
Establish, implement, and maintain access control procedures.


CONTROL ID
11663
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an access control program., CC ID: 11702

This Control has the following implementation support Control(s):
  • Implement out-of-band authentication, as necessary., CC ID: 10606
  • Grant access to authorized personnel or systems., CC ID: 12186
  • Disseminate and communicate the access control procedures to all interested personnel and affected parties., CC ID: 14123


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization shall define the procedures to authorize access to systems and resources and to review the access authorization. The organization shall establish procedures to renew the access authorization to keep the access authorizations up-to-date. (O18, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • In practice, in addition to the personnel listed in the table, other individuals may be granted the access authorization as necessary and therefore, the methods for granting the access authorization in such case should be clearly defined. (P56.2. ¶ 3, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • For proper control of access to various resources and systems, it is essential to define the procedures for granting access authorization. The procedures should include the designation of approver of granting access authorization to users and mutually supervised approval procedure depending on the j… (P27.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The central control and monitoring station (central monitoring room, disaster control center, etc.) serves as the key center of the computer center in both normal and disaster states, as well as during other emergencies. Therefore, it is necessary to take disaster prevention measures for the station… (F81.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Establishing policies and conducting training to minimize the likelihood that organizational personnel would inadvertently disclose sensitive information regarding critical system design, operations, or security controls through social engineering attempts. Any requests for information by unknown pe… (Critical components of information security 24) viii. ¶ 1 n., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Installation and operation of an access control device, such as a system for blocking intrusion to cut off illegal access to personal information; (Article 28(1)(2), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • The FI should ensure that information processed, stored or transmitted between the FI and its customers is accurate, reliable and complete. With internet connection to internal networks, financial systems and devices may now be potentially accessed by anyone from anywhere at any time. The FI should … (§ 12.1.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • identification, authorisation and granting of access to information assets (refer to Attachment C for further guidance); (21(a)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • APRA envisages that a regulated entity would establish a clear allocation of responsibilities for monitoring processes, with appropriate tools in place to enable timely detection. Access controls and segregation of duties would typically be used as a means to safeguard the integrity of the monitorin… (69., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Databases should provide accountability for each user's actions while logged on to them through the use of controls. The use of privileged accounts should be controlled and accountable. Each Administrator should have his/her own individual account for administering the system. (§ 3.5.34, § 3.6.21, Australian Government ICT Security Manual (ACSI 33))
  • The organization should implement a non-persistent virtualized trusted operating environment that limits access to network File Shares for risky activities, such as web browsing and e-mail. (Mitigation Strategy Effectiveness Ranking 22, Strategies to Mitigate Targeted Cyber Intrusions)
  • Financial institutions should define, document and implement procedures for logical access control (identity and access management). These procedures should be implemented, enforced, monitored and periodically reviewed. The procedures should also include controls for monitoring anomalies. These proc… (3.4.2 31, Final Report EBA Guidelines on ICT and security risk management)
  • Accompanying technical and organisational measures shall be implemented to ensure that the requirements contained in the user access rights concepts cannot be circumvented. (II.5.30, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Procedures for allocation and revocation of access rights are established. (3.1.1 Requirements (should) Bullet 1, Information Security Assessment, Version 5.1)
  • Access to network services is restricted to necessary access by means of suitable protective measures (see examples). (5.2.3 Requirements (should) Bullet 2, Information Security Assessment, Version 5.1)
  • (§ 4.2, OGC ITIL: Security Management)
