IAC-20: Access Enforcement
Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of "least privilege."
Control Question: Does the organization enforce Logical Access Control (LAC) permissions that conform to the principle of "least privilege?"
General (43)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC6.1 |
| CSA CCM 4 | IAM-05 IAM-16 |
| GovRAMP Core | AC-06 |
| GovRAMP Low | AC-03 |
| GovRAMP Low+ | AC-03 AC-06 |
| GovRAMP Moderate | AC-03 AC-06 |
| GovRAMP High | AC-03 AC-06 |
| ISO 27002 2022 | 5.18 |
| ISO 27017 2015 | 9.2.6 9.4 |
| MITRE ATT&CK 10 | T1003, T1003.001, T1003.002, T1003.003, T1003.004, T1003.005, T1003.006, T1003.007, T1003.008, T1005, T1021, T1021.001, T1021.002, T1021.003, T1021.004, T1021.005, T1021.006, T1025, T1036, T1036.003, T1036.005, T1037, T1037.002, T1037.003, T1037.004, T1037.005, T1041, T1047, T1048, T1048.001, T1048.002, T1048.003, T1052, T1052.001, T1053, T1053.001, T1053.002, T1053.003, T1053.005, T1053.006, T1053.007, T1055, T1055.008, T1055.009, T1056.003, T1059, T1059.001, T1059.002, T1059.003, T1059.004, T1059.005, T1059.006, T1059.007, T1059.008, T1070, T1070.001, T1070.002, T1070.003, T1071.004, T1072, T1078, T1078.002, T1078.003, T1078.004, T1080, T1087.004, T1090, T1090.003, T1091, T1095, T1098, T1098.001, T1098.002, T1098.003, T1098.004, T1110, T1110.001, T1110.002, T1110.003, T1110.004, T1114, T1114.002, T1133, T1134, T1134.001, T1134.002, T1134.003, T1134.005, T1136, T1136.001, T1136.002, T1136.003, T1185, T1187, T1190, T1197, T1199, T1200, T1205, T1205.001, T1210, T1213, T1213.001, T1213.002, T1213.003, T1218, T1218.002, T1218.007, T1218.012, T1219, T1222, T1222.001, T1222.002, T1484, T1485, T1486, T1489, T1490, T1491, T1491.001, T1491.002, T1495, T1498, T1498.001, T1498.002, T1499, T1499.001, T1499.002, T1499.003, T1499.004, T1505, T1505.002, T1505.003, T1505.004, T1525, T1528, T1530, T1537, T1538, T1539, T1542, T1542.001, T1542.003, T1542.004, T1542.005, T1543, T1543.001, T1543.002, T1543.003, T1543.004, T1546.003, T1546.004, T1546.013, T1547.003, T1547.004, T1547.006, T1547.007, T1547.009, T1547.011, T1547.012, T1547.013, T1548, T1548.002, T1548.003, T1550, T1550.002, T1550.003, T1552, T1552.002, T1552.005, T1552.007, T1553.003, T1556, T1556.001, T1556.003, T1556.004, T1557, T1557.001, T1557.002, T1558, T1558.001, T1558.002, T1558.003, T1558.004, T1559, T1559.001, T1561, T1561.001, T1561.002, T1562, T1562.001, T1562.002, T1562.004, T1562.006, T1562.007, T1562.008, T1562.009, T1563, T1563.001, T1563.002, T1564.004, T1565, T1565.001, T1565.003, T1567, T1569, T1569.001, T1569.002, T1570, T1572, T1574, T1574.004, T1574.005, T1574.007, T1574.008, T1574.009, T1574.010, T1574.012, T1578, T1578.001, T1578.002, T1578.003, T1580, T1599, T1599.001, T1601, T1601.001, T1601.002, T1602, T1602.001, T1602.002, T1606, T1606.001, T1606.002, T1609, T1610, T1611, T1612, T1613, T1619 |
| NIST 800-53 R4 | AC-3 AC-6 |
| NIST 800-53 R4 (low) | AC-3 |
| NIST 800-53 R4 (moderate) | AC-3 AC-6 |
| NIST 800-53 R4 (high) | AC-3 AC-6 |
| NIST 800-53 R5 (source) | AC-3 AC-6 |
| NIST 800-53B R5 (low) (source) | AC-3 |
| NIST 800-53B R5 (moderate) (source) | AC-3 |
| NIST 800-53B R5 (high) (source) | AC-3 |
| NIST 800-82 R3 LOW OT Overlay | AC-3 |
| NIST 800-82 R3 MODERATE OT Overlay | AC-3 |
| NIST 800-82 R3 HIGH OT Overlay | AC-3 |
| NIST 800-161 R1 | AC-3 AC-6 |
| NIST 800-161 R1 C-SCRM Baseline | AC-3 |
| NIST 800-161 R1 Flow Down | AC-3 |
| NIST 800-161 R1 Level 2 | AC-3 |
| NIST 800-161 R1 Level 3 | AC-3 |
| NIST 800-171 R2 (source) | 3.1.1 |
| NIST 800-171A (source) | 3.1.1[a] 3.1.1[b] 3.1.1[c] 3.1.1[d] 3.1.1[e] 3.1.1[f] |
| NIST 800-171 R3 (source) | 03.01.01.c.03 03.01.01.d.01 03.01.01.d.02 03.01.02 03.01.03 03.01.04.b 03.01.05.a 03.01.05.b 03.01.06.a 03.09.02.b.02 |
| OWASP Top 10 2021 | A01:2021 |
| PCI DSS 4.0.1 (source) | 7.2.1 7.2.2 7.2.5 7.2.6 |
| PCI DSS 4.0.1 SAQ A-EP (source) | 7.2.2 7.2.5 |
| PCI DSS 4.0.1 SAQ B (source) | 7.2.2 |
| PCI DSS 4.0.1 SAQ B-IP (source) | 7.2.2 |
| PCI DSS 4.0.1 SAQ C (source) | 7.2.2 7.2.5 |
| PCI DSS 4.0.1 SAQ C-VT (source) | 7.2.2 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 7.2.1 7.2.2 7.2.5 7.2.6 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 7.2.1 7.2.2 7.2.5 7.2.6 |
| SWIFT CSF 2023 | 1.2 2.10 5.1 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | IAC-20 |
| SCF CORE ESP Level 1 Foundational | IAC-20 |
| SCF CORE ESP Level 2 Critical Infrastructure | IAC-20 |
| SCF CORE ESP Level 3 Advanced Threats | IAC-20 |
US (26)
APAC (4)
| Framework | Mapping Values |
|---|---|
| APAC India SEBI CSCRF | PR.AA.S15 |
| APAC Japan ISMAP | 9.2.6 9.4 |
| APAC New Zealand HISF 2022 | HHSP10 HHSP40 HML10 HML40 HMS07 HSUP09 |
| APAC New Zealand HISF Suppliers 2023 | HSUP09 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada ITSP-10-171 | 03.01.01.C.03 03.01.01.D.01 03.01.01.D.02 03.01.02 03.01.03 03.01.04.B 03.01.05.A 03.01.05.B 03.01.06.A 03.09.02.B.02 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to enforce Logical Access Control (LAC) permissions that conform to the principle of "least privilege."
