AC-6(7)—Review Of User Privileges
MODERATE
HIGH
Control Description
a. Review [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and
b. Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.
Supplemental Guidance
The need for certain assigned user privileges may change over time to reflect changes in organizational mission and business functions, environments of operation, technologies, or threats. A periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions.