NIST CSF Series #7 – Protect: Access Control

Protect - Access Control

Function:   Protect  (PR)
Category:  Access Control  (AC)

“Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.”

PR.AC-1:  Identities and credentials are managed for authorized devices and users.

Information systems account types include, for example, individual, shared, group, system, guest, emergency, developer, temporary, and service.  The identification of authorized users of information systems and the specification of access privileges reflects the requirements in other security controls.

Administrative privileges require additional scrutiny for account approval and monitoring of use.  Controls to consider revolve around:  Establishing conditions for group and role membership; approval process for requests to create accounts including users, service/system, and administrative accounts; a process for provisioning accounts during onboarding and deprovisioning accounts during separation; and monitoring account use/abuse especially privileged accounts.

 Audit Considerations

Auditors will want to determine if access to servers, workstations, and applications are restricted by unique user logins, passwords that meet policy, and if default account names and passwords have been changed.

Additionally, they may review separation procedures to ensure that credentials are revoked or changed when an employee leaves.  They may spot-check “separation tickets” with live accounts to verify that actual revocation of accounts has occurred.


Applicable CIS Critical Controls:

CIS Control 16 – Account Monitoring and Control

Actively managing the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them is the primary concern of this control.  Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users, thereby making discovery of attacker behavior difficult for network monitors.  Contractors and employees who have been terminated have often been misused this way.  Additionally, malicious insiders and former employees have accessed accounts left behind in a system long after contract expiration, providing them continued and perhaps malicious access to system and sensitive information.


PR.AC-2:  Physical access to assets is managed and protected.

This control refers to the ability to identify individuals (employees, contractors, and others) who have physical access to the facility, where information systems and sensitive information reside, whether through identification badges or cards.  Employees should be taught to look for appropriate identification, especially in critical areas, and to question unauthorized access or report unauthorized access as appropriate.  This control also applies to appropriate physical controls to prevent unauthorized physical access via keys, locks, combinations, or card readers.

Additional monitoring may be necessary in critical areas through video surveillance.  Physical access should be monitored, and access reviewed (e.g. physical access logs to computer rooms, visitor sign-in sheets).

Physical access controls such as keys or key cards should be assigned during onboarding of new employees and collected/deactivated upon separation.

Audit Considerations

Auditors may want to determine whether physical access to critical assets (e.g. server rooms, network closets) are physical restricted.   Are there locked doors, surveillance, logs, visitor escorts, etc.?   Additionally, auditors may ask for the production of policies and procedures that cover authorized access to sensitive areas as well as verification that physical access is removed once an employee is separated or no longer requires that access.


PR.AC-3:  Remote access is managed.

Remote access to organizational information systems by users communicating over external networks (e.g. Internet) is often performed through encrypted virtual private networks (VPN’s) to enhance confidentiality and integrity.  Monitoring sessions for unusual time, data consumption, and other abnormal behavior, allows organizations to detect cyber attacks and ensure ongoing compliance with policies governing remote access.

Managing remote access may also apply to mobile devices that are designed to operate without a physical connection.  Due to the variety of mobile devices with different technical characteristics and capabilities, and that many of these devices are privately owned, managing these devices is challenging.

Last, this applies to external information systems that are outside the boundaries established by the organization and for which the organization has no direct supervision and authority over the application of required security controls.  These may include BYOD, communications over public WiFi, and user provisioned cloud services.  At a minimum, policy should be established and understood by employees of the appropriate use of such services to reduce the risk to sensitive information.

Audit Considerations

Auditors may ask to review policies and procedures related to remote access capabilities and that these are formalized in the organization.  Are there other controls in place such as logging, monitoring, multi-factor authentication, ability to remotely wipe mobile devices, and other controls required on BYOD or personal devices connecting to information systems?


PR.AC-4:  Access permissions are managed, incorporating the principles of least privilege and separation of duties.

This control looks for the appropriate implementation of “least privilege” and separation of duties to prevent end-to-end security control of an information system or application.   The principle of least privilege is applied to individuals and system processes, to ensure that that functional roles and processes operate at privilege levels no higher than necessary to accomplish the required function.

Separation of duties addresses the potential for abuse of authorized privileges and help reduce the risk of malevolent activity without collusion.  Separation of duties includes, for example:  dividing mission functions and information system support functions among different individuals and/or roles; conduction information system support functions with different individuals.

Audit Considerations

Auditors may want to review access rights and permissions to any critical application or system to determine if user access profiles are consistent with their job functions.  Often, auditors will determine if users have local administrative privilege on workstations and if that level of access is required.

Other considerations may include if there is a regular review of access performed or if the use of role-based access controls are in place versus direct user assigned access.   How an organization monitors access to sensitive information by users with elevated privileges may be reviewed as well.

Applicable CIS Critical Controls:

CIS Control 12 –  Boundary Defense

This control comes into play to make sure that network connectivity is limited to what is required to complete the required task.  For example, limiting access to internal workstations from the Internet or opening firewall access to a particular destination host from a specific source and only on the port required.

CIS Control 15 –  Wireless Access Control

Major thefts of data have been initiated by attackers who have gained wireless access to organizations from outside the physical building, bypassing security perimeters by connecting to access points inside the organization.  Employees traveling are sometimes infected through remote exploitation during travel or in WiFi “hotspots”.  These are then used as back doors into an organization.


PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate.

This control defines how information flows between information systems and other networks and what restrictions are applied.  Critical systems should be appropriately segmented and access to them limited to least privilege for users and systems.

This control is often applied using boundary defense such as gateways, routers, firewalls, and encrypted tunnels implemented within a security architecture.  Subnetworks that are physically or logically separated from internal networks (DMZ’s) are often used.  Restricting external traffic (egress filtering) may also be deployed as a mechanism to limit or defeat data exfiltration.

Audit Considerations

Auditors may review network diagrams and/or data flow diagrams to determine if high-value or critical systems are appropriately segmented.  They may also check for a process and documentation that checks if connections between networks and systems are reviewed and approved appropriately.