Logical access requirements incorporate the principle of least privilege
Context and Guidance: The principle of least privilege is a security requirement that limits authorised users to only the privileges they require to perform their assigned tasks, in accordance with their job responsibilities and roles, and nothing more. Organisations employ the principle of least privilege when assigning access rights and controls for specific duties and systems (including specific functions, ports, protocols, and services). The principle of least privilege also applies to information system processes, ensuring that processes operate at privilege levels no higher than necessary to accomplish required organisational missions and/or functions. Organisations consider the principle of least privilege when creating additional processes, roles, and information system accounts as necessary. Organisations also apply the principle of least privilege to the design, development, implementation, and operation of IT and OT systems. Enforcing the principle of least privilege is an important consideration for the implementation of Zero Trust principles.
Related Practices
• Input From: Implementing ARCHITECTURE-3a provides input that may be useful for implementing this practice.
• Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: ACCESS-2a, ACCESS-2c, ACCESS-2d, ACCESS-2e, ACCESS-2f.