| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
AC-6(8) |
FedRAMP_High_R4_AC-6(8) |
FedRAMP High AC-6 (8) |
Access Control |
Privilege Levels For Code Execution |
Shared |
n/a |
The information system prevents [Assignment: organization-defined software] from executing at higher privilege levels than users executing the software.
Supplemental Guidance: In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by organizations. |
link |
1 |
| hipaa |
1146.01c2System.23-01.c |
hipaa-1146.01c2System.23-01.c |
1146.01c2System.23-01.c |
11 Access Control |
1146.01c2System.23-01.c 01.02 Authorized Access to Information Systems |
Shared |
n/a |
The organization promotes the development and use of programs that avoid the need to run with elevated privileges and system routines to avoid the need to grant privileges to users. |
|
8 |
| hipaa |
1232.09c3Organizational.12-09.c |
hipaa-1232.09c3Organizational.12-09.c |
1232.09c3Organizational.12-09.c |
12 Audit Logging & Monitoring |
1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures |
Shared |
n/a |
Access for individuals responsible for administering access controls is limited to the minimum necessary based upon each user's role and responsibilities and these individuals cannot access audit functions related to these controls. |
|
21 |
| hipaa |
1276.09c2Organizational.2-09.c |
hipaa-1276.09c2Organizational.2-09.c |
1276.09c2Organizational.2-09.c |
12 Audit Logging & Monitoring |
1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures |
Shared |
n/a |
Security audit activities are independent. |
|
18 |
| hipaa |
1451.05iCSPOrganizational.2-05.i |
hipaa-1451.05iCSPOrganizational.2-05.i |
1451.05iCSPOrganizational.2-05.i |
14 Third Party Assurance |
1451.05iCSPOrganizational.2-05.i 05.02 External Parties |
Shared |
n/a |
Cloud service providers design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain. |
|
21 |
| NIST_SP_800-53_R4 |
AC-6(8) |
NIST_SP_800-53_R4_AC-6(8) |
NIST SP 800-53 Rev. 4 AC-6 (8) |
Access Control |
Privilege Levels For Code Execution |
Shared |
n/a |
The information system prevents [Assignment: organization-defined software] from executing at higher privilege levels than users executing the software.
Supplemental Guidance: In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by organizations. |
link |
1 |
| NIST_SP_800-53_R5 |
AC-6(8) |
NIST_SP_800-53_R5_AC-6(8) |
NIST SP 800-53 Rev. 5 AC-6 (8) |
Access Control |
Privilege Levels for Code Execution |
Shared |
n/a |
Prevent the following software from executing at higher privilege levels than users executing the software: [Assignment: organization-defined software]. |
link |
1 |