Navigate

CCI-003939

CCI-003939 Definition

Defines the frequency with which to review and reevaluate system privileges.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if: - privileges are reviewed [CM-05(05)_ODP[01]; frequency at which to review privileges is defined]. - privileges are reevaluated [CM-05(05)_ODP[02]; frequency at which to reevaluate privileges is defined].

Validation Procedures

Examine: [SELECT FROM: Configuration management policy; procedures addressing access restrictions for changes to the system; configuration management plan; system design documentation; system architecture and configuration documentation; system configuration settings and associated documentation; user privilege reviews; user privilege recertifications; system component inventory; change control records; system audit records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with information security responsibilities; system/network administrators]. Test: [SELECT FROM: Organizational processes for managing access restrictions to change; mechanisms supporting and/or implementing access restrictions for change].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003939.

Control	Description
CM-5(5)	(a): Limit privileges to change system components and system-related information within a production or operational environment; and (b): Review and reevaluate privileges [one of ].