7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
7.1.2.a Interview personnel responsible for assigning access to verify that access to privileged user IDs is:
• Assigned only to roles that specifically require such privileged access
• Restricted to least privileges necessary to perform job responsibilities.
7.1.2.b Select a sample of user IDs with privileged access and interview responsible management personnel to verify that privileges assigned are:
• Necessary for that individual’s job function
• Restricted to least privileges necessary to perform job responsibilities.
When assigning privileged IDs, it is important to assign individuals only the privileges they need to perform their job (the “least privileges”). For example, the database administrator or backup administrator should not be assigned the same privileges as the overall systems administrator.
Assigning least privileges helps prevent users without sufficient knowledge about the application from incorrectly or accidentally changing application configuration or altering its security settings.
Enforcing least privilege also helps to minimize the scope of damage if an unauthorized person gains access to a user ID.