IDENTITY AND ACCESS MANAGEMENT - 5360
Policy: Each state entity shall safeguard access to information assets by managing the identities of users and devices and controlling access to resources and data based on a need-to-know basis throughout the identity lifecycle. Each state entity shall establish processes and procedures to ensure:
- Maintenance of user identities, including both provisioning and de-provisioning;
- Enforcement of password policies or more advanced multifactor mechanisms to authenticate users and devices;
- Management of access control rules, limiting access to the minimum necessary to complete defined responsibilities;
- Separation of duties to avoid functional conflicts;
- Periodic recertification of access control rules to identify those that are no longer needed or provide overly broad clearance;
- Use of privileged accounts that can bypass security is restricted and audited;
- Systems to administer access based on roles are defined and installed; and
- Encryption keys and system security certificates are effectively generated, exchanged, stored and safeguarded.
Implementation Controls: NIST SP 800-53: System and Information Integrity (SI)
No Revisions for this item.