  • Access for users should be restricted to resources they need to do their jobs. (§ IV.14, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Are policies and procedures documented that are used for establishing and terminating access for consultants and employees? (Table Row IV.2, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Examine the written access control policy to verify it includes requirements 7.1.1 through 7.1.4. (Testing Procedures § 7.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine the documentation to verify the security policies and operational procedures for restricting access to cardholder data are documented. (Testing Procedures § 7.3 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine the documentation to verify the security policies and operational procedures for restricting access to cardholder data are implemented. (Testing Procedures § 7.3 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Security policies and operational procedures for restricting access to cardholder data must be documented, implemented, and known to all affected parties. (PCI DSS Requirements § 7.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Documented. (7.1.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Kept up to date. (7.1.1 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • In use. (7.1.1 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documentation and interview personnel to verify that security policies and operational procedures identified in Requirement 7 are managed in accordance with all elements specified in this requirement. (7.1.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Are security policies and operational procedures for restricting access to cardholder data documented, in use, and known to all affected parties? (PCI DSS Question 7.3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are security policies and operational procedures for restricting access to cardholder data documented, in use, and known to all affected parties? (PCI DSS Question 7.3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Documented. (7.1.1 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (7.1.1 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (7.1.1 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (7.1.1 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (7.1.1 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (7.1.1 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The organization should use permanent browser cookies to store non-sensitive cardholder information so cardholders do not have to reenter the information every time they come back to make purchases. (Pg 32, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • Access controls for critical business applications or sensitive business applications should be strengthened by requiring the use of authentication hardware, such as physical smartcard readers, physical tokens, or smartphones. (CF.05.03.04b, The Standard of Good Practice for Information Security)
  • Access Control arrangements should be supported by documented standards / procedures. (CF.06.01.02, The Standard of Good Practice for Information Security)
  • Access Control standards and procedures should take account of requirements set by the owner of systems. (CF.06.01.02a-4, The Standard of Good Practice for Information Security)
  • Access Control standards and procedures should take account of contractual obligations. (CF.06.01.02a-6, The Standard of Good Practice for Information Security)
  • Access Control standards and procedures should take account of the need to achieve individual accountability. (CF.06.01.02b, The Standard of Good Practice for Information Security)
  • Access Control standards and procedures should take account of the need to apply additional control for users with special access privileges. (CF.06.01.02b, The Standard of Good Practice for Information Security)
  • Critical databases should be supported by documented standards / procedures, which covers protection of databases and the information they contain. (CF.13.03.01c, The Standard of Good Practice for Information Security)
  • Access controls for critical business applications or sensitive business applications should be strengthened by requiring the use of authentication hardware, such as physical smartcard readers, physical tokens, or smartphones. (CF.05.03.04b, The Standard of Good Practice for Information Security, 2013)
  • Access Control arrangements should be supported by documented standards / procedures. (CF.06.01.02, The Standard of Good Practice for Information Security, 2013)
  • Access Control standards and procedures should take account of requirements set by the owner of systems. (CF.06.01.02a-4, The Standard of Good Practice for Information Security, 2013)
  • Access Control standards and procedures should take account of contractual obligations. (CF.06.01.02a-6, The Standard of Good Practice for Information Security, 2013)
  • Access Control standards and procedures should take account of the need to apply additional control for users with special access privileges. (CF.06.01.02b, The Standard of Good Practice for Information Security, 2013)
  • Critical databases should be supported by documented standards / procedures, which covers protection of databases and the information they contain. (CF.13.03.01c, The Standard of Good Practice for Information Security, 2013)
  • Additional controls should be applied to special access privileges (e.g., 'root' in UNIX or 'Administrator' in Windows systems, powerful utilities, and privileges that can be used to authorise payments or perform financial transactions), which include maintaining a register of special access privile… (CF.06.01.08f, The Standard of Good Practice for Information Security, 2013)
  • Verify the application uses a single and well-vetted access control mechanism for accessing protected data and resources. All requests must pass through this single mechanism to avoid copy and paste or insecure alternative paths. (1.4.4, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that access controls fail securely including when an exception occurs. (4.1.5, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that the application enforces access control rules on a trusted service layer, especially if client-side access control is present and could be bypassed. (4.1.1, Application Security Verification Standard 4.0.3, 4.0.3)
