
Security Control / Objective / Assessment Methods / Assessment Objects

AC-1: Access Control Policy and Procedures
  Objective: Ensure formal policies and procedures are documented, in place, and known.
  Assessment Methods: Examine: Review documents. Interview: Speak with personnel.
  Assessment Objects: Access control policy documents, Training records, Approval records.

AC-2: Account Management
  Objective: Manage system accounts throughout their lifecycle.
  Assessment Methods: Examine: Review procedures and settings. Test: Verify account management functions.
  Assessment Objects: User account lists, System settings and logs, Records of account changes.

AC-3: Access Enforcement
  Objective: Enforce approved authorizations for system access.
  Assessment Methods: Examine: Review configurations and lists. Test: Access attempts with various permissions.
  Assessment Objects: System configuration files, Access control lists, Audit logs.

AC-4: Information Flow Enforcement
  Objective: Control information flow based on authorizations.
  Assessment Methods: Examine: Review system/network configurations. Test: Simulate data transfers.
  Assessment Objects: Network configurations, Data transfer logs, System interfaces.

AC-5: Separation of Duties
  Objective: Divide duties to reduce risk of misuse.
  Assessment Methods: Examine: Review roles/documentation. Interview: Query personnel.
  Assessment Objects: Role definitions, User access lists, Policy enforcement mechanisms.

AC-6: Least Privilege
  Objective: Provide minimum access necessary for duties.
  Assessment Methods: Examine: Review privilege levels. Test: Attempt actions outside normal responsibilities.
  Assessment Objects: User privilege assignments, System audit logs, Access control policies.
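The "Test" steps for AC-3 (attempt access with various permissions) and AC-6 (attempt actions outside normal responsibilities, compared against privilege assignments and audit logs) are the ones an assessor can automate. The script below is an added example, not part of the original assessment table and not tied to any particular product. It assumes a hypothetical system whose authorization decision is reachable through a `check_access(user, permission)` call, role definitions expressed as permission sets, and an audit log in a constructed `key=value` line format; all of the role, user and log data is constructed for illustration.

```python
"""Automated 'Test' steps for AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Added example, not from the original assessment table. The system under test,
its policy model and the audit log format are hypothetical assumptions.
"""
import re

# --- Constructed sample data (not from any real system) ---------------------

# Approved authorizations: role -> permissions the role is supposed to have.
ROLE_PERMISSIONS = {
    "analyst": {"ticket:read", "ticket:comment"},
    "admin": {"ticket:read", "ticket:comment", "ticket:delete", "user:create"},
}
USER_ROLES = {"alice": "analyst", "bob": "admin"}

# What the system actually grants. Constructed to contain one policy violation:
# alice (analyst) has been given ticket:delete.
EFFECTIVE_GRANTS = {
    "alice": {"ticket:read", "ticket:comment", "ticket:delete"},
    "bob": {"ticket:read", "ticket:comment", "ticket:delete", "user:create"},
}

# Constructed audit log lines over the assessment window.
AUDIT_LOG = """\
2024-03-01T09:12:03Z user=alice action=ticket:read result=allow
2024-03-01T09:13:10Z user=alice action=ticket:comment result=allow
2024-03-01T10:01:44Z user=bob action=user:create result=allow
2024-03-02T11:20:09Z user=bob action=ticket:read result=allow
"""

# --- Hypothetical interface to the system under test ------------------------

def check_access(user, permission):
    """Stand-in for the target system's authorization decision (assumed API)."""
    return permission in EFFECTIVE_GRANTS.get(user, set())


# --- AC-3 Test: access attempts with various permissions --------------------

def expected_permissions(user):
    return ROLE_PERMISSIONS[USER_ROLES[user]]


def all_permissions():
    return set().union(*ROLE_PERMISSIONS.values())


def test_access_enforcement(users=USER_ROLES):
    """Attempt every known permission as every user and compare the decision
    with the approved authorizations. Returns a list of findings as
    (user, permission, 'unexpected_grant' | 'unexpected_deny')."""
    findings = []
    for user in users:
        expected = expected_permissions(user)
        for perm in sorted(all_permissions()):
            granted = check_access(user, perm)
            if granted and perm not in expected:
                findings.append((user, perm, "unexpected_grant"))   # AC-3 failure
            elif not granted and perm in expected:
                findings.append((user, perm, "unexpected_deny"))    # over-restriction
    return findings


# --- AC-6 Test: privilege assignments vs. observed use in audit logs --------

_LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$")


def parse_audit_log(text):
    """Parse the constructed audit log format into a list of dict records,
    skipping lines that do not match so one malformed line cannot abort the run."""
    records = []
    for line in text.splitlines():
        m = _LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def unused_privileges(grants, records):
    """For each user, return granted permissions never exercised (result=allow)
    in the log window: candidates for removal under least privilege."""
    used = {}
    for r in records:
        if r["result"] == "allow":
            used.setdefault(r["user"], set()).add(r["action"])
    return {user: perms - used.get(user, set()) for user, perms in grants.items()}


if __name__ == "__main__":
    for finding in test_access_enforcement():
        print("AC-3 finding:", finding)
    for user, perms in unused_privileges(EFFECTIVE_GRANTS, parse_audit_log(AUDIT_LOG)).items():
        print(f"AC-6 review: {user} holds unused privileges {sorted(perms)}")
```

The two checks answer different questions: `test_access_enforcement` detects grants that contradict the approved authorizations (the AC-3 finding is alice's `ticket:delete`), while `unused_privileges` flags grants that are policy-compliant but never exercised (bob's `ticket:comment` and `ticket:delete`), which is evidence for the AC-6 "minimum access necessary" conversation rather than a control failure on its own.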
