Description
Implement a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.
Supplemental Guidance
The reference monitor concept and the theory behind it can be found in Anderson, J.P., Computer Security Technology Planning Study, ESD-TR-73-51, Electronic Systems Division, Air Force Systems Command, Hanscom AFB, MA (October 1972) and in Lampson, B.W., Protection, Proceedings of the 5th Princeton Symposium on Information Sciences and Systems, Princeton University (March 1971). A reference monitor is an abstract machine that mediates all access of subjects to objects based on an access control policy.
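The three properties the control requires (tamperproof, always invoked, small enough to analyse) are shown below in an added example that is not NIST's text or code; the policy, subjects and objects are constructed for illustration, and the mediating logic fits in one short class so it can be reviewed in full.

```python
# Added example: a minimal reference monitor (not NIST's or this page's code).
# The policy, subjects and objects below are constructed for illustration.
from dataclasses import dataclass
from types import MappingProxyType

@dataclass(frozen=True)
class AccessRequest:
    subject: str
    obj: str
    operation: str  # "read" or "write"

class ReferenceMonitor:
    # Mediates every subject-to-object access against an access control policy.
    def __init__(self, policy):
        # Tamperproof: the policy is copied once into read-only views, so no
        # caller can add a subject or permission after construction.
        self.policy = MappingProxyType({
            s: MappingProxyType({o: frozenset(ops) for o, ops in objs.items()})
            for s, objs in policy.items()
        })
        self.audit = []  # every decision is recorded, allowed or denied

    def authorize(self, req):
        # Deny by default: an unknown subject or object yields no permissions.
        perms = self.policy.get(req.subject, {}).get(req.obj, frozenset())
        allowed = req.operation in perms
        self.audit.append((req, allowed))
        return allowed

class ObjectStore:
    # Always invoked: objects are private and reachable only through read()
    # and write(), each of which consults the monitor before touching data.
    def __init__(self, monitor, objects):
        self._monitor = monitor
        self._objects = dict(objects)

    def read(self, subject, obj):
        if not self._monitor.authorize(AccessRequest(subject, obj, "read")):
            raise PermissionError(f"{subject} may not read {obj}")
        return self._objects[obj]

    def write(self, subject, obj, value):
        if not self._monitor.authorize(AccessRequest(subject, obj, "write")):
            raise PermissionError(f"{subject} may not write {obj}")
        self._objects[obj] = value

# Constructed policy: hr_app may read and write payroll; auditor may only read it.
POLICY = {"hr_app": {"payroll": {"read", "write"}}, "auditor": {"payroll": {"read"}}}
MONITOR = ReferenceMonitor(POLICY)
STORE = ObjectStore(MONITOR, {"payroll": "Q1 totals"})
```

The audit list gives the evidence an assessor would ask for: every decision, including denials, passed through the one mediation point.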
Changes from Rev 4
No significant changes from Rev 4.
Compliance Mappings
ISO 27001:2022: A.5.18
ISO 27002:2022: 5.18
COBIT 2019: DSS05
PCI DSS v4.0.1: 7.3
NIS2 Directive: Art. 21(2)(i)
MAS TRM: 9
BSI IT-Grundschutz: ORP.4
BIO2: 5.18
RBI CSF: Annex1.9
UAE IA: T9
CBB TM: TM-6
Qatar NIA: AC
IOSCO Cyber Resilience: PROT-1
BOT Cyber Resilience: Ch2.2
Lloyd's Minimum Standards: MS8.3
ISO 27799: 9.1