7.2 Establish an access control system for systems components with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.
This access control system must include the following:
7.2.1 Coverage of all system components
7.2.2 Assignment of privileges to individuals based on job classification and function
7.2.3 Default “deny-all” setting
Examine system settings and vendor documentation to verify that an access control system is implemented as follows:
7.2.1 Confirm that access control systems are in place on all system components.
7.2.2 Confirm that access control systems are configured to enforce privileges assigned to individuals based on job classification and function.
7.2.3 Confirm that the access control systems have a default “deny-all” setting.
Note: Some access control systems are set by default to “allow-all”, thereby permitting access unless/until a rule is written to specifically deny it.
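
The three checks above can be run mechanically against an exported policy. The following is an added example, not part of the requirement text: the component names, roles, the policy layout and the reading of 7.2.2 as "grants go to roles, not named users" are all assumptions made for illustration.

```python
# Constructed sample data: component names, roles and the policy layout are
# assumptions for illustration, not a real product's export format.
INVENTORY = ["db-cardholder", "app-payments", "fw-edge"]
POLICIES = {
    "db-cardholder": {"default": "deny", "rules": [
        {"subject": "role:dba", "resource": "cardholder_db", "action": "allow"}]},
    "app-payments": {"default": "allow", "rules": [
        {"subject": "user:jsmith", "resource": "admin_console", "action": "allow"}]},
}


def evaluate(policy, subjects, resource):
    """First matching rule wins; with no match the policy default decides."""
    for rule in policy.get("rules", []):
        if rule["subject"] in subjects and rule["resource"] == resource:
            return rule["action"] == "allow"
    # At evaluation time a missing default fails closed (deny).
    return policy.get("default", "deny") == "allow"


def audit(inventory, policies):
    """Return (requirement, component, finding) tuples for 7.2.1 to 7.2.3."""
    findings = []
    for component in inventory:
        policy = policies.get(component)
        if policy is None:
            findings.append(("7.2.1", component, "no access control policy"))
            continue
        for rule in policy.get("rules", []):
            # Privileges should attach to a job role, not to a named individual.
            if rule["action"] == "allow" and not rule["subject"].startswith("role:"):
                findings.append(("7.2.2", component,
                                 f"grant to {rule['subject']} is not role-based"))
        # The audit requires an explicit deny-all default; absent counts as a finding.
        if policy.get("default") != "deny":
            findings.append(("7.2.3", component, "default is not deny-all"))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY, POLICIES):
        print(*finding, sep=" | ")
    # Unlisted request: refused under deny-all, permitted under allow-all.
    print(evaluate(POLICIES["db-cardholder"], {"role:helpdesk"}, "cardholder_db"))
    print(evaluate(POLICIES["app-payments"], {"role:helpdesk"}, "admin_console"))
```

The last two calls show the situation the note describes: the same unlisted request is refused on the deny-all component and permitted on the allow-all one, because no rule was written to deny it.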