  • Configure access for all accounts through a centralized point of authentication, for example Active Directory or LDAP. Configure network and security devices for centralized authentication as well. (Control 16.9, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Policy, process and procedure shall be established and implemented to safeguard intellectual property and the use of proprietary software within the legislative jurisdiction and contractual constraints governing the organization. (CO-06, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • User access policies and procedures shall be documented, approved and implemented for granting and revoking normal and privileged access to applications, databases, and server and network infrastructure in accordance with business, security, compliance and Service Level Agreement (sla) requirements. (IS-07, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems. (CIS Control 16: Sub-Control 16.2 Configure Centralized Point of Authentication, CIS Controls, 7.1)
  • Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems. (CIS Control 16: Sub-Control 16.2 Configure Centralized Point of Authentication, CIS Controls, V7)
  • Logical Access Control and Audit. An organization should implement safeguards to enforce access control and audit. Safeguards in this area should be implemented to • restrict access to information, computers, networks, applications, system resources, files and programs, and • record details of e… (¶ 8.2.2(1-4), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • ¶ 13.2 Secure Service Management should be implemented for network security. ¶ 13.2.1 Introduction to Secure Service Management. A key security requirement for any network is that it is supported by secure service management activities, which will initiate and control the implementation, and opera… (¶ 13.2, ¶ 13.2.1, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • During the establishment of a user session, a set of attributes should be used to determine the scope of the session security attributes. Examples of attributes include user identity, location, method of access, and time of access. Examples of session security attributes include integrity level, use… (§ 17.1, § L.1, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • Procedures and policies for logical access control should address these needs on a temporary basis and should cover the following topics: authorization and creation of "guest" logical access control profile; usage timing and duration; activity log checking, and expiration. (§ 7.5.5, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. (A.9.4.2 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Access to health information systems that process personal health information shall be subject to a formal user registration process. User registration procedures shall ensure that the level of authentication required of claimed user identity is consistent with the level(s) of access that will becom… (§ 9.2.1 Health-specific control ¶ 1, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • Where required by the access control policy, access to systems and applications should be controlled by a secure log-on procedure. (§ 9.4.2 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Where required, the public cloud PII processor should provide secure log-on procedures for any accounts requested by the cloud service customer for cloud service users under its control. (§ 9.4.2 ¶ 3, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Where required, the public cloud PII processor should provide secure log-on procedures for any accounts requested by the cloud service customer for cloud service users under its control. (§ 9.4.2 ¶ 3, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • The appropriateness of access roles and access rules is reviewed on a periodic basis for unnecessary and inappropriate individuals (for example, employees, contractors, vendors, business partner personnel) and inappropriate system or service accounts. Access roles and rules are modified, as appropri… (CC6.3 ¶ 2 Bullet 4 Reviews Access Roles and Rules, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Controls for data-in-transit include, but are not restricted to, appropriate encryption, authentication and access control. (PR.DS-2.2, CRI Profile, v1.2)
  • Access control procedures [Assignment: organization-defined frequency]. (AC-1b.2., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Procedures to facilitate the implementation of the access control policy and associated access controls; and (AC-1a.2., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Procedures to facilitate the implementation of the access control policy and associated access controls; and (AC-1a.2., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Access control procedures [Assignment: organization-defined frequency]. (AC-1b.2., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Procedures to facilitate the implementation of the access control policy and associated access controls; and (AC-1a.2., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Access control procedures [Assignment: organization-defined frequency]. (AC-1b.2., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Access control procedures [Assignment: organization-defined frequency]. (AC-1b.2., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Procedures to facilitate the implementation of the access control policy and associated access controls; and (AC-1a.2., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization should implement access procedures to restrict logical access to personal information and should prevent individuals from accessing personal information other than their own. Procedures should exist to restrict logical access to system configuration files, powerful utilities, securi… (ID 8.2.2, ID 8.2.2.e, ID 8.2.2.i, AICPA/CICA Privacy Framework)
