Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Download
Standard view
Full view
of .
Look up keyword
Like this
1Activity
0 of .
Results for:
No results containing your search query
P. 1
Sp800 53 Rev4 Appendix F Markup

Sp800 53 Rev4 Appendix F Markup

Ratings: (0)|Views: 17 |Likes:
Published by Michael Williams

More info:

Published by: Michael Williams on Feb 09, 2013
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

07/11/2013

pdf

text

original

 
 
The following provides a markup copy of Special Publication 800-53, Revision 4, AppendixF. If discrepancies are noted between the markup copy and the Initial Public Draft (IPD)released on February 28th, the IPD takes precedence.
 
Special Publication 800-53 Securityand PrivacyControls for Federal Information Systems and Organizations
________________________________________________________________________________________________
 APPENDIX F-AC PAGE F-4
 
 
Deleted:
Recommended
FAMILY:
ACCESS CONTROL
AC-1 ACCESS CONTROL POLICY AND PROCEDURES
Control:
The organization develops, disseminates, and reviews/updates [
 Assignment: organization-defined frequency
]:a.
 
A formal, documented access control policy that addresses purpose, scope, roles,responsibilities, management commitment, coordination among organizational entities, andcompliance; andb.
 
Formal, documented procedures to facilitate the implementation of the access control policyand associated access controls.
Supplemental Guidance:
This controladdressestheestablishment of policy and procedures for the effective implementation of selected security controls and control enhancements in theACfamily.Policy and proceduresreflectapplicable federal laws, Executive Orders, directives, regulations,policies, standards, and guidance.Security programpolicies and proceduresat the organization levelmay make the need forsystem-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy fororganizations. Theprocedurescan beestablishedfor the security program in general and for particular informationsystems, if  needed.The organizational risk management strategy is a key factor inestablishingpolicyand procedures.Related control: PM-9.
Control Enhancements:
None.
References:
NIST Special Publications 800-12, 800-100.
Priority and Baseline Allocation:
 
 
P1
LOW
AC-1
MOD
AC-1
HIGH
AC-1
 AC-2 ACCOUNT MANAGEMENT
Control:
The organization manages information system accounts, including:a.
 
Identifying account types (e.g., individual,shared/ group, system, application, guest/anonymous, emergency, and temporary);b.
 
Establishing conditions for groupand rolemembership;c.
 
Specifyingauthorized users of the information system, groupandrole membership, and accountaccessauthorizations (i.e.,privileges) for each account; d.
 
Requiring approvalsby [
 Assignment: organization-defined personnel
]for requests tocreate  accounts;e.
 
Creating, enabling, modifying, disabling, and removing accounts(including adding anddeleting members from groups or roles); f.
 
Authorizingand monitoring the use of shared/group,guest/anonymous, emergency,and temporary accounts;g.
 
Notifying account managers:
-
When accounts (including shared/group, emergency, andtemporary accounts)are no longer required;
-
Whenusers are terminatedortransferred;or 
-
When individualinformation system usage or need-to-know changes;
 
Deleted:
CLASS:
TECHNICAL
Deleted:
is intended to produce
Deleted:
that are required
Deleted:
access control
Deleted:
are consistent with
Deleted:
Existing organizational
Deleted:
additional
Deleted:
access control
Deleted:
the organization. Access control
Deleted:
developed
Deleted:
system, when required.
Deleted:
the development of the access control
Deleted:
i.
Deleted:
Identifying
Deleted:
specifying
Deleted:
appropriate
Deleted:
establish
Deleted:
Establishing, activating
Deleted:
Specifically authorizing
Deleted:
when
Deleted:
and wheninformation system
Deleted:
 /need-to-share
 
Special Publication 800-53 Securityand PrivacyControls for Federal Information Systems and Organizations
________________________________________________________________________________________________
 APPENDIX F-AC PAGE F-5
 
 
Deleted:
Recommended
h.
 
Associating access authorizations andother attributes as required by the organizationwitheach information system account;i.
 
Granting access to the system based on:
-
A valid access authorization;
-
Intended system usage; and
-
Other attributes as required by the organizationor associated missions/business functions; j.
 
Reviewing accountsfor compliance with account management requirements[
 Assignment:organization-defined frequency
]; and k.
 
Establishing a process for modifying shared/group account credentials when individuals areremoved from the group.
Supplemental Guidance:
The identification of authorized users of the information system and thespecification of access privilegesreflectsthe requirements in other security controls in the securityplan. Users requiring administrative privileges on information system accounts receive additionalscrutiny byappropriateorganizationalpersonnel (e.g., system owner, mission/business owner, or chief information security officer)responsible for approving such accounts and privileged access.Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, forexample, restrictions on time-of-day, day-of-week, and point-of-origin. Temporary and emergencyaccounts are accounts intended for short-term use. Organizations establish temporary accounts as apart of normal account activation procedures when there is a need for short-term accounts withoutthe demand for immediacy in account activation. Organizations establish emergency accounts inresponse to crisis situations and with the need for rapid account activation. Therefore, emergencyaccount activation may bypass normal account authorization processes. Emergency and temporaryaccounts are not to be confused with infrequently used accounts (e.g., local login accounts used forspecial tasks defined by organizations or when network resources are unavailable). Such accountsremain available and are not subject to automatic termination dates. Conditions for disabling ordeactivating accounts include, for example: (i) when shared/group, emergency, or temporaryaccounts are no longer required; or (ii) when individuals are transferred or terminated.Relatedcontrols: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5,IA- 8,CM-5, CM-6,CM-11,MA-3, MA-4, MA-5,PL-4, SC-13, SI-9.
Control Enhancements:
(1)
ACCOUNT MANAGEMENT 
AUTOMATED SYSTEM ACCOUNT MANAGEMENT 
 
The organization employs automated mechanisms to support the management of informationsystem accounts.(2)
ACCOUNT MANAGEMENT 
REMOVAL OF TEMPORARY 
 / 
EMERGENCY ACCOUNTS 
 The information system automaticallyremovestemporary and emergency accounts after[
Assignment: organization-defined time period for each type of account 
].(3)
ACCOUNT MANAGEMENT 
DISABLE INACTIVE ACCOUNTS 
 The information system automatically disables inactive accounts after [
Assignment: organization- defined time period 
].
 
(4)
ACCOUNT MANAGEMENT 
AUTOMATED AUDIT ACTIONS 
 
The information system automatically audits account creation, modification,enabling,disabling,andremovalactions and notifies, as required,[
Assignment: organization-defined personnel 
]. 
Supplemental Guidance:
Related controls: AU-2, AU-12.
 (5)
ACCOUNT MANAGEMENT 
INACTIVITY LOGOUT 
 / 
TYPICAL USAGE MONITORING 
 The organizationrequiresthat users log out when [
Assignment: organization defined time-period of expected inactivity and/or description of when to log out 
].
Supplemental Guidance:
Related control: SI-4.
 
 
Deleted:
<#>Deactivating: (i) temporaryaccounts that are no longer required; and (ii)accounts of terminated or transferred users;¶Granting access to the system based on: (i) avalid access authorization; (ii) intended systemusage; and (iii)
Deleted:
is consistent with
Deleted:
officials
Deleted:
SA-7
Deleted:
terminates
Deleted:
termination
Deleted:
appropriate individuals.
Deleted:
Requires
Deleted:
<#>Determines normal time-of-day and duration usage forinformation system accounts;¶<#>Monitors for atypical usage ofinformation system accounts; and¶<#>Reports atypical usage todesignated organizational officials.¶

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->