Access Control
Requirement to restrict system and data access based on defined roles, responsibilities, and the principle of least privilege.
What Counts
- Role-based access control (RBAC) implementation
- Regular access reviews and recertification
- Segregation of duties enforcement
- Audit logging of access events
What Does Not Count
- Shared credentials or service accounts without oversight
- Access granted without documented justification
Implementing Frameworks
| Framework | Scope | Status | Provisions |
|---|---|---|---|
| ISO 27001 | International | active | 1 |
| NIST Cybersecurity Framework | Federal | active | 1 |