
3.1.2 Access Control - Basic

Basic Requirement

>Control Description

Limit system access to the types of transactions and functions that authorized users are permitted to execute.

>Discussion

Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin.

In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades, scheduled maintenance) and mission or business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements).

>Cross-Framework Mappings

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern transactions and functions permitted for authorized users?
  • How do you determine which transactions each user role should perform?
  • What governance process approves changes to user transaction permissions?
  • How often are transaction permissions reviewed and validated?
  • Who oversees role-based access control definitions?

Technical Implementation:

  • How do you implement role-based access control technically?
  • What mechanisms enforce transaction limits per user role?
  • How are privileged functions separated from standard user functions?
  • What systems track which users can execute which transactions?
  • How do you prevent unauthorized transaction execution?
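The Discussion above describes authorizing access by account type and by attributes such as time-of-day, day-of-week and point-of-origin, and the Technical Implementation questions ask how a role-function matrix is actually enforced. The following is an added, self-contained illustration written for this page, not code from NIST, CMMC or any product: it evaluates a request against a role-function matrix plus per-account restrictions, denies by default, and emits an audit record of the kind an assessor would ask for as evidence. The application, roles, functions, accounts, network ranges and timestamps are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple
import ipaddress

# Role-function matrix for a hypothetical invoicing application (constructed sample).
# Each role maps to the only transactions/functions it may execute.
ROLE_FUNCTIONS = {
    "clerk": {"invoice.create", "invoice.view"},
    "approver": {"invoice.view", "invoice.approve"},
    "admin": {"user.create", "user.disable", "invoice.view"},
}


@dataclass(frozen=True)
class Account:
    name: str
    account_type: str                      # individual, shared, service, temporary, ...
    roles: frozenset
    allowed_hours: Tuple[time, time] = (time(0, 0), time(23, 59, 59))  # time-of-day window
    allowed_weekdays: frozenset = frozenset(range(7))                  # 0 = Monday ... 6 = Sunday
    allowed_networks: Tuple[str, ...] = ("0.0.0.0/0",)                 # point-of-origin restriction
    expires_at: Optional[datetime] = None                              # temporary accounts expire


# Constructed sample accounts: an individual clerk restricted to business hours from the
# internal network, and a temporary contractor account that expires on a fixed date.
ACCOUNTS = {
    "alice": Account("alice", "individual", frozenset({"clerk"}),
                     allowed_hours=(time(8, 0), time(18, 0)),
                     allowed_weekdays=frozenset(range(5)),
                     allowed_networks=("10.0.0.0/8",)),
    "contractor": Account("contractor", "temporary", frozenset({"approver"}),
                          expires_at=datetime(2024, 7, 1)),
}


def authorize(account: Account, function: str, source_ip: str, now: datetime):
    """Return (allowed, reason). Every check must pass; anything unmatched is denied."""
    if account.expires_at is not None and now >= account.expires_at:
        return False, "account expired"
    start, end = account.allowed_hours
    if not (start <= now.time() <= end):
        return False, "outside permitted hours"
    if now.weekday() not in account.allowed_weekdays:
        return False, "outside permitted days"
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in ipaddress.ip_network(net) for net in account.allowed_networks):
        return False, "origin not permitted"
    # Union of the functions granted by each of the account's roles.
    permitted = set().union(*(ROLE_FUNCTIONS.get(role, set()) for role in account.roles))
    if function not in permitted:
        return False, "function not permitted for roles %s" % sorted(account.roles)
    return True, "permitted"


def audit_record(account: Account, function: str, source_ip: str, now: datetime,
                 allowed: bool, reason: str) -> str:
    """One log line per decision; these lines are the enforcement evidence."""
    return ('%s user=%s type=%s fn=%s src=%s decision=%s reason="%s"'
            % (now.isoformat(), account.name, account.account_type, function,
               source_ip, "ALLOW" if allowed else "DENY", reason))


def check(account_name: str, function: str, source_ip: str, now: datetime):
    """Look up the account, decide, and return (allowed, audit line)."""
    account = ACCOUNTS.get(account_name)
    if account is None:
        return False, "%s user=%s fn=%s src=%s decision=DENY reason=\"unknown account\"" % (
            now.isoformat(), account_name, function, source_ip)
    allowed, reason = authorize(account, function, source_ip, now)
    return allowed, audit_record(account, function, source_ip, now, allowed, reason)


if __name__ == "__main__":
    monday_morning = datetime(2024, 6, 3, 9, 0)
    for args in [("alice", "invoice.create", "10.1.2.3", monday_morning),
                 ("alice", "invoice.approve", "10.1.2.3", monday_morning),
                 ("alice", "invoice.create", "203.0.113.5", monday_morning),
                 ("contractor", "invoice.approve", "198.51.100.7", datetime(2024, 7, 2, 9, 0))]:
        print(check(*args)[1])
```

The order of checks matters less than the fact that every one of them must pass: a clerk account that is valid, inside its hours and on the internal network is still denied `invoice.approve` because that function is not in its role's row of the matrix. The audit line records which condition failed, which is what the "logs showing transaction authorization enforcement" question in the Evidence section is looking for.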

Evidence & Documentation:

  • Can you show role-function matrices for different user types?
  • What documentation defines permitted transactions per role?
  • Can you provide logs showing transaction authorization enforcement?
  • What evidence demonstrates that users cannot exceed authorized functions?
  • Where is the approval documentation for current transaction permissions?
