AC-03-727 Access Enforcement

AC-03-727
Access Enforcement
Access Control
Protect
Access Control
LOW, MOD, HIGH
P1
Yes
August 17, 2016

Each user of Agency-owned information resources is assigned a unique identifier that may not be shared with anyone else. The unique identifier is required for access to all workstations and enterprise applications. Role-based access control limits the user's ability to access information resources to only those systems for which the user is authorized.

Misconfigured access controls provide unauthorized access to information held in application systems.

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

The organization has implemented role-based access control so that each user's access is restricted to those functions described in the user's job responsibilities.

1. Access to state information resources shall be appropriately managed.
2. Each user of information resources shall be assigned a unique identifier, except for situations where risk analysis demonstrates no need for individual accountability of users. User identification shall be authenticated before the information resources system may grant that user access.

Obtain the access control policy; procedures addressing access enforcement; information system configuration settings and associated documentation; the list of assigned authorizations (user privileges); information system audit records; and other relevant documents or records, and ascertain whether (i) the information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy; and (ii) user privileges on the information system are consistent with the documented user authorizations.
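One way to carry out the second assessment step above (comparing privileges actually assigned on the system with the documented user authorizations), as an added example that is not part of this control record; the user identifiers, role names and both data sets are constructed for illustration:

```python
# Added example (not part of the control record): reconciles the roles
# actually held on a system against the documented user authorizations,
# reporting excess privileges, missing privileges and accounts that have
# no documented authorization at all. All data below is constructed; the
# user identifiers and role names are hypothetical.
from dataclasses import dataclass, field

# Documented authorizations: unique user id -> roles approved for that job.
DOCUMENTED = {
    "jdoe": {"hr_viewer"},
    "asmith": {"finance_entry", "finance_viewer"},
    "rlee": {"sysadmin"},
}

# Privileges as exported from the system (constructed): user id -> roles held.
SYSTEM = {
    "jdoe": {"hr_viewer", "finance_viewer"},   # holds a role not authorized
    "asmith": {"finance_entry"},               # lacks an authorized role
    "svc_backup": {"sysadmin"},                # account absent from authorizations
    "rlee": {"sysadmin"},                      # consistent with policy
}

@dataclass
class Finding:
    user: str
    excess: set = field(default_factory=set)    # roles held but not authorized
    missing: set = field(default_factory=set)   # roles authorized but not held
    undocumented: bool = False                  # no documented authorization

def reconcile(documented, system):
    """Return (findings, dormant): one Finding per account whose privileges
    deviate from the documented authorizations, plus the list of authorized
    users that have no account on the system."""
    findings = []
    for user, held in system.items():
        if user not in documented:
            findings.append(Finding(user, excess=set(held), undocumented=True))
            continue
        approved = documented[user]
        excess, missing = held - approved, approved - held
        if excess or missing:
            findings.append(Finding(user, excess, missing))
    # Authorized users with no account are not an enforcement gap, so they
    # are returned separately rather than as findings.
    dormant = sorted(set(documented) - set(system))
    return findings, dormant

if __name__ == "__main__":
    for finding in reconcile(DOCUMENTED, SYSTEM)[0]:
        print(finding)
```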