Table D.2  Security Management Plan Framework (SMP Framework)

Columns: Category/Subcategory/Element | Control Reference | Control Summary | Interpretation

Category/Subcategory/Element: Access Control (technical), AC

AC-1  Access control policy and procedures
  Control Summary: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.
  Interpretation: Intentionally left blank

AC-2  Account management
  Control Summary: The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization reviews information system accounts [assignment: organization-defined frequency, at least annually].
  Interpretation: Addresses the processes with which to request, adjudicate, grant/deny, create, maintain, revoke, and delete system accounts.

AC-3  Access enforcement
  Control Summary: The information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy.

AC-4  Information flow enforcement

AC-5  Separation of duties
  Control Summary: The information system enforces separation of duties through assigned access authorizations.

AC-6  Least privilege
  Control Summary: The information system enforces the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks.