Check: DSN06.05
Defense Switched Network (DSN) STIG: DSN06.05 (in versions v2 r8 through v2 r7)
Title
System administrative and maintenance users are assigned accounts with privileges that are not commensurate with their assigned responsibilities. (Cat II impact)
Discussion
Requirement: The IAO will ensure that all systems and devices employ a role-based Discretionary Access Control system used to control access to OAM&P / NM systems, the devices they manage, and their command classes for administrative and maintenance users commensurate with their assigned responsibilities. To ensure system security, all assigned administrator and maintenance user account privileges must be limited to perform their specific function. Furthermore, super user access is to be held to a minimum and assigned to only those most knowledgeable of the system.
Check Content
Have the IAO or SA demonstrate compliance with the requirement; minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.
Fix Text
Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.
Additional Identifiers
Rule ID: SV-9055r1_rule
Vulnerability ID: V-8558
Group Title: SA account privileges are not limited per duties
CCIs
No CCIs are assigned to this check.
Controls
No controls are assigned to this check.