Funded in part through a cooperative agreement with the U.S. Small Business Administration through
The University of Mississippi. All opinions, conclusions or recommendations expressed are those of the author(s) and do
not necessarily reflect the views of the SBA or The University of Mississippi.
AC.1.001: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Overview
This requirement focuses on account management for systems and applications.
Access Control Policies
Control access between active entities or subjects and passive entities or objects in systems
Access Control
The process of granting or denying resources such as information, processing services, or access to company facilities.
Logical Access Control
Refers to the tools and protocols for managing interactions with computer systems.
Prescribes the type of access that is allowed for users, processes, or devices.
Controls can be built in a number of different ways:
Internal to the operating system
Written into applications
Designed within products such as communication systems or databases
User Access Security
Refers to the set of procedures by which authorized users access the system and unauthorized users are prevented from accessing it.
Assessment Questions
Does the company use passwords?
Does the company have an authentication mechanism?
Does the company require users to logon to gain access?
Are account requests authorized before system access is granted?
Does the company maintain a list of authorized users, defining their identity and role, and sync it with the system, application, and data layers?
Actions
Control who can use company computers and who can log on to the company network.
Require usernames and passwords or other authentication methods before allowing access to system resources.
Limit the services and devices, like printers, that can be accessed by company computers.
Ensure accounts for users are properly authorized before system access is granted.
Manage a comprehensive list of all authorized users and job roles and sync with applications or devices responsible for making access decisions.
Set up your system so that unauthorized users and devices cannot get on the company network.
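The "maintain a list of authorized users and sync it with the systems that make access decisions" action above is something an administrator can check mechanically. The following is an added example, not part of the original guide: it reconciles a constructed HR-style roster against the accounts found on a system and reports every discrepancy an account-management review should act on (unauthorized accounts, departed users still enabled, role drift, authorized users with no account). All names and roles are made up.

```python
from dataclasses import dataclass

# Constructed sample data: the roster of authorized users kept by the
# account-management function, and the accounts actually present on a system.
AUTHORIZED_ROSTER = {
    "alice": {"role": "payroll", "active": True},
    "bob":   {"role": "shipping", "active": True},
    "carol": {"role": "it-admin", "active": False},   # left the company
    "erin":  {"role": "shipping", "active": True},    # hired, account not yet created
}

SYSTEM_ACCOUNTS = {
    "alice": {"role": "payroll", "enabled": True},
    "bob":   {"role": "it-admin", "enabled": True},   # role no longer matches roster
    "carol": {"role": "it-admin", "enabled": True},   # still enabled after departure
    "dave":  {"role": "payroll", "enabled": True},    # no authorization record at all
}

@dataclass(frozen=True)
class Finding:
    account: str
    issue: str

def reconcile(roster: dict, accounts: dict) -> list:
    """Compare the authorized-user roster against live system accounts.

    Returns one Finding per discrepancy. An empty list means the system's
    accounts match the list of people who are authorized to use it.
    """
    findings = []
    for name, acct in accounts.items():
        entry = roster.get(name)
        if entry is None:
            findings.append(Finding(name, "account has no authorization record"))
        elif not entry["active"] and acct["enabled"]:
            findings.append(Finding(name, "departed user still enabled"))
        elif entry["role"] != acct["role"]:
            findings.append(Finding(
                name, f"role drift: roster={entry['role']} system={acct['role']}"))
    for name, entry in roster.items():
        if entry["active"] and name not in accounts:
            findings.append(Finding(name, "authorized user has no account"))
    return findings

if __name__ == "__main__":
    for f in reconcile(AUTHORIZED_ROSTER, SYSTEM_ACCOUNTS):
        print(f"{f.account}: {f.issue}")
```

Run it on a nightly schedule against an export of real accounts and route the findings to whoever owns account approvals; a clean run is evidence for the assessment question above.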
Relevant Personnel
Employees with account management responsibilities
System/network administrators
Employees with responsibilities for managing remote access connections
Employees with information security responsibilities
Employees with access enforcement responsibilities
System developers
Scenarios
You are in charge of IT for your company. You give a username and password to every employee who uses a company computer for their job. No one can use a company computer without a username and a password. You give a username and password only to those employees you know have permission to be on the system. When an employee leaves the company, you disable their username and password immediately.
A coworker from the marketing department tells you their boss wants to buy a new multifunction printer/scanner/fax device and make it available on the company network. You explain that the company controls system and device access to the network, and will stop non-company systems and devices unless they already have permission to access the network. You work with the marketing department to grant permission to the new printer/scanner/fax device to connect to the network, then install it.
AC.1.002: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Overview
Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both.
System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary.
Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin.
In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades, scheduled maintenance) and mission or business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements).
Only allow the users that are permitted to perform actions to access those components of the system.
Users are restricted to only the part of a system that they are explicitly permitted to use.
Assessment Questions
Do you use access control lists to limit access to applications and data based on role and/or identity?
Does the system allow for the separation of access control rights and enforcement of those rights?
Actions
Implement access control lists that permit access to data/functionality based upon a user's role and/or identity.
Separate the duties of creating access control rights and enforcing those rights.
Helps to protect against potential rogue employees
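The overview above lists account attributes beyond role (time-of-day, day-of-week, point-of-origin) and the actions call for role-based access lists with the definition of rights kept separate from their enforcement. This added example, not code from the original guide, shows one way to put those pieces together: rights are defined in data tables that only the account-management function edits, and a single enforcement routine reads them and evaluates each access attempt. Resource names, roles, hours and networks are constructed.

```python
import ipaddress
from datetime import datetime

# Constructed sample policy. These tables are the "definition" of rights and
# are maintained by account management; enforce() below only reads them.
ROLE_PERMISSIONS = {
    "payroll":  {"payroll-app": {"read", "write"}},
    "shipping": {"shipping-app": {"read", "write"}},
    "it-admin": {"payroll-app": {"read"}, "shipping-app": {"read"}},
}
WEEKDAYS = {0, 1, 2, 3, 4}  # Monday..Friday as returned by datetime.weekday()
ACCOUNTS = {
    # account type, role, permitted hours [start, end), days, and source networks
    "alice": {"type": "individual", "role": "payroll",
              "hours": (8, 18), "days": WEEKDAYS, "origins": ["10.0.0.0/8"]},
    "bob":   {"type": "individual", "role": "shipping",
              "hours": (6, 22), "days": WEEKDAYS, "origins": ["10.0.0.0/8"]},
    "carol": {"type": "temporary", "role": "it-admin",
              "hours": (0, 24), "days": WEEKDAYS | {5, 6}, "origins": ["10.0.5.0/24"]},
}

def enforce(user, resource, action, when: datetime, origin: str):
    """Return (allowed, reason) for one access attempt.

    Role permission is checked first, then the attributes the guide lists:
    time-of-day, day-of-week and point-of-origin. The first failing check
    is reported so the denial can be logged with a specific cause.
    """
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False, "unknown account"
    if action not in ROLE_PERMISSIONS.get(acct["role"], {}).get(resource, set()):
        return False, "role lacks permission"
    start, end = acct["hours"]
    if not start <= when.hour < end:
        return False, "outside permitted hours"
    if when.weekday() not in acct["days"]:
        return False, "outside permitted days"
    src = ipaddress.ip_address(origin)
    if not any(src in ipaddress.ip_network(net) for net in acct["origins"]):
        return False, "origin not permitted"
    return True, "allowed"

if __name__ == "__main__":
    tue_10 = datetime(2024, 1, 2, 10, 0)  # a Tuesday during business hours
    print(enforce("alice", "payroll-app", "write", tue_10, "10.1.2.3"))
    print(enforce("bob", "payroll-app", "read", tue_10, "10.1.2.3"))
```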
Relevant Personnel
Personnel with account management responsibilities
System/network administrators
Personnel with responsibilities for managing remote access connections
Personnel with information security responsibilities
Personnel with access enforcement responsibilities
System developers
Scenario
You are in charge of payroll for the company and need access to certain company financial information and systems. You work with IT to set up the system so that when users log onto the company's network, only those employees you allow can use the payroll applications and access payroll data. Because of this good access control, your coworkers in the Shipping Department cannot access information about payroll or paychecks.
AC.1.003: Verify and control/limit connections to and use of external information systems.
Overview
This requirement also addresses the use of external systems for the processing, storage, or transmission of Federal Contract Information (FCI).
This includes accessing cloud services from organizational systems.
e.g., infrastructure as a service, platform as a service, or software as a service.
External Systems
Systems or components of systems over which organizations typically have no direct supervision or authority.
External systems include personally owned systems, components, or devices, and privately owned computing and communications devices.
Assessment Questions
Are only authorized individuals permitted external access?
Are guidelines and restrictions placed on the use of personally owned or external system access?
Do those systems meet the security standards set by the company?
Is the number of access points to the system limited, to allow for better monitoring of inbound and outbound network traffic?
Actions
Ensure via access control policies that only authorized individuals are permitted external access.
Establish restrictions for use of personally owned or external system access.
Ensure that any external systems meet the security standards set by the organization.
Create a limit for the number of connections that are permitted.
This helps with better monitoring of inbound and outbound network traffic
Relevant Personnel
Employees with responsibilities for defining terms and conditions for use of external information systems to access company systems
System/network administrators
Employees with information security responsibilities
Scenario
You help manage IT for your employer. You and your coworkers are working on a big proposal, and all of you will put in extra hours over the weekend to get it done. Part of the proposal includes Federal Contract Information, or FCI. FCI is information that you or your company get from doing work for the Federal government. Because FCI is not shared publicly, you remind your coworkers to use their company laptops, not personal laptops or tablets, when working on the proposal over the weekend.
AC.1.004: Control information posted or processed on publicly accessible information systems.
Overview
This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication.
Individuals authorized to post CUI onto publicly accessible systems are designated.
The content of information is reviewed prior to posting onto publicly accessible systems to ensure that nonpublic information is not included.
Assessment Questions
Do only authorized employees post information on publicly accessible information systems?
Are authorized employees trained to ensure that CUI and non-public information are not posted?
Is public information reviewed annually to ensure that CUI and non-public information are not posted?
Is the proposed content of publicly accessible information reviewed prior to posting?
Actions
Create procedures that permit only authorized personnel to post information on publicly accessible information systems.
Implement training practices that teach authorized employees the proper methods to ensure CUI and other sensitive company information is not posted.
Establish a review procedure before any post is submitted to ensure the content does not expose any CUI.
Relevant Personnel
Employees with responsibilities for managing publicly accessible information posted on company information systems
Employees with information security responsibilities
Scenario
You are head of marketing for your company and want to become better known by your customers. So, you decide to start issuing press releases about your company projects. Your company gets FCI from doing work for the Federal government. FCI is information that is not shared publicly. Because you recognize the need to control sensitive information, including FCI, you carefully review all information before posting it on the company website or releasing it to the public. You allow only certain employees to post to the website.