Framework Control Sample

ACCESS CONTROL POLICY AND PROCEDURES

Control Satisfaction Matrix

Framework Standard Policy Category Control Objective
NIST 800-53r4 Access Control - AC AC-1

Major Document History

Date Comment Who
2/05/2020 Initial Doc Tharp

Track Source Framework and Page History


Access Control Policy

Policies are “high level” statements of management's intent to provide guidance and to set guardrails for decisions to achieve rational outcomes. Policies are not meant to be prescriptive, but to provide an overall direction for the organization.

COMPANY shall align with the NIST 800-53r4 Framework to meet appropriate levels of controls, standards and procedures for the broadest set of regulatory compliance, including FISMA, HIPAA, FERPA, IRS 1075 and PCI.

Well-considered Industry Content that is audit proven.


Control Objective

Control Objectives support the policy by identifying germane requirements that the entity must address. These applicable requirements may be best practices, laws or other legal obligations.

DLZP Group provides and maintains the control framework library to keep you up to date. The section below is non-editable content from the Framework Library.


Standard

Standards establish formal requirements regarding entity processes, actions and configurations. Standards are narrowly-focused, prescriptive requirements that are quantifiable.

  • IT or security personnel identify the data protection and privacy controls that are appropriate to address the applicable statutory, regulatory and contractual requirements for this framework, in order to implement and maintain an Identity & Access Management (IAM) program that covers all users, systems and services.


Procedure

Procedures are formal configuration items or methods of performing a task, based on a series of actions conducted in a defined and repeatable manner. Procedures vary widely by entity type, so this section is provided to document your organization's internal procedures.

Customer Input

Free form area for customers to document their own internal procedures.


NIST 800-53r4 Crosswalk

The Crosswalk maps NIST 800-53r4 Controls to other control frameworks.

DLZP Group provides a control crosswalk to major industry standard frameworks, e.g., ISO 27001/02, FedRAMP, HIPAA, COBIT and FERPA.


Source: NIST SP 800-53, page 9

Step 1: Categorize the information system based on a FIPS Publication 199 impact assessment;

Step 2: Select the applicable security control baseline based on the results of the security categorization and apply tailoring guidance (including the potential use of overlays);

Step 3: Implement the security controls and document the design, development, and implementation details for the controls;

Step 4: Assess the security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;

Step 5: Authorize information system operation based on a determination of risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of the information system and the decision that this risk is acceptable; and

Step 6: Monitor the security controls in the information system and environment of operation on an ongoing basis to determine control effectiveness, changes to the system/environment, and compliance to legislation, Executive Orders, directives, policies, regulations, and standards.