  • Procedures exist to protect system resources from unauthorized access. (Security Prin. and Criteria Table § 3.4, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to protect system resources from unauthorized access. (Availability Prin. and Criteria Table § 3.7, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to protect system resources from unauthorized access. (Processing Integrity Prin. and Criteria Table § 3.8, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to protect system resources from unauthorized access. (Confidentiality Prin. and Criteria Table § 3.10, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Generally, IT processing is inherently consistent; therefore, the service auditor may be able to limit the testing to one or a few instances of the control operation. An automated control usually functions consistently unless the program, including the tables, files, or other permanent data used by … (¶ 3.138, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • controls over data loss prevention, access provisioning and deprovisioning, user identification and authentication, data destruction, system event monitoring and detection, and backup procedures (¶ 3.59 Bullet 9 Sub-Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Reading policy and procedure manuals, system documentation, flowcharts, narratives, asset management records, and other system documentation to understand IT policies and procedures and controls over data loss prevention, access provisioning and deprovisioning, user identification and authentication… (¶ 3.50 Bullet 4, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The appropriateness of access roles and access rules is reviewed on a periodic basis for unnecessary and inappropriate individuals with access and access rules are modified as appropriate. (CC6.3 ¶ 2 Bullet 4 Reviews Access Roles and Rules, Trust Services Criteria, (includes March 2020 updates))
  • Logical access security software, infrastructure, and architectures have been implemented to support (CC5.1, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • Utilize effective controls, which may include Multi-Factor Authentication procedures for any individual accessing Nonpublic Information; (Section 4.D ¶ 1(2)(g), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • establishing appropriate identity and access controls to a Member's systems and data, including media upon which information is stored; (Information Security Program Bullet 3 Deployment of Protective Measures Against the Identified Threats and Vulnerabilities ¶ 1 Sub-bullet 2, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • Provisioned electronic access to electronic BCSI; and (CIP-004-7 Table R6 Part 6.1 Requirements 6.1.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-7, Version 7)
  • Electronic access controls; (B. R1. 1.2 1.2.3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Electronic Access Controls: For each asset containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement electronic access controls to: (Attachment 1 Section 3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Is there a process to grant and approve access to systems transmitting scoped systems and data? (§ H.2.4, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Is there a process to grant and approve access to systems processing scoped systems and data? (§ H.2.4, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Is there a process to grant and approve access to systems storing scoped systems and data? (§ H.2.4, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Are there documented policies, procedures, and controls to limit access based on need to know or minimum access necessary for its employees, agents, contractors, and others? (§ P.7.1, Shared Assessments Standardized Information Gathering Questionnaire - P. Privacy, 7.0)
  • Access to information on the building's operations, such as security system plans, schematics, emergency operations procedures, and mechanical and electrical systems, should be strictly controlled on an as needed basis. (Pg 14, Guidance for Protecting Building Environments from Airborne Chemical, Biological, or Radiological Attacks, NIOSH, May 2002, DHHS (NIOSH) Publication No. 2002-139, May 2002)
  • CSR 2.2.1: The organization must implement procedures to verify access authorizations before physical access is granted to individuals. CSR 2.2.22: The organization must implement procedures for controlling access to software programs that are being tested or revised. CSR 2.9.1: CMS business partner… (CSR 2.2.1, CSR 2.2.22, CSR 2.9.1, CSR 2.11.1, CSR 2.11.2, CSR 10.10.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The organization must implement centralized control of user access administrator functions. (CSR 2.9.16, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The organization must ensure that access mechanisms are implemented that allow appropriate users access to information which is cleared for release to an international organization, foreign nation, or foreign coalition. (§ 3.3 ¶ AC33.020, DISA Access Control STIG, Version 2, Release 3)
  • The Records Management Application shall support simultaneous multi-user access to records, metadata, and all components of the Records Management Application. (§ C2.2.7.5, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application, in conjunction with the operating environment, shall ensure the individual's access criteria takes precedence when there is a difference between the individual's access criteria and a group's access criteria. (§ C4.1.19, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The system must use access control mechanisms to ensure that data is only accessed and changed by authorized personnel. (ECCD-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The system must use access control mechanisms to ensure that data is only accessed and changed by authorized personnel. (ECCD-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • A patient safety organization must have documented processes and procedures that address methods to prevent unauthorized access of patient safety work product. (§ 3.106(b)(3)(ii), 42 CFR Part 3, Patient Safety and Quality Improvements, Final Rule)
