Your browser has JavaScript turned off.
You must turn it on to proceed.










NORS -- CSRIC Best Practices Result

CSRIC Best Practices Result

Detailed Information for the Best Practice: 9-9-8086

Number 9-9-8086
Priority Critical
Description Network Operators, Service Providers, Public Safety, and Equipment Suppliers based on the principles of least–privilege (the minimum access needed to perform the job) and separation of duties (certain users perform certain tasks) should develop capabilities and processes to determine which users require access to a specific device or application.
Network Type(s) Cable; Internet/Data; Satellite; Wireless; Wireline
Industry Role(s) Service Provider; Network Operator; Equipment Supplier
Keyword(s) Cyber Security;Intrusion Detection;
Reference/Comments These processes should be used to develop criteria for determining who can be authorized to access a specific device or application. The criteria can be used to develop and implement access privilege levels (for example, role-based access, tiered access) for specific devices or applications. These levels may provide authorization for certain users to perform specific functions. Garfinkel, Simson, and Gene Spafford. Personnel Security. Practical Unix & Internet Security, 2nd ed. Sebastopol, CA: O'Reilly and Associates, Inc. 1996. 389-395
King, Christopher M., Curtis E. Dalton, and T. Ertem Osmanoglu. Applying Policies to Derive the Requirements. Security Architecture, Design, Deployment & Operations. Berkley, CA: The McGraw-Hill Companies. 2001. 66-110
National Institute of Standards and Technology. Access Control Mechanisms, Access Control Lists (ACLs). Generally Accepted Principles and Practices for Securing Information Technology Systems. September 1996
Information Security Forum. Access Control Policies. The Forum's Standard of Good Practice,The Standard for Information Security. November 2000.http://www.atis.org/ - T1 276-2003 Operations, Administration, Maintenance, and Provisioning Security Requirements for the Public Telecommunications Network: A Baseline of Security Requirements for the Management Plane: July, 2003.