AC-06 Least Privilege

Access Control

Low Moderate High

Description

The information system enforces the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks.

Supplemental Guidance

The organization employs the concept of least privilege for specific duties and information systems (including specific ports, protocols, and services) in accordance with risk assessments as necessary to adequately mitigate risk to organizational operations, organizational assets, and individuals.

Enhancements

(0) None.

MITRE ATT&CK Techniques (270)

ATT&CK v16.1

Techniques mitigated by this control, mapped via CTID.

Initial Access 13 Execution 32 Persistence 81 Privilege Escalation 72 Defense Evasion 99 Credential Access 44 Discovery 6 Lateral Movement 18 Collection 11 Exfiltration 9 Impact 13

Show all 270 techniques grouped by tactic

Compliance Mappings

ISO 27001:2022

A.5.15A.5.18A.8.18A.8.2A.8.3

ISO 27002:2022

5.155.188.188.28.3

COBIT 2019

DSS05DSS06

CIS Controls v8

CIS 12.8CIS 3.14CIS 3.3CIS 5CIS 5.4CIS 6CIS 6.1CIS 6.8

NIST CSF 2.0

PR.AA-05

SOC 2 TSC

CC6.1CC6.1-POF7

PCI DSS v4.0.1

3.47.17.28.6

CSA CCM v4

IAM-04IAM-05IAM-08IAM-09IAM-10IAM-11IAM-16LOG-04

CSA AICM v1

IAM-04IAM-05IAM-08IAM-09IAM-10IAM-11IAM-16IAM-18IAM-19LOG-04MDS-07

FINOS CCC

CCC-C11CCC-C12

ISO 42001:2023

A.3.2A.9.2

IEC 62443

3-3 SR 1.33-3 SR 2.1

NIS2 Directive

Art. 21(2)(i)

MAS TRM

APRA CPS 234

Para 22-23

ASD Essential Eight

E8-5E8-5 ML1E8-5 ML2E8-5 ML3E8-8 ML3

BSI IT-Grundschutz

OPS.1.1.2ORP.4

ANSSI

Hygiene.14Hygiene.15Hygiene.16Hygiene.17SecNumCloud.10.3SecNumCloud.10.4

FINMA Circular 2023/1

IV.B.d(59)IV.B.d(60)IV.C(61)

OSFI B-13

B-13.3.2

EU GDPR

Art.25(2)Art.32(1)(b)Art.5(1)(c)Art.5(1)(f)

EU DORA

Art.9(4)(c)Art.9(4)(d)

BIO2

5.155.188.188.28.3

RBI CSF

Annex1.8ITGRCA.19

FISC Security Guidelines

FISC.T2

LGPD + BCB 4893

BCB.Art.3LGPD.Art.46LGPD.Art.6

HKMA TM-E-1

TME1.8.1TME1.8.2

MLPS 2.0

8.1.10.48.1.4.28.1.5.1

DNB Good Practice

DNB.17.2DNB.7.1

EU CRA

CRA.I.2d

SWIFT CSCF

SWIFT.1.2SWIFT.5.1SWIFT.6.3

SAMA CSF

3.1

NCA ECC

2-2

UAE IA

CBB TM

TM-6

Qatar NIA

CBUAE

CR-4

CBE CSF

CD-1CTO-1

SA JS2

JS2-7.1

CBN CSF

Part3.2Part9

BoG CISD

CISD-VIII

POPIA

s10s19

BoM CTRM

3.3

IOSCO Cyber Resilience

PROT-1

BCBS 239

Principle 11

CPMI-IOSCO PFMI

CG.PRPFMI.P17

FFIEC IS

II.C.13(a)II.C.15II.C.15(a)II.C.15(b)II.C.18II.C.7II.C.7(b)

NYDFS 500

500.6500.7

HIPAA Security Rule

§164.308(a)(3)(i)§164.308(a)(3)(ii)(A)§164.308(a)(3)(ii)(B)§164.308(a)(4)(i)§164.308(a)(4)(ii)(B)§164.308(a)(4)(ii)(C)§164.312(a)(1)§164.314(b)(2)

ECB CROE

CROE.2.3.1

EBA ICT Guidelines

3.4.2

SEBI CSCRF

PR.AA

BOT Cyber Resilience

Ch2.2

CMMC 2.0

10 CFR 73.54

RG5.71-A-AC

TSA Pipeline SD

SD-2 Sec B

IEEE 1686-2022

5.1

DOE C2M2 v2.1

ACCESS

API 1164

Sec 6

AWIA

AWWA Sec 3

IAEA NSS 17-T

Sec 5.3

FIPS 140-3

FIPS 140-3 §7.4

TIBER-EU

TIBER.CONF

PCI HSM

1458

Common Criteria

CC Part 2 — FDPCC Part 2 — FMT

ISAE 3402

Clause 4

Solvency II

EIOPA-ICT-4.4

Lloyd's Minimum Standards

MS1.1MS5.1MS8.3

NAIC Insurance Data Security

4-access4-audit4B

PRA SS1/23

P-IT.1P2.4P3.3P3.6P4.4

FCA SYSC 13

SYSC 13.6.2SYSC 13.7.3

HITRUST CSF v11

01.a13.c13.e

FDA 21 CFR Part 11

§11.10(d)§11.10(g)

FDA Cybersecurity Guidance

SA-1SA-4

ISO 27799

9.19.39.5H.4

NHS DSPT

NDG-1.1NDG-4.1NDG-4.4

OWASP MASVS v2.1

MASVS-PRIVACY-1

CCSS v9.0

1.03.51.04.31.05.11.05.3

MiCA

Art.36(1)Art.40(1)Art.55(1)Art.63(1)Art.65(1)Art.67(1)Art.86(1)Art.92(1)Art.97(1)

Basel SCO60

SCO60.55SCO60.61SCO60.62SCO60.64SCO60.66SCO60.72

BSSC Standards

NOS-05NOS-08TIS-07KMS-04KMS-05KMS-06KMS-09GSP-11

SEC Custody (Digital Assets)

SEC-CD-02SEC-CD-03SEC-CD-04SEC-CD-05SEC-CD-16

ISO 17799 (legacy)

11.2.2

COBIT 4.1 (legacy)

PO4.11