  • Policies and procedures shall be implemented to authorize access to electronic protected health information. The access authorization shall be consistent with the subpart E requirements. (§ 164.308(a)(4)(i), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Technical policies and procedures shall be implemented to maintain electronic protected health information on electronic information systems to ensure only those persons or software programs that have been granted access are allowed access. (§ 164.312(a)(1), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Physical protection policy and procedures shall be documented and implemented to ensure CJI and information system hardware, software, and media are physically protected through access control measures. (§ 5.9 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • If a record of any kind exists, access to CJI shall not be granted until the CSO or his/her designee reviews the matter to determine if access is appropriate. (§ 5.12.1 3., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • If a felony conviction of any kind exists, the Interface Agency shall deny access to CJI. However, the Interface Agency may ask for a review by the CSO in extenuating circumstances where the severity of the offense and the time that has passed would support a possible variance. (§ 5.12.1 3.a., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • If the CSO or his/her designee determines that access to CJI by the person would not be in the public interest, access shall be denied and the person's appointing authority shall be notified in writing of the access denial. (§ 5.12.1 6., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • IAM based on job type and access and appropriate authentication techniques. (App A Objective 9:1c Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Maintains a policy and implements related standards and procedures to identify users and restrict their access. (App A Objective 14:3d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Authentication and security of access points. (AppE.7 Objective 3:4 f., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Access control procedures [FedRAMP Assignment: at least annually or whenever a significant change occurs]. (AC-1b.2. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures to facilitate the implementation of the access control policy and associated access controls; and (AC-1a.2. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Access control procedures [FedRAMP Assignment: at least annually]. (AC-1b.2. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures to facilitate the implementation of the access control policy and associated access controls; and (AC-1a.2. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures to facilitate the implementation of the access control policy and associated access controls; and (AC-1a.2. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Access control procedures [FedRAMP Assignment: at least annually]. (AC-1b.2. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures to facilitate the implementation of the access control policy and the associated access controls; (AC-1a.2., FedRAMP Security Controls High Baseline, Version 5)
  • Procedures [FedRAMP Assignment: at least annually] and following [FedRAMP Assignment: significant changes]. (AC-1c.2., FedRAMP Security Controls High Baseline, Version 5)
  • Procedures to facilitate the implementation of the access control policy and the associated access controls; (AC-1a.2., FedRAMP Security Controls Low Baseline, Version 5)
  • Procedures [FedRAMP Assignment: at least annually] and following [FedRAMP Assignment: significant changes]. (AC-1c.2., FedRAMP Security Controls Low Baseline, Version 5)
  • Procedures to facilitate the implementation of the access control policy and the associated access controls; (AC-1a.2., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Procedures [FedRAMP Assignment: at least annually] and following [FedRAMP Assignment: significant changes]. (AC-1c.2., FedRAMP Security Controls Moderate Baseline, Version 5)
  • The organization must develop, document, distribute, and continuously update an access control policy and procedures for implementing the access control security controls. The security controls include account management, least privilege, session locks, remote access, information flow, unsuccessful … (§ 5.6.1, Exhibit 4 AC-1, Exhibit 6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Dual controls procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to member information; (§ 748 Appendix A. III.C.1.e., 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Establish a formal policy for access control that will guide access control procedure development. (§ 4.14.4 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (AC-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Procedures to facilitate the implementation of the access control policy and the associated access controls; (AC-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (AC-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Procedures to facilitate the implementation of the access control policy and the associated access controls; (AC-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (AC-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Procedures to facilitate the implementation of the access control policy and the associated access controls; (AC-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (AC-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Procedures to facilitate the implementation of the access control policy and the associated access controls; (AC-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (AC-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Procedures to facilitate the implementation of the access control policy and the associated access controls; (AC-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Procedures to facilitate the implementation of the access control policy and the associated access