Framework Control Sample
ACCESS CONTROL POLICY AND PROCEDURES
Control Satisfaction Matrix
| Framework Standard | Policy Category | Control Objective |
|---|---|---|
| NIST 800-53r4 | Access Control - AC | AC-1 |
Major Document History
| Date | Comment | Who |
|---|---|---|
| 2/05/2020 | Initial Doc | Tharp |
Track Source Framework and Page History
Access Control Policy
Policies are “high level” statements of management's intent to provide guidance and to set guardrails for decisions to achieve rational outcomes. Policies are not meant to be prescriptive, but to provide an overall direction for the organization.
COMPANY shall align with the NIST 800-53r4 Framework to meet appropriate levels of controls, standards and procedures for the broadest set of regulatory compliance including FISMA, HIPAA, FERPA, IRS 1075, PCI.
Well-considered Industry Content that is audit proven.
Control Objective
Control Objectives support the policy by identifying germane requirements that the entity must address. These applicable requirements may be best practices, laws or other legal obligations.
DLZP Group provides and maintains the control framework library to keep you up to date. The section below is un-editable content from the Framework Library.
Standard
Standards establish formal requirements in regards to entity processes, actions and configurations. Standards are narrowly-focused, prescriptive requirements that are quantifiable.
- IT or security personnel, identify data protection and privacy controls that are appropriate to address applicable statutory, regulatory and contractual requirements for this framework to implement and maintain an Identify & Access Management (IAM) program that covers all users, systems and services.
Well-considered Industry Content that is audit proven.
Procedure
Procedures are formal configuration items or methods of performing a task, based on a series of actions conducted in a defined and repeatable manner, Procedures vary widely by entity type so this section is provided to document your organizations internal procedures .
Customer Input
Free form area for customers to document their own internal procedures.
NIST 800-53r4 Crosswalk
The Crosswalk maps NIST 800-53r4 Controls to other control frameworks.
DLZP Group provides a control crosswalk to major industry standard frameworks e.g. ISO270001/02, FedRAMP, HIPAA, HIPAA, COBIT, FERPA
800-53 page 9
Step 1: Categorize the information system based on a FIPS Publication 199 impact assessment;28
Step 2: Select the applicable security control baseline based on the results of the security categorization and apply tailoring guidance (including the potential use of overlays);
Step 3: Implement the security controls and document the design, development, and implementation details for the controls;
Step 4: Assess the security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;29
Step 5: Authorize information system operation based on a determination of risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of the information system and the decision that this risk is acceptable; and
Step 6: Monitor the security controls in the information system and environment of operation on an ongoing basis to determine control effectiveness, changes to the system/environment, and compliance to legislation, Executive Orders, directives, policies, regulations, and standards.