Least Privilege Standard Operating Procedures Checklist
Objectives:
- The organization assigns the most restrictive set of rights/privileges or accesses needed by users for the performance of specified tasks; and
- The information system enforces the most restrictive set of rights/privileges or accesses needed by users
Action Steps:
- Examine access control policy, procedures addressing least privilege, list of assigned access authorizations (user privileges), security plan, or other relevant documents;
- Reviewing for the limited rights/privileges or accesses to be authorized for users as deemed appropriate by the organization to enable performance of specified tasks while adequately mitigating risk to the organization, individuals, other organizations, and the nation.
- Interview an agreed-upon representative sample of organizational personnel with responsibilities for assigning the rights/privileges to users (or processes acting on behalf of users);
- Conducting focused discussions for evidence that rights/privileges or accesses represent a minimal set consistent with ability to perform specified tasks and an assessment of the risks incurred if additional rights/privileges are allowed.
- Examine documentation describing the current configuration settings for an agreed-upon specific sample of mechanisms; studying for evidence that the settings are consistent with the intended rights/privileges.
| Attachment | Size |
|---|---|
| least-privilege.jpg | 24.28 KB |
| least-privilege.xls | 14.5 KB |
| least-privilege.pdf | 9.58 KB |
