Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties from Cybersecurity Fundamentals framework

SAMMY UI is optimized for resolutions with a width 1024px and higher.

PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)

Maturity Level 1

Maturity Level 2

Maturity Level 3

PR.AC-4.1

PR.AC-4.1: Access permissions for users to the organization’s systems shall be defined and managed.

The following should be considered:
Draw up and review regularly access lists per system (files, servers, software, databases, etc.), possibly through analysis of the Active Directory in Windows-based systems, with the objective of determining who needs what kind of access (privileged or not), to what, to perform their duties in the organization.
Set up a separate account for each user (including any contractors needing access) and require that strong, unique passwords be used for each account.
Ensure that all employees use computer accounts without administrative privileges to perform typical work functions. This includes separation of personal and admin accounts.
For guest accounts, consider using the minimal privileges (e.g. internet access only) as required for your business needs.
Permission management should be documented in a procedure and updated when appropriate.
Use 'Single Sign On' (SSO) when appropriate.

Description

Access permissions for users to the organization’s systems shall be defined and managed.

PR.AC-4.2

PR.AC-4.2: It shall be identified who should have access to the organization's business's critical information and technology and the means to get access.

Means to get access may include: a key, password, code, or administrative privilege.

Description

It shall be identified who should have access to the organization's business's critical information and technology and the means to get access.

PR.AC-4.3

PR.AC-4.3: Employee access to data and information shall be limited to the systems and specific information they need to do their jobs (the principle of Least Privilege).

The principle of Least Privilege should be understood as the principle that a security architecture should be designed so that each employee is granted the minimum system resources and authorizations that the employee needs to perform its function. Consider to:
Not allow any employee to have access to all the business’s information.
Limit the number of Internet accesses and interconnections with partner networks to the strict necessary to be able to centralize and homogenize the monitoring of exchanges more easily.
Ensure that when an employee leaves the business, all access to the business’s information or systems is blocked instantly.

Description

Employee access to data and information shall be limited to the systems and specific information they need to do their jobs (the principle of Least Privilege).

PR.AC-4.4

PR.AC-4.4: Nobody shall have administrator privileges for daily tasks.

Consider the following:
Separate administrator accounts from user accounts.
Do not privilege user accounts to effectuate administration tasks.
Create unique local administrator passwords and disable unused accounts.
Consider prohibiting Internet browsing from administrative accounts.

Description

Nobody shall have administrator privileges for daily tasks.

PR.AC-4.5

PR.AC-4.5: Where feasible, automated mechanisms shall be implemented to support the management of user accounts on the organisation's critical systems, including disabling, monitoring, reporting and deleting user accounts.

Consider separately identifying each person with access to the organization's critical systems with a username to remove generic and anonymous accounts and access.

Description

Where feasible, automated mechanisms shall be implemented to support the management of user accounts on the organisation's critical systems, including disabling, monitoring, reporting and deleting user accounts.

PR.AC-4.6

PR.AC-4.6: Separation of duties (SoD) shall be ensured in the management of access rights.

Separation of duties includes, for example:
dividing operational functions and system support functions among different roles.
conducting system support functions with different individuals.
not allow a single individual to both initiate and approve a transaction (financial or otherwise).
ensuring that security personnel administering access control functions do not also administer audit functions.

Description

Separation of duties (SoD) shall be ensured in the management of access rights.

PR.AC-4.7

PR.AC-4.7: Priviliged users shall be managed and monitored.

Description

Priviliged users shall be managed and monitored.

PR.AC-4.8

PR.AC-4.8: Account usage restrictions for specific time periods and locations shall be taken into account in the organization's security access policy and applied accordingly.

Specific restrictions can include, for example, restricting usage to certain days of the week, time of day, or specific durations of time.

Description

Account usage restrictions for specific time periods and locations shall be taken into account in the organization's security access policy and applied accordingly.

PR.AC-4.9

PR.AC-4.9: Priviliged users shall be managed, monitored and audited.

Description

Priviliged users shall be managed, monitored and audited.