AC-6.7: Review of User Privileges

privileges assigned to roles and classes are reviewed frequency to validate the need for such privileges;

privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.

Access control policy

procedures addressing least privilege

list of system-generated roles or classes of users and assigned privileges

system design documentation

system configuration settings and associated documentation

validation reviews of privileges assigned to roles or classes or users

records of privilege removals or reassignments for roles or classes of users

system audit records

system security plan

other relevant documents or records

Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks

organizational personnel with information security responsibilities

system/network administrators

Mechanisms implementing review of user privileges