3.1.6—Access Control - Derived
Derived Requirement
>Control Description
Use non-privileged accounts or roles when accessing nonsecurity functions
>Discussion
This requirement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern the use of non-privileged accounts?
- Under what circumstances can privileged functions be executed?
- What approval process exists for privileged account usage?
- How do you ensure users operate with standard accounts by default?
- What training do users receive on privileged vs non-privileged access?
Technical Implementation:
- How do you enforce use of non-privileged accounts for routine tasks?
- What technical controls require elevation for privileged functions?
- How are privileged accounts separated from standard user accounts?
- What mechanisms log and alert on privileged account usage?
- How do you prevent users from operating with elevated privileges constantly?
Evidence & Documentation:
- Can you demonstrate users logging in with standard accounts?
- What logs show privilege elevation events and justifications?
- What evidence proves privileged accounts are only used when necessary?
- Can you provide reports on privileged vs non-privileged session activity?
- What audit trails track privileged function execution?
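As an added example (not part of the original page and not NIST's own material), the Python script below produces the kind of privileged-vs-non-privileged session report the Evidence questions above ask for, and flags the patterns an assessor would push back on: direct interactive logins to privileged accounts instead of per-command elevation, password logins as root, and sudo used for a nonsecurity function. It runs over constructed syslog-style `sshd` and `sudo` lines embedded in the script. The convention that `root` and accounts ending in `-adm` are privileged, and the list of commands treated as nonsecurity functions, are assumptions chosen for illustration; adapt both to the environment being assessed.

```python
"""Privileged vs non-privileged session report over auth-log lines (added example)."""
import re
from collections import defaultdict

# Constructed sample lines in Linux syslog style; not captured from any real host.
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:12 host1 sshd[2311]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Mar 10 08:03:40 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 08:15:02 host1 sshd[2402]: Accepted password for root from 10.0.0.9 port 50230 ssh2
Mar 10 09:10:11 host1 sshd[2510]: Accepted publickey for bob-adm from 10.0.0.7 port 50301 ssh2
Mar 10 09:12:30 host1 sudo:  bob-adm : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/vim /etc/ssh/sshd_config
Mar 10 09:40:00 host1 sshd[2611]: Accepted publickey for carol from 10.0.0.8 port 50411 ssh2
Mar 10 09:41:15 host1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/less /var/log/syslog
Mar 10 09:41:20 host1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/ls /home/carol
"""

# Assumed naming convention: "root" and any account ending in "-adm" are privileged.
PRIVILEGED_ACCOUNTS = {"root"}
PRIVILEGED_SUFFIX = "-adm"

# Assumed list of commands that are nonsecurity functions and never need elevation.
NONSECURITY_COMMANDS = {"/usr/bin/ls", "/usr/bin/cat", "/usr/bin/id", "/usr/bin/whoami"}

LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")


def is_privileged(account):
    """True for accounts that carry standing administrative rights."""
    return account in PRIVILEGED_ACCOUNTS or account.endswith(PRIVILEGED_SUFFIX)


def parse_auth_log(text):
    """Extract interactive login events and sudo elevation events from syslog lines."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            method, user, src = m.groups()
            events.append({"kind": "login", "user": user, "method": method, "src": src})
            continue
        m = SUDO_RE.search(line)
        if m:
            user, target, cmd = m.groups()
            events.append({"kind": "elevation", "user": user, "target": target, "command": cmd})
    return events


def session_report(events):
    """Per-account counts: interactive logins, logins to a privileged account, sudo elevations."""
    report = defaultdict(lambda: {"logins": 0, "privileged_logins": 0, "elevations": 0})
    for ev in events:
        row = report[ev["user"]]
        if ev["kind"] == "login":
            row["logins"] += 1
            if is_privileged(ev["user"]):
                row["privileged_logins"] += 1
        else:
            row["elevations"] += 1
    return dict(report)


def findings(events, report):
    """Flag activity an assessor would question under 3.1.6."""
    out = []
    # Whole sessions run from a privileged account instead of elevating per task.
    for user, row in report.items():
        if row["privileged_logins"]:
            out.append(f"{user}: {row['privileged_logins']} direct interactive login(s) to a privileged account")
    for ev in events:
        # Shared root password login: no individual accountability for privileged use.
        if ev["kind"] == "login" and ev["user"] == "root" and ev["method"] == "password":
            out.append(f"root: password login from {ev['src']} (shared privileged credential)")
        # Elevation spent on a nonsecurity function the non-privileged account could run itself.
        if ev["kind"] == "elevation" and ev["command"].split()[0] in NONSECURITY_COMMANDS:
            out.append(f"{ev['user']}: elevated to {ev['target']} for nonsecurity command {ev['command']}")
    return out


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    rep = session_report(evs)
    for account, row in rep.items():
        print(f"{account:10} logins={row['logins']} privileged_logins={row['privileged_logins']} elevations={row['elevations']}")
    for f in findings(evs, rep):
        print("FINDING:", f)
```

On the constructed input, `alice` and `carol` follow the control (standard account, elevation per command), but `carol` is flagged once for running `ls` under sudo; `bob-adm` and `root` are flagged because the whole session runs under a privileged account, and the `root` password login is flagged again as a shared credential. In production the same logic would read `journalctl _COMM=sshd`/`_COMM=sudo` output or the SIEM's equivalent, and the privileged-account test would come from directory group membership rather than a name suffix.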