>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

3.1.5Access Control - Derived

Derived Requirement

>Control Description

Employ the principle of least privilege, including for specific security functions and privileged accounts.

>Discussion

Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege.

Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges). Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems.

Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions. Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.

>Cross-Framework Mappings

CMMC

AC.L2-3.1.5
Compare

SCF

IAC-16
Compare
IAC-16.1
Compare
IAC-21
Compare
IAC-21.1
Compare
IAC-21.3
Compare

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is your least privilege policy and standard?
  • How do you determine minimum necessary privileges for each role?
  • What process governs privilege escalation requests?
  • How often are user privileges reviewed and right-sized?
  • Who approves exceptions to least privilege requirements?

Technical Implementation:

  • How do you technically enforce least privilege access?
  • What controls prevent users from having excessive permissions?
  • How are default administrator accounts restricted or disabled?
  • What mechanisms enforce temporary privilege elevation when needed?
  • How do you implement just-in-time privileged access?

Evidence & Documentation:

  • Can you show user permission matrices demonstrating least privilege?
  • What evidence exists of regular privilege reviews and reductions?
  • Can you provide examples of privilege escalation approvals?
  • What audit findings show users only have necessary access?
  • What reports track privileged account usage?

Ask AI

Configure your API key to use AI features.