All privileged user accounts are established and administered in accordance with a role-based access scheme that organizes all system and network privileges into roles (e.g., key management, network, system administration, database administration, web-administration). The IAM tracks privileged role assignments.
|MAC / CONF||Impact||Subject Area|
| MACI |
|High||Enclave Computing Environment|
|An organization’s network and the integrity of stored information are at risk if the control of actions, functions, applications and operations of legitimate users are not managed with a role-based access scheme. The unnecessary allocation and use of system privileges significantly increases the vulnerability of systems. Role-based systems are designed to minimize the potential for inside security violations by providing greater control over users' access to information and resources. Also, by assigning individuals to predefined roles, the administrative process of establishing privileges is streamlined and management time for reviewing privilege assignments is reduced.|
| 1. An analysis of how an organization operates shall be accomplished for the basis of defining user roles and privileges. |
2. Systems shall employ a role-based access scheme that enforces separation of duties and network privileges.
3. Privileged user accounts (administrators, root/super users on UNIX, routers and LAN servers, SANs, etc) shall be limited to the absolute minimum number needed to manage the system, and the IAM shall document all privileged role assignments.
4. Privileged user accounts shall be limited to the minimum number of privileges needed to perform their assigned duties.
5. Where technically possible, privileged users should initially log on with a personal user ID and only be granted privileged access by way of group assignment.
6. Privileged and guest accounts shall be renamed from any default.