AC-01-727 Access Control Policy and Procedures

AC-01-727
Access Control Policy and Procedures
Access Control
Protect
Access Control
LOW, MOD, HIGH
P1
Yes
May 20, 2016

Information resource owners are responsible for ensuring that implemented access controls are consistent with the security controls outlined in this catalog. The chief information security officer shall periodically audit implemented access controls of mission critical Agency information resources to validate an appropriate level of security consistent with the information resource’s risk level.

Access provided is not consistent with job function because the access control policy is not documented, communicated, and understood.
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
   1. Access control policy [Assignment: organization-defined frequency]; and
   2. Access control procedures [Assignment: organization-defined frequency].
The organization has a documented, accepted written policy and procedure.
Each state organization shall create, distribute, and implement an account management policy which defines the rules for establishing user identity, administering user accounts, and establishing and monitoring user access to information resources.
Obtain access control policy and procedures and other relevant documents or records, and ascertain if (i) the organization develops and documents access control policy and procedures; (ii) the organization disseminates access control policy and procedures to appropriate elements within the organization; (iii) responsible parties within the organization periodically review access control policy and procedures; and (iv) the organization updates access control policy and procedures when organizational review indicates updates are required.