Control: The organisation employs the principle of least privilege, allowing only authorised accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organisational missions and business functions.
Supplemental Guidance: Organisations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organisational missions/business functions. Organisations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organisations also apply least privilege to the development, implementation, and operation of organisational information systems.
Least Privilege Control Enhancements:
A-6 (1) Least Privilege - Authorise access to security functions
The organisation explicitly authorises access to [Assignment: organisation-defined security functions (deployed in hardware, software, and firmware) and security-relevant information].
A-6 (2) Least Privilege - Non-privileged access for non-security functions
The organisation requires that users of information system accounts, or roles, with access to [Assignment: organisation-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing non-security functions.
A-6 (3) Least Privilege - Network access to privileged commands
The organisation authorises network access to [Assignment: organisation-defined privileged commands] only for [Assignment: organisation-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system.
A-6 (4) Least Privilege - Separate processing domains
The information system provides separate processing domains to enable finer-grained allocation of user privileges.
A-6 (5) Least Privilege - Privileged accounts
The organisation restricts privileged accounts on the information system to [Assignment: organisation-defined personnel or roles].
A-6 (6) Least Privilege - Privileged access by non-organisational users
The organisation prohibits privileged access to the information system by non-organisational users.
A-6 (7) Least Privilege - Review of user privileges
The organisation:
(a) Reviews [Assignment: organisation-defined frequency] the privileges assigned to [Assignment: organisation-defined roles or classes of users] to validate the need for such privileges; and
(b) Reassigns or removes privileges, if necessary, to correctly reflect organisational mission/business needs.
A-6 (8) Least Privilege - Privilege levels for code execution
The information system prevents [Assignment: organisation-defined software] from executing at higher privilege levels than users executing the software.
A-6 (9) Least Privilege - Auditing use of privileged functions
The information system audits the execution of privileged functions.
A-6 (10) Least Privilege - Prohibit non-privileged users from executing privileged functions
The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.