Least Privilege | AC-6
Description
The principle of least privilege is employed for [organization] information systems. Users (or processes acting on behalf of users) must only have the access necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
- Accounts must be created with a baseline appropriate for the category of (For example, [organization] Users receive a minimum level of access to information resources approved for all employees).
- Information Resource Custodians are responsible for ensuring that access is given to the minimum degree necessary for users to accomplish assigned tasks.
- Administrator and special access accounts are only authorized to perform limited privileged access tasks, such as system maintenance and administration.
- Sensitive tasks such as account management must be restricted to members of specific privileged security groups created for that purpose.
- Information Resource Owners or their designees are responsible for ensuring that users with administrative accounts are aware of the extraordinary responsibilities associated with the use of privileged accounts.
- Privileges should be escalated only when necessary to accomplish assigned tasks.
Last updated: 5/8/2026