AC — Access Control
19 objectives in the Access Control domain
AC.L1-B.1.I[a]Authorized users are identified.
AC.L1-B.1.I[b]Processes acting on behalf of authorized users are identified.
AC.L1-B.1.I[c]Devices (and other systems) authorized to connect to the system are identified.
AC.L1-B.1.I[d]System access is limited to authorized users.
AC.L1-B.1.I[e]System access is limited to processes acting on behalf of authorized users.
AC.L1-B.1.I[f]System access is limited to authorized devices (including other systems).
AC.L1-B.1.II[a]The types of transactions and functions that authorized users are permitted to execute are defined.
AC.L1-B.1.II[b]System access is limited to the defined types of transactions and functions for authorized users.
AC.L1-B.1.III[a]Connections to external systems are identified.
AC.L1-B.1.III[b]The use of external systems is identified.
AC.L1-B.1.III[c]Connections to external systems are verified.
AC.L1-B.1.III[d]The use of external systems is verified.
AC.L1-B.1.III[e]Connections to external systems are controlled/limited.
AC.L1-B.1.III[f]The use of external systems is controlled/limited.
AC.L1-B.1.IV[a]Individuals authorized to post or process information on publicly accessible systems are identified.
AC.L1-B.1.IV[b]Procedures to ensure [FCI] is not posted or processed on publicly accessible systems are identified.
AC.L1-B.1.IV[c]A review process is in place prior to posting of any content to publicly accessible systems.
AC.L1-B.1.IV[d]Content on publicly accessible systems is reviewed to ensure that it does not include [FCI].
AC.L1-B.1.IV[e]Mechanisms are in place to remove and address improper posting of [FCI].