controls; (AC-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (AC-1c 2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Procedures to facilitate the implementation of the access control policy and the associated access controls; (AC-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (AC-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Procedures to facilitate the implementation of the access control policy and the associated access controls; (AC-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (AC-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Procedures to facilitate the implementation of the access control policy and the associated access controls; (AC-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (AC-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Parties responsible for controlling access to federal resources (both physical and logical) SHALL determine the appropriate assurance levels required for access based on the harm and impact to individuals and organizations that could occur as a result of errors in the authentication of the PIV cardh… (6.1 ¶ 3, FIPS Pub 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors)
  • The system configuration should be examined to see if users are able to perform actions without identifying and authenticating themselves in accordance with the access control policy and procedures. Test the system to ensure any actions that can be performed without identification and authenticatio… (AC-14.2, AC-14.3, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Procedures to facilitate the implementation of the access control policy and associated access controls; and (AC-1a.2. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Procedures to facilitate the implementation of the access control policy and associated access controls; and (AC-1a.2. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Procedures to facilitate the implementation of the access control policy and associated access controls; and (AC-1a.2. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Access control procedures [Assignment: organization-defined frequency]. (AC-1b.2. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Access control procedures [Assignment: organization-defined frequency]. (AC-1b.2. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Access control procedures [Assignment: organization-defined frequency]. (AC-1b.2. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establish continuous monitoring tools and technologies access control process and procedures. (T0993, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Collaborate with other internal and external partner organizations on target access and operational issues. (T0600, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization should consider developing privacy policies and associated procedures for the Access rules for Personally Identifiable Information in the system. (§ 4.1.1 ¶ 1 Bullet 1, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization must develop procedures to implement the Access Control security policy and the Access Control protection requirements. (SG.AC-1 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should develop and document procedures to implement and monitor the access control policy and associated access controls. (App F § AC-1.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should implement organization-defined measures to manage the risk of compromise as a result of individuals having accounts on multiple systems. (App F § IA-5(8), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Establish continuous monitoring tools and technologies access control process and procedures. (T0993, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Collaborate with other internal and external partner organizations on target access and operational issues. (T0600, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization reviews and updates the current access control procedures {organizationally documented frequency}. (AC-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization implements {organizationally documented security safeguards} to manage the risk of compromise due to individuals having accounts on multiple information systems. (IA-5(8), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current access control procedures {organizationally documented frequency}. (AC-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current access control procedures {organizationally documented frequency}. (AC-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current access control procedures {organizationally documented frequency}. (AC-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Access control procedures [Assignment: organization-defined frequency]. (AC-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the access control policy and associated access controls; and (AC-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Access control procedures [Assignment: organization-defined frequency]. (AC-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the access control policy and associated access controls; and (AC-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the access control policy and associated access controls; and (AC-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Access control procedures [Assignment: organization-defined frequency]. (AC-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the access control policy and associated access controls; and (AC-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Access control procedures [Assignment: organization-defined frequency]. (AC-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization requires the developer of the information system, system component, or information system service take [Assignment: organization-defined actions] to ensure that the required access authorizations and screening criteria are satisfied. (SA-21(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Procedures to facilitate the implementation of the access control policy and the associated access controls; (AC-1a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (AC-1c.