|Description||Network Operators, Service Providers, Public Safety, and Equipment Suppliers should develop capabilities and processes, based on the principles of least privilege (the minimum access needed to perform the job) and separation of duties (certain users perform certain tasks), to determine which users require access to a specific device or application.|
|Network Type(s)||Cable; Internet/Data; Satellite; Wireless; Wireline|
|Industry Role(s)||Service Provider; Network Operator; Equipment Supplier|
|Keyword(s)||Cyber Security; Intrusion Detection|
|Reference/Comments||These processes should be used to develop criteria for determining who can be authorized to access a specific device or application. The criteria can be used to develop and implement access privilege levels (for example, role-based access, tiered access) for specific devices or applications. These levels may provide authorization for certain users to perform specific functions.
Garfinkel, Simson, and Gene Spafford. Personnel Security. Practical Unix & Internet Security, 2nd ed. Sebastopol, CA: O'Reilly and Associates, Inc. 1996. 389-395.
King, Christopher M., Curtis E. Dalton, and T. Ertem Osmanoglu. Applying Policies to Derive the Requirements. Security Architecture, Design, Deployment & Operations. Berkeley, CA: The McGraw-Hill Companies. 2001. 66-110.
National Institute of Standards and Technology. Access Control Mechanisms, Access Control Lists (ACLs). Generally Accepted Principles and Practices for Securing Information Technology Systems. September 1996
Information Security Forum. Access Control Policies. The Forum's Standard of Good Practice, The Standard for Information Security. November 2000.
http://www.atis.org/ - T1 276-2003 Operations, Administration, Maintenance, and Provisioning Security Requirements for the Public Telecommunications Network: A Baseline of Security Requirements for the Management Plane: July, 2003.|