The principle of least privilege (for example, limiting administrative access for users and service accounts) is enforced
Context and Guidance: Accounts should be created and configured consistent with the principle of least privilege. The principle of least privilege is a security requirement that establishes limitations on authorised users only to the privileges they require to perform assigned tasks in accordance with their job responsibilities and roles and nothing more. The principle of least privilege also applies to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organisational missions and/or functions. In the context of this practice, it is imperative that organisations also apply the principle of least privilege when designing, developing, and implementing IT and OT systems, and ensuring that the mechanisms and controls used to implement the principle of least privilege are feasible and operate as designed. The design and construction of Zero Trust architectures, for example, must establish the principle of least privilege as a key requirement to meet the key objectives of this authentication approach.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: ARCHITECTURE-3a, ARCHITECTURE-3b, ARCHITECTURE-3c, ARCHITECTURE-3d, ARCHITECTURE-3h, ARCHITECTURE-3k.