Overview
Access control mechanisms exist to ensure that data is accessed and changed only by authorized personnel.
Threat
Lack of proper access controls would allow unauthorized users to gain access to the system. This implementation guide is aimed to help system administrator to implement proper access controls based on user privileges.
Guidance
1. The system, database, and/or application administrators shall create user accounts only upon approval of System Access Request by authorized personnel (e.g., user manager/supervisor/IAM/IAO).
2. The system, database, and/or application administrators shall determine user privileges required to perform their job functions.
3. The system, database, and/or application administrators shall configure the system software (e.g., operating system, database, and application) to which users have access to read or modify data to perform job functions in accordance with DISA STIGs applicable to the software based on the least privileges and need to know.
DoD classifies this control in the subject area of “Enclave Computing Environment” with a impact of “Medium”.