NIST SP 800-53 Rev.5 Access Control
- 0 to 100: You have a lot to do… let's get to work!
- 101 to 200: You are almost there.
- 201 to 235: You've got this!
# | Question/Requirements | Rating |
---|---|---|
POLICY AND PROCEDURES (AC-1) | |
1 | (a) Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: (1) [Selection (one or more): organization-level; mission/business process-level; system-level] access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance, and is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (2) procedures to facilitate the implementation of the access control policy and the associated access controls. (b) Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the access control policy and procedures. (c) Review and update the current access control policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events], and the procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. | 0 |
ACCOUNT MANAGEMENT (AC-2) | |
2 | (a) Define and document the types of accounts allowed and specifically prohibited for use within the system; (b) assign account managers; (c) require [Assignment: organization-defined prerequisites and criteria] for group and role membership; (d) specify authorized users of the system, group and role membership, and access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; (e) require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; (f) create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; (g) monitor the use of accounts; (h) notify account managers and [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when accounts are no longer required, within [Assignment: organization-defined time period] when users are terminated or transferred, and within [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual; (i) authorize access to the system based on a valid access authorization, intended system usage, and [Assignment: organization-defined attributes (as required)]; (j) review accounts for compliance with account management requirements [Assignment: organization-defined frequency]; (k) establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and (l) align account management processes with personnel termination and transfer processes. | 0 |
2(1) | Automated System Account Management: Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. | 0 |
2(2) | Automated Temporary and Emergency Account Management: Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]. | 0 |
2(3) | Disable Accounts: Disable accounts within [Assignment: organization-defined time period] when the accounts (a) have expired; (b) are no longer associated with a user or individual; (c) are in violation of organizational policy; or (d) have been inactive for [Assignment: organization-defined time period]. | 0 |
2(4) | Automated Audit Actions: Automatically audit account creation, modification, enabling, disabling, and removal actions. | 0 |
2(5) | Inactivity Logout: Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out]. | 0 |
2(6) | Dynamic Privilege Management: Implement [Assignment: organization-defined dynamic privilege management capabilities]. | 0 |
2(7) | Privileged User Accounts: (a) Establish and administer privileged user accounts in accordance with [Selection: a role-based access scheme; an attribute-based access scheme]; (b) monitor privileged role or attribute assignments; (c) monitor changes to roles or attributes; and (d) revoke access when privileged role or attribute assignments are no longer appropriate. | 0 |
2(8) | Dynamic Account Management: Create, activate, manage, and deactivate [Assignment: organization-defined system accounts] dynamically. | 0 |
2(9) | Restrictions on Use of Shared and Group Accounts: Only permit the use of shared and group accounts that meet [Assignment: organization-defined conditions for establishing shared and group accounts]. | 0 |
2(10) | Usage Conditions: Enforce [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined system accounts]. | 0 |
2(11) | Account Monitoring for Atypical Usage: (a) Monitor system accounts for [Assignment: organization-defined atypical usage]; and (b) report atypical usage of system accounts to [Assignment: organization-defined personnel or roles]. | 0 |
2(12) | Disable Accounts for High-Risk Individuals: Disable accounts of individuals within [Assignment: organization-defined time period] of discovery of [Assignment: organization-defined significant risks]. | 0 |
ACCESS ENFORCEMENT (AC-3) | |
3 | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | 0 |
3(1) | Dual Authorization: Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]. | 0 |
3(2) | Mandatory Access Control: Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, where the policy (a) is uniformly enforced across the covered subjects and objects within the system; (b) specifies that a subject that has been granted access to information is constrained from (1) passing the information to unauthorized subjects or objects, (2) granting its privileges to other subjects, (3) changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components, (4) choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects, and (5) changing the rules governing access control; and (c) specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] (i.e., they are trusted subjects) such that they are not limited by any defined subset (or all) of the above constraints. | 0 |
3(3) | Discretionary Access Control: Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) pass the information to any other subjects or objects; (b) grant its privileges to other subjects; (c) change security attributes on subjects, objects, the system, or the system's components; (d) choose the security attributes to be associated with newly created or revised objects; or (e) change the rules governing access control. | 0 |
3(4) | Security-Relevant Information: Prevent access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states. | 0 |
3(5) | Role-Based Access Control: Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles]. | 0 |
3(6) | Revocation of Access Authorizations: Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]. | 0 |
3(7) | Controlled Release: Release information outside of the system only if (a) the receiving [Assignment: organization-defined system or system component] provides [Assignment: organization-defined controls]; and (b) [Assignment: organization-defined controls] are used to validate the appropriateness of the information designated for release. | 0 |
HIPAA SECURITY RULE (45 CFR 164) | |
20.2 | 164.312(e)(1) - Has your organization implemented a mechanism to encrypt electronic PHI whenever deemed appropriate? | 0 |
21 | 164.314(a)(1) - Do your business associate contracts or other arrangements include the following? | 0 |
22 | 164.314(b)(1) - Do your group health plan documents include the required provisions, as your business associate contracts/agreements do? | 0 |
23 | 164.316(a) - Does your organization have a risk management program in place? | 0 |
24 | 164.316(b)(1) - Does your organization have policies and procedures in place for an information security management program? | 0 |
25 | 164.316(b)(2)(i) - Do you retain the required documentation for 6 years? | 0 |
26 | 164.316(b)(2)(ii) - Does your organization make PHI-related policies available to those who need them? | 0 |
27 | 164.316(b)(2)(iii) - Do you periodically review and update the policies in response to changes affecting security? | 0 |
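Items 2(2), 2(3) and 2(4) above state requirements for account lifecycle hygiene; the job below shows what enforcing them looks like in code. It is an added example, not code from this assessment page or its publisher. The Account record layout, the job name, and every threshold (24 h temporary lifetime, 4 h emergency lifetime, 90 days of inactivity) are assumptions standing in for the organization-defined values the controls leave open, and the sample directory is constructed.

```python
"""Account-hygiene job illustrating AC-2(2), AC-2(3) and AC-2(4).

Added example, not code from the assessment page. Record layout, job name
and every time threshold are assumptions for organization-defined values.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Account:
    name: str
    kind: str                       # "standard", "temporary", "emergency" or "service"
    owner: Optional[str]            # responsible individual; None = orphaned
    created: datetime
    last_used: Optional[datetime]   # None = never used
    expires: Optional[datetime] = None
    enabled: bool = True
    policy_violation: bool = False  # flagged by an out-of-band review

# Assumed organization-defined periods.
POLICY = {
    "temporary": timedelta(hours=24),   # AC-2(2): temporary account lifetime
    "emergency": timedelta(hours=4),    # AC-2(2): emergency (break-glass) lifetime
    "inactivity": timedelta(days=90),   # AC-2(3)(d)
}

# Fixed clock so the demo run is reproducible (constructed).
DEMO_NOW = datetime(2024, 6, 1, 12, tzinfo=timezone.utc)

def disable_reasons(acct: Account, now: datetime, policy: dict = POLICY) -> list:
    """Every reason the account must be disabled now; an empty list means keep it."""
    if not acct.enabled:
        return []                       # already disabled; nothing to do
    reasons = []
    # AC-2(2): temporary and emergency accounts expire on a clock, used or not
    ttl = policy.get(acct.kind)
    if ttl is not None and now - acct.created >= ttl:
        reasons.append(f"{acct.kind} account older than {ttl}")
    # AC-2(3)(a): explicit expiry date reached
    if acct.expires is not None and now >= acct.expires:
        reasons.append("expired")
    # AC-2(3)(b): no longer tied to a person (service accounts need an owner too)
    if acct.owner is None:
        reasons.append("no associated user")
    # AC-2(3)(c): violation flagged elsewhere
    if acct.policy_violation:
        reasons.append("violation of organizational policy")
    # AC-2(3)(d): inactivity; a never-used account is measured from its creation
    last_seen = acct.last_used or acct.created
    if now - last_seen >= policy["inactivity"]:
        reasons.append(f"inactive for {(now - last_seen).days} days")
    return reasons

def run_job(accounts: list, now: datetime, actor: str = "account-hygiene-job",
            policy: dict = POLICY) -> list:
    """Disable accounts that fail the checks; return one audit record per action (AC-2(4))."""
    audit = []
    for acct in accounts:
        reasons = disable_reasons(acct, now, policy)
        if reasons:
            acct.enabled = False
            audit.append({"ts": now.isoformat(), "actor": actor, "action": "disable",
                          "account": acct.name, "reasons": reasons})
    return audit

def sample_accounts() -> list:
    """Constructed sample directory; none of these are real accounts."""
    utc = timezone.utc
    return [
        Account("alice", "standard", "alice", datetime(2023, 1, 1, tzinfo=utc),
                datetime(2024, 5, 30, tzinfo=utc)),
        Account("tmp-contractor", "temporary", "bob", datetime(2024, 5, 30, 10, tzinfo=utc),
                datetime(2024, 5, 30, 11, tzinfo=utc)),
        Account("breakglass-01", "emergency", "oncall", datetime(2024, 6, 1, 7, tzinfo=utc), None),
        Account("carol", "standard", None, datetime(2023, 1, 1, tzinfo=utc),
                datetime(2024, 5, 25, tzinfo=utc)),
        Account("dave", "standard", "dave", datetime(2023, 1, 1, tzinfo=utc),
                datetime(2024, 1, 15, tzinfo=utc)),
        Account("svc-backup", "service", "ops", datetime(2023, 1, 1, tzinfo=utc),
                datetime(2024, 5, 31, tzinfo=utc)),
        Account("erin", "standard", "erin", datetime(2023, 1, 1, tzinfo=utc),
                datetime(2024, 5, 31, tzinfo=utc), expires=datetime(2024, 5, 31, tzinfo=utc)),
    ]

if __name__ == "__main__":
    for record in run_job(sample_accounts(), DEMO_NOW):
        print(json.dumps(record))   # one JSON line per action, ready for a SIEM
```

Two design points matter for an assessor: the emergency and temporary clocks run from creation, not last use, so a break-glass account that is still being used is still removed when its window closes; and every disable action produces a structured record naming the actor, the account and the reasons, which is the evidence item 2(4) asks for.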
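Items 3(1), 3(5) and 3(6) above describe role-based enforcement, dual authorization for privileged actions, and revocation of authorizations. The policy engine below is an added example of those three together; it is not code from this assessment page or its publisher. Role and permission names are constructed, and "immediately, on the next request" is the assumed organization-defined timing rule for revocations.

```python
"""Role-based enforcement with dual authorization and immediate revocation,
illustrating AC-3(1), AC-3(5) and AC-3(6).

Added example, not code from the assessment page. Roles, permissions and the
"revoke takes effect on the next request" timing rule are assumptions.
"""
from dataclasses import dataclass, field

class AccessDenied(Exception):
    pass

@dataclass
class RbacPolicy:
    role_perms: dict          # role -> set of permitted actions
    user_roles: dict          # user -> set of roles the user is authorized to assume
    dual_auth: set            # actions needing a second, independent authorizer (AC-3(1))
    audit: list = field(default_factory=list)

    def permissions(self, user: str) -> set:
        """Effective permissions, recomputed from current role membership on every call."""
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_perms.get(r, set()) for r in roles))

    def authorize(self, user: str, action: str, approver: str = None) -> bool:
        """Allow the action or raise AccessDenied; every decision is recorded."""
        try:
            if action not in self.permissions(user):
                raise AccessDenied(f"{user} holds no role permitting {action}")
            if action in self.dual_auth:
                # AC-3(1): a second person, distinct from the requester and
                # independently authorized for the same action, must approve
                if approver is None or approver == user:
                    raise AccessDenied(f"{action} requires a second authorizer")
                if action not in self.permissions(approver):
                    raise AccessDenied(f"approver {approver} is not authorized for {action}")
        except AccessDenied as exc:
            self.audit.append(("deny", user, action, approver, str(exc)))
            raise
        self.audit.append(("allow", user, action, approver, ""))
        return True

    def revoke_role(self, user: str, role: str) -> None:
        """AC-3(6): the change is visible to the very next authorize() call because
        nothing caches the permission set (contrast a token that carries its roles)."""
        self.user_roles.get(user, set()).discard(role)
        self.audit.append(("revoke", user, role, None, ""))

def attempt(policy: RbacPolicy, user: str, action: str, approver: str = None) -> bool:
    """Convenience wrapper returning False instead of raising."""
    try:
        return policy.authorize(user, action, approver)
    except AccessDenied:
        return False

def demo_policy() -> RbacPolicy:
    """Constructed sample policy: two DBAs, one analyst, one dual-authorized action."""
    return RbacPolicy(
        role_perms={"dba": {"db.read", "db.drop"}, "analyst": {"db.read"}},
        user_roles={"alice": {"dba"}, "bob": {"dba"}, "carol": {"analyst"}},
        dual_auth={"db.drop"},
    )

if __name__ == "__main__":
    p = demo_policy()
    print(attempt(p, "alice", "db.drop"))                  # denied: no second authorizer
    print(attempt(p, "alice", "db.drop", approver="bob"))  # allowed
    p.revoke_role("alice", "dba")
    print(attempt(p, "alice", "db.read"))                  # denied at once
```

The revocation point is the one most often missed in practice: if roles are baked into a bearer token at login, revoke_role changes nothing until the token expires, and the organization-defined timing rule in 3(6) is silently violated. Checking membership on each request, or keeping token lifetimes shorter than the revocation window, is what makes the control true.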
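Items 3(2) and 3(3) above define mandatory and discretionary policies by what a subject is and is not allowed to do with access it has been given. The pair of small policy classes below is an added example of that contrast, not code from this assessment page or its publisher: the label lattice, the subjects, the objects, and the trusted "secadmin" subject are all constructed.

```python
"""Mandatory versus discretionary enforcement, illustrating AC-3(2) and AC-3(3).

Added example, not code from the assessment page. The label lattice, the
subjects, the objects and the trusted subject "secadmin" are constructed.
"""
from dataclasses import dataclass

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

def dominates(a: Label, b: Label) -> bool:
    """True when label a covers everything label b covers."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.compartments >= b.compartments

class MacPolicy:
    """AC-3(2): labels are set by the security administrator and enforced uniformly.
    Ordinary subjects cannot relabel, cannot delegate, and cannot move information
    to a less-protected object. There is deliberately no grant() method: the policy
    gives a subject nothing of its own to hand out (constraint b.2)."""

    def __init__(self, subject_labels: dict, object_labels: dict, trusted=()):
        self._subjects = dict(subject_labels)
        self._objects = dict(object_labels)
        self._trusted = set(trusted)     # constraint (c): explicitly exempted subjects

    def can_read(self, subject: str, obj: str) -> bool:
        """No read up: the subject's label must dominate the object's."""
        return dominates(self._subjects[subject], self._objects[obj])

    def can_write(self, subject: str, obj: str) -> bool:
        """No write down: the object's label must dominate the subject's, so a
        secret-cleared subject cannot copy what it read into a public object
        (constraint b.1: passing information to unauthorized subjects)."""
        return dominates(self._objects[obj], self._subjects[subject])

    def relabel(self, subject: str, obj: str, new_label: Label) -> bool:
        """Constraints b.3 and b.4: only a trusted subject may change a label."""
        if subject not in self._trusted:
            return False
        self._objects[obj] = new_label
        return True

class DacPolicy:
    """AC-3(3): the owner decides. Owners hold read, write and grant on their
    objects and may pass any of those on; a grantee who is also given 'grant'
    may pass access further (items a and b of the control text)."""

    def __init__(self, owners: dict):
        self._acl = {obj: {owner: {"read", "write", "grant"}} for obj, owner in owners.items()}

    def allowed(self, subject: str, obj: str, perm: str) -> bool:
        return perm in self._acl.get(obj, {}).get(subject, set())

    def grant(self, granter: str, obj: str, grantee: str, perm: str) -> bool:
        """Succeeds only if the granter itself holds 'grant' on the object."""
        if not self.allowed(granter, obj, "grant"):
            return False
        self._acl[obj].setdefault(grantee, set()).add(perm)
        return True

def demo_mac() -> MacPolicy:
    """Constructed labels: alice is cleared secret/HR, bob internal only."""
    hr = frozenset({"hr"})
    return MacPolicy(
        subject_labels={"alice": Label("secret", hr), "bob": Label("internal"),
                        "secadmin": Label("secret", hr)},
        object_labels={"payroll.xlsx": Label("secret", hr), "handbook.md": Label("internal"),
                       "public-site": Label("public")},
        trusted={"secadmin"},
    )

def demo_dac() -> DacPolicy:
    """Constructed ownership: bob owns notes.txt."""
    return DacPolicy(owners={"notes.txt": "bob"})
```

The difference an auditor should look for is where the decision lives: under the MAC policy alice can read payroll.xlsx but cannot relabel it or write its contents to the public site, and bob cannot read it until an administrator lowers the label; under the DAC policy bob, as owner of notes.txt, can open it to carol on his own authority. One caveat on the MAC half: the classic no-write-down rule still lets a lower-cleared subject append to a higher-labelled object without reading it, and real systems usually tighten can_write to equal labels.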