Access controls reflect classification
Demonstrate that access control mechanisms enforce permissions, authentication strength, and authorization levels commensurate with the sensitivity classification of information assets and systems.
Description
What this control does
This control ensures that access permissions, authentication requirements, and authorization levels are directly tied to the sensitivity classification of data and systems (e.g., public, internal, confidential, restricted). Organizations establish access control matrices or role-based access control (RBAC) schemes that enforce stricter authentication, more detailed logging, and tighter least-privilege scoping as the classification level rises. This prevents scenarios where highly sensitive data is reachable with the same weak controls applied to low-value assets, reducing the attack surface and limiting the blast radius of a credential compromise: a stolen password that opens an internal wiki should not also open the restricted data store.
Control objective
What auditing this proves
Demonstrate that access control mechanisms enforce permissions, authentication strength, and authorization levels commensurate with the sensitivity classification of information assets and systems.
Associated risks
Risks this control addresses
- Unauthorized users gain access to sensitive or restricted data using credentials intended for lower-classification resources
- Lateral movement succeeds because authentication and authorization requirements are uniform across disparate data sensitivity levels
- Regulatory compliance violations occur due to inadequate protection of personally identifiable information (PII), protected health information (PHI), or payment card data
- Insider threats escalate privileges or exfiltrate high-value intellectual property without triggering detection thresholds appropriate to data sensitivity
- Accidental data exposure results from users with legitimate access to low-sensitivity data inadvertently accessing high-sensitivity resources without additional challenge
- Audit trails and monitoring fail to capture access events at the fidelity required for forensic investigation of incidents involving high-classification data
- Third-party or contractor access is not appropriately restricted based on data classification, exposing sensitive assets to external parties
Testing procedure
How an auditor verifies this control
- Obtain the organization's data classification policy and supporting procedures, including defined classification levels and corresponding access control requirements for each level
- Request a complete inventory of information assets and systems with their assigned classification labels and responsible data owners
- Select a representative sample spanning all classification levels, ensuring inclusion of at least two assets from the highest sensitivity tier
- For each sampled asset, retrieve the current access control list (ACL), role assignments, authentication policies, and multi-factor authentication (MFA) configurations from identity and access management (IAM) systems
- Cross-reference the documented classification-to-control mapping against the controls actually implemented, identifying any deviation where authentication strength, authorization scope, or logging verbosity falls short of the classification requirement (for example, a restricted asset reachable without MFA, roles broader than the approved role set, or access events logged only at authentication rather than per access)
- Interview system administrators and data owners to confirm their understanding of classification-driven access requirements and verify approval workflows for granting elevated access
- Review access logs for sampled high-classification assets over the prior 90 days and reconcile each access event against the approved role assignments, confirming that every access maps to an authorized principal; missing log sources or retention shorter than the review window are findings in their own right, since they mean the logging requirement for that classification is not met
- Test access enforcement by attempting to access a high-classification resource using a test identity authorized only for lower-classification data (coordinated with the control owner, never a production user's credentials), confirming that access is denied and that the denial is recorded in the access log and reaches the monitoring system that is supposed to alert on it
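The cross-referencing step above can be automated once the classification policy and the observed IAM settings are both in machine-readable form. The following Python script is an added example, not part of the control page or any particular GRC product: it encodes an assumed four-level policy (the level names, control names and thresholds are illustrative stand-ins for an organization's own policy), compares each sampled asset's observed configuration and ACL against the minimum its label demands, and reports every shortfall. The inventory it runs over is constructed inline to stand in for an IAM export.

```python
"""Added example: classification-to-control conformance check.

Every value below is constructed for illustration. The classification
levels, control names and thresholds are assumptions standing in for an
organization's own policy; the comparison logic is the point.
"""
from __future__ import annotations

# Ordered from weakest to strongest; position in the list is the rank.
CLASSIFICATION = ["public", "internal", "confidential", "restricted"]
AUTH_STRENGTH = ["password", "password+otp", "phishing_resistant_mfa"]
LOG_DETAIL = ["none", "auth_events", "all_access"]

# Minimum controls each classification level demands (assumed policy).
POLICY = {
    "public": {"min_auth": "password", "min_logging": "none",
               "max_session_hours": 24, "approval_required": False,
               "external_allowed": True},
    "internal": {"min_auth": "password", "min_logging": "auth_events",
                 "max_session_hours": 12, "approval_required": False,
                 "external_allowed": True},
    "confidential": {"min_auth": "password+otp", "min_logging": "auth_events",
                     "max_session_hours": 8, "approval_required": True,
                     "external_allowed": False},
    "restricted": {"min_auth": "phishing_resistant_mfa", "min_logging": "all_access",
                   "max_session_hours": 1, "approval_required": True,
                   "external_allowed": False},
}


def rank(value: str, scale: list[str]) -> int:
    """Position of value on an ordered scale; unknown values rank lowest."""
    return scale.index(value) if value in scale else -1


def check_asset(asset: dict) -> list[str]:
    """Return one finding per control that falls short of the asset's label."""
    level = asset["classification"]
    req = POLICY[level]
    cfg = asset["observed"]
    findings: list[str] = []
    if rank(cfg["auth"], AUTH_STRENGTH) < rank(req["min_auth"], AUTH_STRENGTH):
        findings.append(f"auth '{cfg['auth']}' weaker than required '{req['min_auth']}'")
    if rank(cfg["logging"], LOG_DETAIL) < rank(req["min_logging"], LOG_DETAIL):
        findings.append(f"logging '{cfg['logging']}' below required '{req['min_logging']}'")
    if cfg["session_hours"] > req["max_session_hours"]:
        findings.append(f"session lifetime {cfg['session_hours']}h exceeds {req['max_session_hours']}h")
    if req["approval_required"] and not cfg["approval_workflow"]:
        findings.append("elevated access granted without an approval workflow")
    # ACL entries whose clearance is below the asset's level: the condition
    # the negative access test in the procedure is meant to catch.
    for p in asset["principals"]:
        if rank(p["clearance"], CLASSIFICATION) < rank(level, CLASSIFICATION):
            findings.append(f"principal '{p['id']}' cleared only to '{p['clearance']}'")
        if p.get("external") and not req["external_allowed"]:
            findings.append(f"external principal '{p['id']}' on a {level} asset")
    return findings


def audit(assets: list[dict]) -> dict[str, list[str]]:
    """Map asset name to its findings, omitting assets that conform."""
    return {a["name"]: f for a in assets if (f := check_asset(a))}


# Constructed inventory: the shape of what an auditor pulls from IAM for a sample.
ASSETS = [
    {"name": "marketing-site", "classification": "public",
     "observed": {"auth": "password", "logging": "none",
                  "session_hours": 24, "approval_workflow": False},
     "principals": [{"id": "web-team", "clearance": "public"}]},
    {"name": "hr-records", "classification": "restricted",
     "observed": {"auth": "password+otp", "logging": "auth_events",
                  "session_hours": 8, "approval_workflow": True},
     "principals": [{"id": "hr-admins", "clearance": "restricted"},
                    {"id": "helpdesk", "clearance": "internal"},
                    {"id": "vendor-payroll", "clearance": "restricted", "external": True}]},
    {"name": "finance-ledger", "classification": "confidential",
     "observed": {"auth": "phishing_resistant_mfa", "logging": "all_access",
                  "session_hours": 4, "approval_workflow": True},
     "principals": [{"id": "finance", "clearance": "confidential"}]},
]

if __name__ == "__main__":
    for name, findings in audit(ASSETS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On the constructed inventory, `marketing-site` and `finance-ledger` conform and `hr-records` produces five findings: weaker-than-required authentication, logging only at authentication, an over-long session, a help-desk group cleared only to internal, and an external vendor on a restricted asset. Ordered scales rather than boolean flags are used deliberately so that a stronger-than-required control never registers as a deviation, and an unrecognised value ranks below everything and is therefore always flagged.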
Where this control is tested