Has your organization implemented a least privilege access model that restricts user access and privileges to only what is necessary for their job functions?
Explanation
Least privilege access control ensures users have only the minimum permissions needed to perform their job functions, reducing the potential attack surface and limiting the impact of compromised accounts. This approach is a core principle of zero trust architecture, where no user or system is inherently trusted, and verification is required for all access requests regardless of location or network.
Evidence of implementation could include access control policies, role definitions with associated permission sets, documentation of periodic access reviews, and logs showing privilege elevation processes. A comprehensive privilege management matrix mapping job roles to specific system access levels would be particularly valuable evidence.
Implementation Example
Restrict access and privileges to the minimum necessary (e.g., zero trust architecture)
ID: PR.AA-05.209
Context
- Function
- PR: PROTECT
- Category
- PR.AA: Identity Management, Authentication, and Access Control
- Sub-Category
- Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
Related questions
- Does your organization have a formal process to request, track, review, and fulfill access requests that includes appropriate approval from system or data owners?
- Does your organization have a formal process for managing the lifecycle of cryptographic certificates, keys, identity tokens, and other credentials?
- Does your organization use unique device identifiers based on immutable hardware characteristics or secure provisioning methods?
- Does your organization physically label all authorized hardware assets with unique identifiers for inventory tracking and servicing purposes?
- Does your organization verify individuals' identities during enrollment using government-issued credentials?
- Does your organization issue unique credentials to each individual user and prohibit credential sharing?

