Policy 635: Network and System Access defines the responsibilities for authorizing, administering, and auditing access to state information systems. There are two standards supporting network access policy implementation. They define the security requirements for standard user access controls and for privileged accounts.
Standard 635S1: Access Control Requirements defines the basic requirements for system and application access control including but not limited to account management functions, enforcement mechanisms, and additional requirements for moderate or high-risk systems.
Policy 635 and Standard 635S1 address NIST SP 800-53 security/access controls AC-1, AC-2. AC-3, AC-4, AC-5, AC-6, AC-7, AC-8, AC-11, AC-12, and AC-14.
Standard 635S2: Privileged Access Management provides requirements for managing and protecting privileged access channels by associating privileged abilities with specific users, evaluating privileged rights usage, auditing privileged actions, and terminating suspicious actions.
Standard 635S2 addresses NIST SP 800-53 security controls:
- AC-6: Least Privilege
- AC-17 (CE4): Remote Access Privileged Commands / Access
- AT-3: Role-based Security Training
- AU-9 (CE4): Access by Subset of Privileged Users
The above policy and standards were created to replace legacy Policy 621: Network and System Access.
Risks that are addressed in these documents:
- Reduce network security risk by managing the granting and removal of system access rights.
- Maintain individual accountability for the actions of users of the information system.
- The Principle of Least Privilege is the practice of limiting access rights for users to the bare minimum permissions needed to perform their work. Users should use privileged accounts to perform privileged functions (like creating a new user account in the Active Directory domain) and non-privileged accounts to perform more basic functions (like browsing a website).
View or Download: