Navigate

CCI-003614

CCI-003614 Definition

Require organization-defined prerequisites and criteria for role membership.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if [AC-02_ODP[01]; prerequisites and criteria for group and role membership are defined] for group and role membership are required.

Validation Procedures

Examine: [SELECT FROM: Access control policy; personnel termination policy and procedure; personnel transfer policy and procedure; procedures for addressing account management; system design documentation; system configuration settings and associated documentation; list of active system accounts along with the name of the individual associated with each account; list of recently disabled system accounts and the name of the individual associated with each account; list of conditions for group and role membership; notifications of recent transfers, separations, or terminations of employees; access authorization records; account management compliance reviews; system monitoring records; system audit records; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security with information security and privacy responsibilities]. Test: [SELECT FROM: Organizational processes for account management on the system; mechanisms for implementing account management].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003614.

Control	Description
AC-2	a: Define and document the types of accounts allowed and specifically prohibited for use within the system; b: Assign account managers; c: Require [prerequisites and criteria for group and role membership are defined;] for group and role membership; d: Specify: 1: Authorized users of the system; 2: Group and role membership; and 3: Access authorizations (i.e., privileges) and [attributes (as required) for each account are defined;] for each account; e: Require approvals by [personnel or roles required to approve requests to create accounts is/are defined;] for requests to create accounts; f: Create, enable, modify, disable, and remove accounts in accordance with [policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;]; g: Monitor the use of accounts; h: Notify account managers and [personnel or roles to be notified is/are defined;] within: 1: [time period within which to notify account managers when accounts are no longer required is defined;] when accounts are no longer required; 2: [time period within which to notify account managers when users are terminated or transferred is defined; ] when users are terminated or transferred; and 3: [time period within which to notify account managers when system usage or the need to know changes for an individual is defined;] when system usage or need-to-know changes for an individual; i: Authorize access to the system based on: 1: A valid access authorization; 2: Intended system usage; and 3: [attributes needed to authorize system access (as required) are defined;]; j: Review accounts for compliance with account management requirements [the frequency of account review is defined;]; k: Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l: Align account management processes with personnel termination and transfer processes.

Control

Description

AC-2

a: Define and document the types of accounts allowed and specifically prohibited for use within the system;

b: Assign account managers;

c: Require [prerequisites and criteria for group and role membership are defined;] for group and role membership;

d: Specify:
- 1: Authorized users of the system;
- 2: Group and role membership; and
- 3: Access authorizations (i.e., privileges) and [attributes (as required) for each account are defined;] for each account;

e: Require approvals by [personnel or roles required to approve requests to create accounts is/are defined;] for requests to create accounts;

f: Create, enable, modify, disable, and remove accounts in accordance with [policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;];

g: Monitor the use of accounts;

h: Notify account managers and [personnel or roles to be notified is/are defined;] within:
- 1: [time period within which to notify account managers when accounts are no longer required is defined;] when accounts are no longer required;
- 2: [time period within which to notify account managers when users are terminated or transferred is defined; ] when users are terminated or transferred; and
- 3: [time period within which to notify account managers when system usage or the need to know changes for an individual is defined;] when system usage or need-to-know changes for an individual;

i: Authorize access to the system based on:
- 1: A valid access authorization;
- 2: Intended system usage; and
- 3: [attributes needed to authorize system access (as required) are defined;];

j: Review accounts for compliance with account management requirements [the frequency of account review is defined;];

k: Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and

l: Align account management processes with personnel termination and transfer processes.