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Procedures to facilitate the implementation of the access control policy and the associated access controls; (AC-1a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (AC-1c.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Procedures to facilitate the implementation of the access control policy and associated access controls; and (AC-1a.2., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Access control procedures [Assignment: organization-defined frequency]. (AC-1b.2., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization requires the developer of the information system, system component, or information system service take [Assignment: organization-defined actions] to ensure that the required access authorizations and screening criteria are satisfied. (SA-21(1) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Firms may be particularly at risk of a data breach from a failure to implement basic controls to prevent unauthorized access to systems or information, such as multifactor authentication or updating access rights based on personnel or system changes. Examiners may review how firms control access to … (Bullet 2: Access Rights and Controls, OCIE’s 2015 Cybersecurity Examination Initiative, Volume IV, Issue 8)
  • Utilize effective controls, which may include multi-factor authentication procedures for employees accessing nonpublic information. (Section 27-62-4(d)(2) g., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Review of the scope of the secure access control measures at least annually or whenever there is a material change in the company's business practices that may affect the security, confidentiality or integrity of personal information; (§ 38a-999b(b)(2)(J), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • Utilization of effective controls, which may include multifactor authentication procedures for any individual accessing nonpublic information; (Part VI(c)(4)(B)(vii), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Utilize effective controls, which may include multi-factor authentication procedures for employees or authorized individuals accessing nonpublic information (§ 8604.(d)(2) g., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Use effective controls, which may include multi-factor authentication procedures for any individual accessing nonpublic information; (§431:3B-203(2)(G), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Using effective controls, which may include multi-factor authentication procedures for any employees accessing nonpublic information. (Sec. 18.(2)(G), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Utilize effective controls, which may include multi-factor authentication procedures for authorized individuals accessing nonpublic information. (507F.4 4.b.(7), Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Use effective controls, which may include multifactor authentication procedures for any individual accessing nonpublic information. (§2504.D.(2)(g), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Use effective controls, which may include multifactor authentication procedures, for individuals accessing nonpublic information; (§2264 4.B.(7), Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Using effective controls, which may include multi-factor authentication procedures for employees accessing nonpublic information. (Sec. 555.(4)(b)(viii), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • utilize effective controls, which may include multifactor authentication procedures for any authorized individual accessing nonpublic information; (§ 60A.9851 Subdivision 4(2)(vii), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Utilize effective controls, which may include multi-factor authentication procedures for employees accessing nonpublic information; (§ 83-5-807 (4)(b)(vii), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Utilize effective controls, which may include multi-factor authentication procedures for any individual accessing nonpublic information. (§ 420-P:4 IV.(b)(7), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Utilize effective controls, which may include multi-factor authentication procedures for employees accessing nonpublic information; (26.1-02.2-03. 4.b.(7), North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • Utilize effective controls, which may include multifactor authentication procedures for accessing nonpublic information; (Section 3965.02 (D)(2)(g), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • utilizing effective controls, which may include multifactor authentication procedures for an individual accessing nonpublic information; (SECTION 38-99-20. (D)(2)(g), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Utilize effective controls that may include multi-factor authentication procedures for authorized individuals accessing nonpublic information; (§ 56-2-1004 (4)(B)(vii), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Procedures to facilitate the implementation of the access control policy and associated access controls; and (AC-1a.2., TX-RAMP Security Controls Baseline Level 1)
  • Access control procedures [TX-RAMP Assignment: at least annually]. (AC-1b.2., TX-RAMP Security Controls Baseline Level 1)
  • Procedures to facilitate the implementation of the access control policy and associated access controls; and (AC-1a.2., TX-RAMP Security Controls Baseline Level 2)
  • Access control procedures [TX-RAMP Assignment: at least annually]. (AC-1b.2., TX-RAMP Security Controls Baseline Level 2)
  • Utilize effective controls, which may include multifactor authentication procedures for employees accessing nonpublic information. (§ 601.952(3)(b)7., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)