Security Requirements for 03.01.05 Least Privilege

Organizations employ the principle of least privilege for specific duties and authorized access for users and system processes. Least privilege is applied to the development, implementation, and operation of the system. Organizations consider creating additional processes, roles, and system accounts to achieve least privilege. Security functions include establishing system accounts and assigning privileges, installing software, configuring access authorizations, configuring settings for events to be audited, establishing vulnerability scanning parameters, establishing intrusion detection parameters, and managing audit information. Security-relevant information includes threat and vulnerability information, filtering rules for routers or firewalls, configuration parameters for security services, security architecture, cryptographic key management information, access control lists, and audit information.

  1. 03.01.05.a: Allow only authorized system access for users (or processes acting on behalf of users) that is necessary to accomplish assigned organizational tasks.

  2. 03.01.05.b: Authorize access to [Assignment: organization-defined security functions] and [Assignment: organization-defined security-relevant information].

  3. 03.01.05.c: Review the privileges assigned to roles or classes of users [Assignment: organization-defined frequency] to validate the need for such privileges.

  4. 03.01.05.d: Reassign or remove privileges, as necessary.