Separate user functionality from system management functionality.


CONTROL ID: 11858
CONTROL TYPE: Technical Security
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Secure access to each system component operating system. (CC ID: 00551)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Database administrator accounts are used exclusively for administrative tasks, with standard database accounts used for general purpose interactions with databases. (Security Control: 1263; Revision: 2, Australian Government Information Security Manual, March 2021)
  • Administrator workstations are placed into a separate network zone to user workstations. (Security Control: 1385; Revision: 2, Australian Government Information Security Manual, March 2021)
  • Privileged user accounts are prevented from accessing the internet, email and web services. (Control: ISM-1175; Revision: 4, Australian Government Information Security Manual, June 2023)
  • Privileged service accounts are prevented from accessing the internet, email and web services. (Control: ISM-1653; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Privileged user accounts are prevented from accessing the internet, email and web services. (Control: ISM-1175; Revision: 4, Australian Government Information Security Manual, September 2023)
  • Privileged service accounts are prevented from accessing the internet, email and web services. (Control: ISM-1653; Revision: 0, Australian Government Information Security Manual, September 2023)
  • There are separate networks for the administrative management of the infrastructure and for the operation of management consoles, which are separated logically or physically by the network of the cloud customers and are protected against unauthorised access by means of multi-factor authentication (s… (Section 5.9 KOS-04 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Is administrative access to systems or hypervisor separate from access to client VMs and data stores? (Appendix D, Implement Strong Access Control Measures Bullet 5 Sub-bullet 1, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Business applications should protect against unauthorized disclosure of sensitive information by ensuring that they enforce separation of privilege (e.g., by dividing application functions and splitting cryptographic keys). (CF.04.01.03b, The Standard of Good Practice for Information Security)
  • Business applications should protect against unauthorized disclosure of sensitive information by ensuring that they enforce separation of privilege (e.g., by dividing application functions and splitting cryptographic keys). (CF.04.01.03b, The Standard of Good Practice for Information Security, 2013)
  • Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities. (CIS Control 4: Sub-Control 4.3 Ensure the Use of Dedicated Administrative Accounts, CIS Controls, 7.1)
  • Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities. (CIS Control 4: Sub-Control 4.3 Ensure the Use of Dedicated Administrative Accounts, CIS Controls, V7)
  • Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account. (CIS Control 5: Safeguard 5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts, CIS Controls, V8)
  • The applications and devices may generate audit records about events occurring in that application or device (see 6.10). Access to these audit logs is necessary to support filtering audit logs, identifying and removing information that is redundant, reviewing and reporting activity during after-the-… (10.3.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The information system separates user functionality (including user interface services) from information system management functionality. (SC-2 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The information system separates user functionality (including user interface services) from information system management functionality. (SC-2 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The information system isolates security functions from nonsecurity functions. (SC-3 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The information system separates user functionality (including user interface services) from information system management functionality. (SC-2 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • CSR 2.5.9: The system must be configured to isolate security functions from non-security functions, and the security functions that enforce access and information control must be isolated and protected from the other security functions and non-security functions. CSR 4.1.2: The organization must div… (CSR 2.5.9, CSR 4.1.2, CSR 4.7.1, CSR 4.7.2, CSR 4.7.5, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Separate user functionality from system management functionality. (SC.3.181, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Separate user functionality from system management functionality. (SC.3.181, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Separate user functionality from system management functionality. (SC.3.181, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Separate user functionality from system management functionality. (SC.L2-3.13.3 Role Separation, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • The data storage and management services must be logically or physically separated from the User Interface services by using different Operating System instances, different computers, different network addresses, different central processing units, combinations of these, or other methods. (DCPA-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • User functionality shall be separated from the information system management functionality for applications, services, and Information Systems. (§ 5.10.3.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The application, service, or information system shall separate user functionality (including user interface services) from information system management functionality. (§ 5.10.3.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The application, service, or information system shall physically or logically separate user interface services (e.g. public web pages) from information storage and management services (e.g. database management). Separation may be accomplished through the use of one or more of the following: (§ 5.10.3.1 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Segregate the administrative duties for the host. (§ 5.10.3.2 ¶ 3(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The application, service, or information system shall separate user functionality (including user interface services) from information system management functionality. (§ 5.10.3.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • The application, service, or information system shall physically or logically separate user interface services (e.g. public web pages) from information storage and management services (e.g. database management). Separation may be accomplished through the use of one or more of the following: (§ 5.10.3.1 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Segregate the administrative duties for the host. (§ 5.10.3.2 ¶ 3 3., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Performs administrative activities from dedicated workstations. (App A Objective 13:3i, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Restricts and monitors administrator access to the OS. (App A Objective 13:6a Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The information system separates user functionality (including user interface services) from information system management functionality. (SC-2 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system isolates security functions from nonsecurity functions. (SC-3 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system separates user functionality (including user interface services) from information system management functionality. (SC-2 