03.01.05 Least Privilege

This policy outlines the organization's commitment to the principle of least privilege, ensuring that all users and processes have only the minimum necessary access rights to perform their job duties. This includes access to systems, security functions, and security-relevant information. The policy aims to mitigate the risk of unauthorized access, data breaches, and malicious activities by restricting access to only what is essential.

• A.03.01.05.ODP[01]: security functions for authorized access are defined.
• A.03.01.05.ODP[02]: security-relevant information for authorized access is defined.
• A.03.01.05.ODP[03]: the frequency at which to review the privileges assigned to roles or classes of users is defined.
• A.03.01.05.a: system access for users (or processes acting on behalf of users) is authorized only when necessary to accomplish assigned organizational tasks.
• A.03.01.05.b[01]: access to is authorized.
• A.03.01.05.b[02]: access to is authorized.
• A.03.01.05.c: the privileges assigned to roles or classes of users are reviewed to validate the need for such privileges.
• A.03.01.05.d: privileges are reassigned or removed, as necessary.