IDSO-015: User access rights are granted according to the principle of least privilege

Description: Grant a user only sufficient rights and access to perform their duties, while following a least privilege model. Considerations beyond standard rights that should be granted and monitored for applications, devices and systems-

• Governance and segregation of duties
• Policy-based access and entitlements
• Administrative access and entitlements

For access and actions beyond their normal duties, monitoring and traceability should be enforced for applications, devices and systems.

Benefit: Prevents users from having elevated privileges beyond their job role and responsibilities. Reduces the threat landscape by limiting the use of over-privileged access or invalid/obsolete accounts for the purposes of access. Detecting and automatically resolving policy-violating account access to maintain continuous compliance.

Watch the deep dive webinar to learn more about this security outcome.

Implementation Approaches

• Define policies and controls to enforce appropriate access

Security Frameworks

NIST Cybersecurity Framework 1.1

• PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties

NIST SP 800-207; Zero Trust Architecture

• 2.1.3: Access should also be granted with the least privileges needed to complete the task.
• 2.1.4: Least privilege principles are applied to restrict both visibility and accessibility.