7.1 Obtain and examine written policy for data control, and verify that the policy incorporates the following:
- Access rights to privileged User IDs are restricted to least privileges necessary to perform job responsibilities
- Assignment of privileges is based on individual personnel’s job classification and function
- Requirement for an authorization form signed by management that specifies required privileges
- Implementation of an automated access control system