
Adhering to NIST CSF PR.AC-4 with Regular Access Reviews

In February 2013, President Barack Obama issued Executive Order 13636, directing improvements to the cybersecurity of critical infrastructure. Congress reinforced the order with the Cybersecurity Enhancement Act of 2014, which formally tasked the National Institute of Standards and Technology (NIST) with developing a voluntary Cybersecurity Framework (CSF); version 1.0 was published in February 2014 and version 1.1 in April 2018. The NIST CSF 1.1 is organized around five primary functions: Identify, Protect, Detect, Respond, and Recover. These five pillars of cybersecurity management, when employed properly, enable a high level of risk management and response, and because each function is further divided into categories and subcategories, the scope of the framework is vast and detailed.

NIST CSF 1.1 PR.AC-4 states: "Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties."

A subcategory of the framework's Protect function (under the Identity Management, Authentication and Access Control category), PR.AC-4 addresses how user permissions and authorizations are governed. Its outcome, that "access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties," is central to identity governance and information security within an organization.

To meet this outcome, an organization must perform regular access reviews. The framework itself does not fix a cadence; Eric C. Thompson recommends reviewing every six months in his book Building a HIPAA-Compliant Cybersecurity Program: Using NIST 800-30 and CSF.

In addition, any organization that handles sensitive information and must comply with federal regulations is expected to review which users are authorized to access sensitive data or applications. Least privilege means that users should hold only the minimum access required to carry out their responsibilities. Separation of duties means that no single person should control every step of a sensitive process (for example, the person who requests or creates a transaction should not also be the one who approves it, and the person who grants access should not be the one who reviews that grant), so that one compromised or malicious account cannot complete a harmful action on its own.

During the periodic access review process, it should be confirmed, against an authoritative source such as the HR system, that each user still requires access to each specific application, data set, or component of infrastructure. Since it is not uncommon for employees to change roles or for their employment status to change, it is important to verify that these individuals do not still hold access that is no longer relevant to their responsibilities; access accumulated from former roles and accounts left behind by departed staff are the most common findings. Individuals with access to extraneous information pose a higher security risk that should be reduced whenever possible.

Once the access review has been completed, any access found to be unnecessary should be removed promptly; the NIST CSF itself does not set a deadline, and the target recommended here is removal within ten days of the review. It is essential that organizations quickly remedy any discrepancies in access privileges, otherwise they may violate federal regulations or increase the likelihood and impact of a data breach.
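The review-and-remediate process described above can be expressed as a simple reconciliation: compare what systems currently grant against an authoritative roster and a least-privilege baseline per role, flag separation-of-duties conflicts, and turn the findings into a revocation plan with a due date. The following script is an added example written for this page; it is not YouAttest code and not part of the NIST framework. The roster, role baselines, SoD rule, entitlement names and grace period are all constructed sample data.

```python
"""Toy periodic access review (added example, not YouAttest code).

Reconciles current entitlements against an HR roster and per-role
least-privilege baselines, flags separation-of-duties conflicts, and
produces a revocation plan. All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample: the authoritative identity source (HR roster).
HR_ROSTER = {
    "alice": {"status": "active", "role": "ap_clerk"},
    "bob":   {"status": "active", "role": "ap_manager"},
    "carol": {"status": "active", "role": "developer"},   # moved here from ap_manager
    "dave":  {"status": "terminated", "role": "ap_clerk"},
}

# Constructed least-privilege baseline: what each role needs, nothing more.
ROLE_BASELINE = {
    "ap_clerk":   {"erp:invoice.create"},
    "ap_manager": {"erp:invoice.approve", "erp:report.read"},
    "developer":  {"git:push", "ci:run"},
}

# Constructed separation-of-duties rule: no one person may hold both grants.
SOD_CONFLICTS = [("erp:invoice.create", "erp:invoice.approve")]

# Constructed sample: what the systems actually grant today.
CURRENT_ENTITLEMENTS = {
    "alice": {"erp:invoice.create", "erp:invoice.approve"},  # SoD conflict
    "bob":   {"erp:invoice.approve", "erp:report.read"},     # matches baseline
    "carol": {"git:push", "ci:run", "erp:invoice.approve"},  # stale grant from old role
    "dave":  {"erp:invoice.create"},                         # terminated user
    "eve":   {"erp:report.read"},                            # no HR record (orphan)
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str                 # terminated | orphan | excess | sod
    entitlements: frozenset   # grants the reviewer must act on
    detail: str


def review_access(roster, baseline, sod_rules, entitlements):
    """Return one Finding per problem a reviewer should decide on."""
    findings = []
    for user, grants in sorted(entitlements.items()):
        person = roster.get(user)
        if person is None:
            findings.append(Finding(user, "orphan", frozenset(grants),
                                    "no HR record; remove all access"))
            continue
        if person["status"] != "active":
            findings.append(Finding(user, "terminated", frozenset(grants),
                                    f"status={person['status']}; remove all access"))
            continue
        allowed = baseline.get(person["role"], set())
        excess = set(grants) - allowed          # least-privilege check
        if excess:
            findings.append(Finding(user, "excess", frozenset(excess),
                                    f"not in baseline for role {person['role']}"))
        for a, b in sod_rules:                  # separation-of-duties check
            if a in grants and b in grants:
                findings.append(Finding(user, "sod", frozenset({a, b}),
                                        f"holds both {a} and {b}"))
    return findings


def revocation_plan(findings):
    """Collapse findings into the grants to remove, per user.

    SoD findings are left for a human decision about which grant to keep;
    in practice the excess-over-baseline finding usually already covers it.
    """
    plan = {}
    for f in findings:
        if f.kind == "sod":
            continue
        plan.setdefault(f.user, set()).update(f.entitlements)
    return plan


def revocation_deadline(review_date_iso, grace_days=10):
    """ISO date by which revocations are due; 10 days is this page's target."""
    return (date.fromisoformat(review_date_iso) + timedelta(days=grace_days)).isoformat()


if __name__ == "__main__":
    found = review_access(HR_ROSTER, ROLE_BASELINE, SOD_CONFLICTS, CURRENT_ENTITLEMENTS)
    for f in found:
        print(f"{f.user:6} {f.kind:10} {sorted(f.entitlements)}  {f.detail}")
    print("revoke by", revocation_deadline("2024-01-01"), revocation_plan(found))
```

Run stand-alone, the script lists a least-privilege violation and an SoD conflict for alice, a stale approval right carol kept from her previous role, a terminated user (dave) and an orphan account (eve), and leaves bob, whose grants match his role baseline, off the revocation plan. In a real deployment the three inputs would be pulled from the HR system, the role catalog and each target system's export rather than hard-coded.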

When building a cybersecurity program with the NIST CSF as guidance, an organization can be confident that it is applying widely accepted risk management practices. Because the framework is built on existing standards and guidelines, an organization that already follows those practices can map its controls to the CSF with little friction; the framework reduces risk but does not guarantee protection from breaches and attacks. Specifically, when it comes to identity and access management, the NIST CSF lays out practices for monitoring and managing access to information within the organization's systems as part of a comprehensive set of recommendations for strengthening cybersecurity management.

A practical, measurable way to conduct access reviews is to use the YouAttest cloud-based access review system.

YouAttest automates the creation and review of these access reviews. To learn more about YouAttest, please watch a customer webinar or register for our next webinar with QoS Consulting Solutions featuring Stacey Cameron and Shannon Noonan. Or write us @

Garret Grajek, CISSP, CEH
CEO of YouAttest