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Isolate security functions from nonsecurity functions. (SC-3 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Separate user functionality, including user interface services, from system management functionality. (SC-2 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Separate user functionality, including user interface services, from system management functionality. (SC-2 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • The organization must ensure the front end interface of the system is separated from the back end processing and data storage. (§ 5.6.15, Exhibit 4 SC-2, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Isolate security functions from nonsecurity functions. (SC-3 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Separate user functionality, including user interface services, from system management functionality. (SC-2 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Separate user functionality, including user interface services, from system management functionality. (SC-2 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • The information system separates user functionality (including user interface services) from information system management functionality. (SC-2 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system separates user functionality (including user interface services) from information system management functionality. (SC-2 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system isolates security functions from nonsecurity functions. (SC-3 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The smart grid Information System must separate non-security functions from security functions. (SG.SC-3 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid Information System should use hardware separation mechanisms to isolate security functions. (SG.SC-3 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid Information System should isolate the security functions from the non-security functions and other security functions. (SG.SC-3 Additional Considerations A2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid Information System must prevent unintended information or unauthorized information from being transferred by smart grid Information System resources. (SG.SC-4 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid Information System must separate the management functionality from the user functionality. (SG.SC-29 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid Information System should prevent management-related functionality from being displayed on the general User Interface. (SG.SC-29 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Separate user functionality from information system management functionality. (3.13.3, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Separate user functionality from system management functionality. (3.13.3, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Separate user functionality from system management functionality. (3.13.3, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization must segregate user access and services from Information System management and administration functions. (App F § SC-2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System must segregate non-security functions from security functions. (App F § SC-3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should prevent management-related functionality from appearing on a general user interface. (App F § SC-2(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should use hardware separation mechanisms to isolate the security functions. (App F § SC-3(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should implement security functions as layered structures to minimize interactions between the layers and avoid dependence by lower levels on the functionality or correctness of higher layers. (App F § SC-3(5), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must use compensating controls in accordance with the general tailoring guidance when the Industrial Control System cannot separate user functionality from information system management functionality. (App I § SC-2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must use compensating controls in accordance with the general tailoring guidance when the Industrial Control System cannot support Security Function isolation. (App I § SC-3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The information system separates user functionality (including user interface services) from information system management functionality. (SC-2 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users. (SC-2(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system isolates security functions from nonsecurity functions. (SC-3 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system utilizes underlying hardware separation mechanisms to implement security function isolation. (SC-3(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system separates user functionality (including user interface services) from information system management functionality. (SC-2 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system isolates security functions from nonsecurity functions. (SC-3 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system separates user functionality (including user interface services) from information system management functionality. (SC-2 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system isolates security functions from nonsecurity functions. (SC-3 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system separates user functionality (including user interface services) from information system management functionality. (SC-2 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system separates user functionality (including user interface services) from information system management functionality. (SC-2 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The information system separates user functionality (including user interface services) from information system management functionality. (SC-2 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system isolates security functions from nonsecurity functions. (SC-3 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization minimizes the number of nonsecurity functions included within the isolation boundary containing security functions. (SC-3(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users. (SC-2(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Isolate security functions from nonsecurity functions. (SC-3 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Separate user functionality, including user interface services, from system management functionality. (SC-2 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Prevent the presentation of system management functionality at interfaces to non-privileged users. (SC-2(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Minimize the number of nonsecurity functions included within the isolation boundary containing security functions. (SC-3(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Isolate security functions from nonsecurity functions. (SC-3 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Separate user functionality, including user interface services, from system management functionality. (SC-2 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Prevent the presentation of system management functionality at interfaces to non-privileged users. (SC-2(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Minimize the number of nonsecurity functions included within the isolation boundary containing security functions. (SC-3(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The information system separates user functionality (including user interface services) from information system management functionality. (SC-2 Control, TX-RAMP Security Controls Baseline Level 2)