Account usage restrictions for specific time periods and locations shall be taken into account in the organisation's security access policy and applied accordingly.
Privileged users shall be managed, monitored and audited.
Access permissions, rights, and authorisations shall be defined, managed, enforced and reviewed.
It shall be determined who needs access to the organisation's business-critical information and technology and the means to gain access.
Access rights, privileges and authorisations must be restricted to the systems and specific information needed to perform the tasks (the principle of Least Privilege).
No-one shall have administrative privileges for routine day-to-day tasks.
Where technically, operationally, and economically feasible—without compromising system integrity, safety, or compliance—automated mechanisms shall be implemented to manage user accounts on critical ICT and OT systems. Feasibility shall be determined based on system capabilities, integration potential, risk assessment, and business impact.
Separation of duties (SoD) shall be ensured in the management of access rights.
Privileged users shall be managed and monitored.