CCI-002230

Review, on an organization-defined frequency, the privileges assigned to organization-defined roles or classes of users to validate the need for such privileges.

Implementation Guidance

Determine if privileges assigned to [AC-06(07)_ODP[02]; roles or classes of users to which privileges are assigned are defined] are reviewed [AC-06(07)_ODP[01]; the frequency at which to review the privileges assigned to roles or classes of users is defined] to validate the need for such privileges.

Validation Procedures

Examine: [SELECT FROM: Access control policy; procedures addressing least privilege; list of system-generated roles or classes of users and assigned privileges; system design documentation; system configuration settings and associated documentation; validation reviews of privileges assigned to roles or classes or users; records of privilege removals or reassignments for roles or classes of users; system audit records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators]. Test: [SELECT FROM: Mechanisms implementing review of user privileges].

The controls below (if any) were marked by NIST as being related to CCI-002230.