7.2.1 An access control model is defined and includes granting access as follows:

Defined Approach Requirements

7.2.1 An access control model is defined and includes granting access as follows:

• Appropriate access depending on the entity's business and access needs.
• Access to system components and data resources that is based on users' job classification and functions.
• The least privileges required (for example, user, administrator) to perform a job function.

Customized Approach Objective

Access requirements are established according to job functions following least-privilege and need-to-know principles.

Defined Approach Testing Procedures

7.2.1.a Examine documented policies and procedures and interview personnel to verify the access control model is defined in accordance with all elements specified in this requirement.

7.2.1.b Examine access control model settings and verify that access needs are appropriately defined in accordance with all elements specified in this requirement.

Purpose

Defining an access control model that is appropriate for the entity's technology and access control philosophy supports a consistent and uniform way of allocating access and reduces the possibility of errors such as the granting of excessive rights.

Good Practice

A factor to consider when defining access needs is the separation of duties principle. This principle is intended to prevent fraud and misuse or theft of resources. For example, 1) dividing mission-critical functions and information system support functions among different individuals and/or functions, 2) establishing roles such that information system support activities are performed by different functions/individuals (for example, system management, programming, configuration management, quality assurance and testing, and network security), and 3) ensuring security personnel administering access control functions do not also administer audit functions.

In environments where one individual performs multiple functions, such as administration and security operations, duties may be assigned so that no single individual has end-to-end control of a process without an independent checkpoint. For example, responsibility for configuration and responsibility for approving changes could be assigned to separate individuals.

Definitions

Key elements of an access control model include:

• Resources to be protected (the systems/devices/data to which access is needed),
• Job functions that need access to the resource (for example, system administrator, call-center personnel, store clerk), and
• Which activities each job function needs to perform (for example, read/write or query).

Once job functions, resources, and activities per job functions are defined, individuals can be granted access accordingly.

Examples

Access control models that entities can consider include role-based access control (RBAC) and attribute-based access control (ABAC). The access control model used by a given entity depends on their business and access needs.