least annually]; and (AC-1b.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (AC-1a.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (AC-1a.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Access control policy [FedRAMP Assignment: at least every 3 years]; and (AC-1b.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Access control policy [FedRAMP Assignment: at least every 3 years]; and (AC-1b.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (AC-1a.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (AC-1a.1(b), FedRAMP Security Controls High Baseline, Version 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] access control policy that: (AC-1a.1., FedRAMP Security Controls High Baseline, Version 5)
  • Policy [FedRAMP Assignment: at least annually] and following [Assignment: organization-defined events]; and (AC-1c.1., FedRAMP Security Controls High Baseline, Version 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (AC-1a.1(b), FedRAMP Security Controls Low Baseline, Version 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] access control policy that: (AC-1a.1., FedRAMP Security Controls Low Baseline, Version 5)
  • Policy [FedRAMP Assignment: at least every 3 years] and following [Assignment: organization-defined events]; and (AC-1c.1., FedRAMP Security Controls Low Baseline, Version 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (AC-1a.1(b), FedRAMP Security Controls Moderate Baseline, Version 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] access control policy that: (AC-1a.1., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Policy [FedRAMP Assignment: at least every 3 years] and following [Assignment: organization-defined events]; and (AC-1c.1., FedRAMP Security Controls Moderate Baseline, Version 5)
  • (§ 4.01(1)(b), IRS Revenue Procedure: Retention of books and records, 97-22)
  • § 4.8.1 Bullet 1: Establish whether internal staff resources or external consultants will conduct the evaluation of ePHI security policies and procedures. § 4.16.3 Bullet 3: Establish a formal set of integrity requirements based on an analysis of ePHI security assessments. § 4.21.1 Bullet 2: Eval… (§ 4.8.1 Bullet 1, § 4.16.3 Bullet 3, § 4.21.1 Bullet 2, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • The number of unauthorized access attempts will be reduced, if the general information stated in section 3.1.2 about incident prevention is applied. The recommended practice to reduce unauthorized access incidents is to employ a strong layered defense strategy. Table 6-1 lists steps to support a lay… (§ 6.2.2, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AC-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (AC-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] access control policy that: (AC-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (AC-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AC-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] access control policy that: (AC-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] access control policy that: (AC-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AC-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (AC-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (AT-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (AC-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] access control policy that: (AC-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AC-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] access control policy that: (AC-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (AC-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AC-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] access control policy that: (AC-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (AC-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AC-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (AC-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] access control policy that: (AC-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AC-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (AC-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] access control policy that: (AC-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AC-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (AC-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] access control policy that: (AC-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AC-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Cryptographic modules may require authentication mechanisms for authenticating an operator who is accessing the cryptographic module and verifying that the operator is authorized. The cryptographic module shall support role-based authentication and/or identity-based authentication. For role-based au… (§ 4.3.3 ¶ 1, FIPS Pub 140-2, Security Requirements for Cryptographic Modules, 2)
  • If the organization controls access to physical and logical federal resources, it shall determine the appropriate level of identity assurance that is required for access. (§ 6.1 ¶ 3, FIPS Pub 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, Change Notice 1)
  • Creating and defining a computer security program, setting organizational strategic directions, assigning responsibilities and addressing compliance issues are all called for. A central security program is also called for. In general, the idea is to include a stable program management function, exis… (§ 3.1.1, § 3.2.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • The access control policy should be examined to ensure all access control mechanisms are configured according to the policy. Organizational records and documents should be examined to ensure user activities are consistently reviewed and supervised and specific responsibilities and actions are define… (AC-3.2, AC-13.4, AC-13.5, AC-13.6, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • An organization must be aware of its system security plan responsibilities. Organizations should develop policies on how to develop a system security planning process. The chief information officer should be responsible for developing and maintaining an agency-wide information security program. Info… (§ 1.7, Guide for Developing Security Plans for Federal Information Systems, NIST SP 800-18, Revision 1)
  • An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (AC-1a.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (AC-1a.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (AC-1a.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Access control policy [Assignment: organization-defined frequency]; and (AC-1b.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Access control policy [Assignment: organization-defined frequency]; and (AC-1b.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Access control policy [Assignment: organization-defined frequency]; and (AC-1b.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization may use access control policies and access enforcement mechanisms to control Access to Personally Identifiable Information. (§ 4.3 Bullet Access Enforcement (AC-3), NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization must review and update the Access Control security policy on an organizationally defined frequency. (SG.AC-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The access control policy should include how the organization's personnel and assets are protected. (SG.AC-1 Requirement 1.a.i, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The access control policy should include the scope of the program in relation to staff, contractors, and third parties. (SG.AC-1.a.ii, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must establish the Terms and Conditions for accessing the smart grid Information System from an external system. (SG.AC-18 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should develop, document, disseminate, and periodically review and update an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination within the organization, and compliance. (App F § AC-1.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should use replay-resistant authentication mechanisms for the network to access privileged accounts. (App F § IA-2(8), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should use replay-resistant authentication mechanisms for the network to access non-privileged accounts. (App F § IA-2(9), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should provide a readily available logout capability when authentication is used to gain access to web pages. (App F § SC-23(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Public access to the Industrial Control System is generally not allowed. (App I § SC-14, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization reviews and updates the current access control policy {organizationally documented frequency}. (AC-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs an audited override of automated access control mechanisms under {organizationally documented conditions}. (AC-3(10), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (IA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current access control policy {organizationally documented frequency}. (AC-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (IA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current access control policy {organizationally documented frequency}. (AC-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (IA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current access control policy {organizationally documented frequency}. (AC-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (IA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (AC-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Access control policy [Assignment: organization-defined frequency]; and (AC-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (AC-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Access control policy [Assignment: organization-defined frequency]; and (AC-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Access control policy [Assignment: organization-defined frequency]; and (AC-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (AC-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (AC-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Access control policy [Assignment: organization-defined frequency]; and (AC-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (AC-1a.1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] access control policy that: (AC-1a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AC-1c.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (AC-1a.1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] access control policy that: (AC-1a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (AC-1c.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (AC-1a.1., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Access control policy [Assignment: organization-defined frequency]; and (AC-1b.1., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties (PR.AA-05, The NIST Cybersecurity Framework, v2.0)
  • Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means; (Supp A § I. B. 2.(a), Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • Anyone who stores, licenses, owns, or maintains personal information about a Massachusetts resident and electronically transmits or stores that information must establish and maintain a security system (which must be included in the comprehensive, written information security program) for all comput… (§ 17.04(2), Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts)
  • use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity's Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts; (§ 500.02 Cybersecurity Program (b)(2), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • use defensive infrastructure and the implementation of policies and procedures to protect the covered entity's information systems, and the nonpublic information stored on those information systems, from unauthorized access, use or other malicious acts; (§ 500.2 Cybersecurity Program (b)(2), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (AC-1a.1., TX-RAMP Security Controls Baseline Level 1)
  • Access control policy [TX-RAMP Assignment: at least every 3 years]; and (AC-1b.1., TX-RAMP Security Controls Baseline Level 1)
  • An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (AC-1a.1., TX-RAMP Security Controls Baseline Level 2)
  • Access control policy [TX-RAMP Assignment: at least every 3 years]; and (AC-1b.1., TX-RAMP Security Controls Baseline Level 2)
  • An educational agency or institution must use reasonable methods to ensure that school officials obtain access to only those education records in which they have legitimate educational interests. An educational agency or institution that does not use physical or technological access controls must en… (§ 99.31(a)(1)(ii), 34 CFR Part 99, Family Educational Rights and Privacy)