Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
Asset Type | Security Function | Implementation Groups |
---|---|---|
Data | Protect | 1, 2, 3 |
Dependencies
------------

- Safeguard 3.2: Establish and Maintain a Data Inventory
- Safeguard 4.1: Establish and Maintain a Secure Configuration Process
- Safeguard 5.1: Establish and Maintain an Inventory of Accounts
Inputs
------

- :code:`GV12`: Sensitive Data Inventory
- :code:`GV1`: Enterprise asset inventory
- :code:`GV3`: Configuration Standards
- :code:`GV13`: Portion of data management process addressing data owners
- :code:`GV14`: Portion of data management process addressing data handling
- :code:`GV22`: Inventory of Accounts
Assumptions
-----------
Operations
----------

1. Use the data management process, specifically :code:`GV13` and :code:`GV14`, as guidelines to map user accounts to the sensitive data in :code:`GV12`.

   - Identify and enumerate sensitive data correctly mapped to user accounts (M1)
   - Identify and enumerate sensitive data not correctly mapped to user accounts (M2)

2. For each enterprise asset storing sensitive data, as outlined by :code:`GV12`:

   - Identify and enumerate all assets storing sensitive data (M3)
   - Use :code:`GV3` to check and enumerate assets that are properly configured to allow only the users identified in Operation 1 (M4)
   - Use :code:`GV3` to check and enumerate assets that are improperly configured, i.e. that allow users other than those identified in Operation 1 (M5)
Measures
--------

- M1 = Count of sensitive data correctly mapped to user accounts per the data management process
- M2 = Count of sensitive data not correctly mapped to user accounts per the data management process
- M3 = Count of assets storing sensitive data
- M4 = Count of assets properly configured to support data access control
- M5 = Count of assets improperly configured to support data access control
- M6 = Count of :code:`GV17`
- M7 = :code:`GV13`
- M8 = :code:`GV14`

If either M7 or M8 is 0, this safeguard receives a failing score. The other metrics do not apply.
Metrics
-------

Completeness of User Access Control
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Metric | Percentage of user accounts properly mapped to sensitive data |
Calculation | :code:`M1 / M6` |

Metric | Percentage of assets properly configured to control access to sensitive data |
Calculation | :code:`M4 / M3` |
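As an added worked example, not part of the CIS Controls Assessment Specification text above, the following Python carries Operations 1 and 2 through to the two metrics over constructed inventories. The representation of each input is an assumption: :code:`GV12` is reduced to data element keyed to the asset that stores it, :code:`GV13` to an owner per element, :code:`GV14` to the accounts the handling rules allow per element, and the :code:`GV3` check to the ACL actually observed on each asset. Because the page's M6 counts a global variable that is not among this page's inputs, the example uses M1 + M2 (the number of sensitive data elements) as the denominator; that is also an assumption.

```python
"""Safeguard 3.3 assessment run over constructed inventories.

Added example; not part of the CIS Controls Assessment Specification.
Every inventory below is constructed sample data, and the field layout
of each GV is an assumption reduced to what the operations need.
"""

# GV12: sensitive data inventory, data element -> asset that stores it.
GV12 = {
    "payroll-db":    "hr-sql-01",
    "customer-pii":  "crm-app-02",
    "source-code":   "git-srv-01",
    "board-minutes": "file-srv-03",
}

# GV13: portion of the data management process naming a data owner.
GV13 = {
    "payroll-db": "hr-lead", "customer-pii": "sales-lead",
    "source-code": "eng-lead", "board-minutes": "ciso",
}

# GV14: portion of the process addressing handling, reduced here to the
# accounts allowed to access each element. "contractor-9" is deliberately
# absent from GV22, so source-code cannot be mapped correctly.
GV14 = {
    "payroll-db":    {"hr-lead", "payroll-clerk"},
    "customer-pii":  {"sales-lead", "support-agent"},
    "source-code":   {"eng-lead", "dev-01", "dev-02", "contractor-9"},
    "board-minutes": {"ciso", "ceo"},
}

# GV22: inventory of accounts.
GV22 = {"hr-lead", "payroll-clerk", "sales-lead", "support-agent",
        "eng-lead", "dev-01", "dev-02", "ciso", "ceo", "svc-backup"}

# Result of the GV3 check: the ACL observed on each asset for each data
# element it stores (constructed; collected per platform in practice).
# crm-app-02 grants svc-backup, which the process does not allow.
OBSERVED_ACLS = {
    "hr-sql-01":   {"payroll-db":    {"hr-lead", "payroll-clerk"}},
    "crm-app-02":  {"customer-pii":  {"sales-lead", "support-agent", "svc-backup"}},
    "git-srv-01":  {"source-code":   {"eng-lead", "dev-01", "dev-02"}},
    "file-srv-03": {"board-minutes": {"ciso", "ceo"}},
}


def map_accounts_to_data(gv12, gv13, gv14, gv22):
    """Operation 1. A data element is correctly mapped when the process
    names an owner and a handling rule for it and every account the rule
    grants exists in the account inventory. Returns (correct, incorrect),
    each keyed by data element with the allowed account set as value."""
    correct, incorrect = {}, {}
    for item in gv12:
        allowed = gv14.get(item, set())
        if item in gv13 and allowed and allowed <= gv22:
            correct[item] = allowed
        else:
            incorrect[item] = allowed
    return correct, incorrect


def check_asset_configuration(gv12, mapping, observed):
    """Operation 2. An asset is properly configured when, for every
    sensitive element it stores, the observed ACL grants no account outside
    the set mapped in Operation 1 (granting fewer is still proper). An
    element that failed Operation 1 has no reference set, so the asset
    holding it is counted as improperly configured."""
    proper, improper = [], []
    for asset in sorted(set(gv12.values())):
        items = [d for d, a in gv12.items() if a == asset]
        ok = all(
            d in mapping and observed.get(asset, {}).get(d, set()) <= mapping[d]
            for d in items
        )
        (proper if ok else improper).append(asset)
    return proper, improper


def assess(gv12, gv13, gv14, gv22, observed):
    """Compute M1..M8 and both metrics. M7/M8 are the sizes of the two
    process portions; if either is 0 the safeguard fails outright."""
    m7, m8 = len(gv13), len(gv14)
    if m7 == 0 or m8 == 0:
        return {"M7": m7, "M8": m8, "score": "fail"}
    correct, incorrect = map_accounts_to_data(gv12, gv13, gv14, gv22)
    proper, improper = check_asset_configuration(gv12, correct, observed)
    m = {
        "M1": len(correct), "M2": len(incorrect),
        "M3": len(proper) + len(improper), "M4": len(proper), "M5": len(improper),
        "M6": len(correct) + len(incorrect),  # assumption: stands in for GV17
        "M7": m7, "M8": m8,
        "unmapped_data": sorted(incorrect),
        "misconfigured_assets": improper,
    }
    m["access_control_completeness"] = m["M1"] / m["M6"] if m["M6"] else None
    m["asset_configuration_completeness"] = m["M4"] / m["M3"] if m["M3"] else None
    return m


if __name__ == "__main__":
    for key, value in assess(GV12, GV13, GV14, GV22, OBSERVED_ACLS).items():
        print(f"{key}: {value}")
```

On the constructed data this yields M1 = 3, M2 = 1 (source-code, because its handling rule names an account that is not in the account inventory), M3 = 4, M4 = 2 and M5 = 2 (crm-app-02 for the extra account, git-srv-01 because its element never got a reference set), so the metrics are 0.75 and 0.5. The configuration check is a subset test in one direction only: an ACL that grants fewer accounts than the process allows still passes, since Safeguard 3.3 measures access beyond need to know, not access that is missing.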