Level 1 — Performed Informally
Identification & Authentication (IAC) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Identity & Access Management (IAM) is decentralized where Active Directory (AD), or a similar technology, may be used to centrally manage identities and permissions, but asset/process owners are authorized to operate a decentralized access control program for their specific systems, applications and services.
- IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.
- IT personnel identify and implement IAM cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements.
Level 2 — Planned & Tracked
Identification & Authentication (IAC) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Implement and maintain an Identity & Access Management (IAM) capability for all users to implement “least privileges” Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts. o Govern IAM technologies via RBAC to prohibit privileged access by non-organizational users, unless there is an explicit support contract for privileged IT support services.
- Logical Access Control (LAC) is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for logical access control.
- IT personnel:
- Active Directory (AD), or a similar technology, is primarily used to centrally manage identities and permissions with RBAC. Due to technical or business limitations, asset/process owners are empowered to operate a decentralized access control program for their specific systems, applications and services that cannot be integrated into AD.
- IAM controls are primarily administrative in nature (e.g., policies & standards) to manage accounts and permissions.
Level 3 — Well Defined
Identification & Authentication (IAC) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- An Identity & Access Management (IAM) function, or similar function, centrally manages permissions and implements “least privileges” Role Based Access Control (RBAC) practices for the management of user, group and system accounts, including privileged accounts.
- The Human Resources (HR) department governs personnel management operations and notifies IAM personnel of personnel role changes for RBAC-based provisioning and deprovisioning actions.
- An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and applies the appropriate technology controls to protect the asset and data that conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).
- An IT infrastructure team, or similar function, ensures that statutory, regulatory and contractual cybersecurity and data privacy obligations are addressed to ensure secure configurations are designed, built and maintained.
- Active Directory (AD), or a similar technology, is used to centrally manage identities and permissions. Only by exception due to a technical or business limitation are solutions authorized to operate a decentralized access control program for systems, applications and services.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to enforce Logical Access Control (LAC) permissions that conform to the principle of "least privilege."
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to enforce Logical Access Control (LAC) permissions that conform to the principle of "least privilege."
Assessment Objectives
- IAC-20_A01 approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.
- IAC-20_A02 the principle of least privilege is employed, allowing only authorized access for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
- IAC-20_A03 authorized users are identified.
- IAC-20_A04 processes acting on behalf of authorized users are identified.
- IAC-20_A05 devices (including other systems) authorized to connect to the system are identified.
- IAC-20_A06 system access is limited to authorized users.
- IAC-20_A07 system access is limited to processes acting on behalf of authorized users.
- IAC-20_A08 system access is limited to authorized devices (including other systems).
- IAC-20_A09 systems and system components included in the scope of the specified enhanced security requirements are identified.
- IAC-20_A10 systems and system components are included in the scope of the specified enhanced security requirements.
- IAC-20_A11 systems and system components that are not included in systems and system components are segregated in purpose-specific networks.
Technology Recommendations
Micro/Small
- Microsoft Active Directory (https://microsoft.com)
- Microsoft Entra (https://microsoft.com)
- AWS IAM (https://aws.amazon.com)
Small
- Microsoft Active Directory (https://microsoft.com)
- Microsoft Entra (https://microsoft.com)
- AWS IAM (https://aws.amazon.com)
Medium
- Microsoft Active Directory (https://microsoft.com)
- Microsoft Entra (https://microsoft.com)
- AWS IAM (https://aws.amazon.com)
Large
- Microsoft Active Directory (https://microsoft.com)
- Microsoft Entra (https://microsoft.com)
- AWS IAM (https://aws.amazon.com)
Enterprise
- Microsoft Active Directory (https://microsoft.com)
- Microsoft Entra (https://microsoft.com)
- AWS IAM (https://aws.amazon.com)