Compliance Risk &

Information Security Partners

Introducing the new small business third-party risk management company

18-Q: Access Control

This section evaluates how your organization grants, manages, and revokes access to systems, applications, and data.

The questions focus on whether you follow least-privilege principles, use strong authentication and authorization controls, and have defined processes for provisioning, modifying, and removing user and privileged accounts. They also address how access rights are reviewed, documented, and approved.

Overall, this section confirms that only authorized individuals have appropriate access, and that such access is controlled throughout the user lifecycle.

Organization

First Name

69.6-Do you have an access control policy?

YES

NO

N/A

Explanation: An access control policy defines how access to systems and data is granted, ensuring only authorized personnel can access sensitive information.

Risks of Incorrect Answer: Unauthorized access to systems or data.

Breaches of confidentiality and regulatory compliance.

Applicable Frameworks: ISO 27001 (A.9.1.1): Defines access control policies.

NIST CSF (PR.AC-1): Addresses identity and access management.

69.6- If No or N/A, please provide an additional explanation

70.5-Do all users have unique user IDs for accessing applications?

YES

NO

N/A

Explanation: Unique user IDs allow tracking and auditing of individual user activities, which is critical for accountability.

Risks of Incorrect Answer: Difficulty in tracking user activities or detecting unauthorized access.

Compliance violations (e.g., GDPR, HIPAA).

Applicable Frameworks: ISO 27001 (A.9.2.1): Requires unique identification of users.

NIST CSF (PR.AC-2): Covers account management.

70.5- If No or N/A, please provide an additional explanation

71.7- Is client data segregated from the general network and other clients’ data?

YES

NO

N/A

Explanation: Unique user IDs allow tracking and auditing of individual user activities, which is critical for accountability.

Risks of Incorrect Answer: Difficulty in tracking user activities or detecting unauthorized access.

Compliance violations (e.g., GDPR, HIPAA).

Applicable Frameworks: ISO 27001 (A.9.2.1): Requires unique identification of users.

NIST CSF (PR.AC-2): Covers account management.

71.7- If No or N/A, please provide an additional explanation

72.6- Do you have a process for granting and managing access to systems that store, process, or transport client data?

YES

NO

N/A

Explanation: Access management ensures that only authorized individuals have appropriate access to sensitive systems.

Risks of Incorrect Answer: Unauthorized or excessive access privileges.

Increased risk of data breaches.

Applicable Frameworks: ISO 27001 (A.9.2.2): Covers access provisioning.

NIST CSF (PR.AC-3): Details least privilege principles.

72.6- If No or N/A, please provide an additional explanation

73.6- Are access reviews conducted?

YES

NO

N/A

Explanation: Regular access reviews ensure that users maintain only the access required for their roles.

Risks of Incorrect Answer: Over-permissioned accounts leading to security risks.

Non-compliance with regulatory frameworks.

Applicable Frameworks: ISO 27001 (A.9.2.5): Recommends periodic access reviews.

NIST CSF (PR.AC-4): Emphasizes periodic audits.

73.6- If yes, what is the scope and how often are they performed?

73.6- If No or N/A, please provide an additional explanation

74.5- Are passwords required to access systems that store, process, or transport client data?

YES

NO

N/A

Explanation: Passwords provide a basic layer of security to prevent unauthorized access.

Risks of Incorrect Answer: Unauthenticated access to critical systems.

Failure to meet compliance standards.

Applicable Frameworks:

ISO 27001 (A.9.3.1): Covers password policies.

NIST 800-63: Recommends password-based authentication.

74.5- If No or N/A, please provide an additional explanation

75.6- Is remote access allowed into your environment?

YES

NO

N/A

Explanation: Allowing remote access introduces additional security risks if not properly controlled and monitored.

Risks of Incorrect Answer: Increased attack surface for unauthorized access.

Potential breaches through unprotected remote connections.

Applicable Frameworks: ISO 27001 (A.13.2.1): Ensures secure remote access.

NIST CSF (PR.AC-5): Highlights secure remote access.

75.6- If No or N/A, please provide an additional explanation

75.1-7 If remote access is allowed, is multi-factor authentication and encryption used?

YES

NO

N/A

Explanation: MFA and encryption add layers of security, making it harder for attackers to exploit remote connections.

Risks of Incorrect Answer: Increased risk of account compromise.

Data interception during transmission.

Applicable Frameworks: ISO 27001 (A.13.2.3): Covers encryption.

NIST CSF (PR.AC-7): Recommends MFA.

75.1-7 If No or N/A, please provide an additional explanation

75.2-6 Is a VPN used for remote access?

YES

NO

N/A

Explanation: VPNs provide secure channels for remote users to connect to organizational resources.

Risks of Incorrect Answer: Data exposure through insecure connections.

Increased vulnerability to man-in-the-middle attacks.

Applicable Frameworks: ISO 27001 (A.13.2.1): Requires secure communication.

PCI DSS (2.3): Recommends secure access through VPNs.

75.2- If yes, what type of encryption algorithm is used?

75.2-6 If No or N/A, please provide an additional explanation

76.6- Is access to systems, including test environments, restricted to authorized individuals only?

YES

NO

N/A

Explanation: Restricting access ensures that only those with a legitimate need can access sensitive systems.

Risks of Incorrect Answer: Increased potential for insider threats.

Exposure of sensitive data in test environments.

Applicable Frameworks: ISO 27001 (A.9.1.2): Covers restricted access.

NIST CSF (PR.AC-4): Ensures access control.

76.6- If No or N/A, please provide an additional explanation

77.7- Is access revoked immediately when an individual is terminated?

YES

NO

N/A

Explanation: Immediate revocation prevents ex-employees from accessing organizational resources after leaving.

Risks of Incorrect Answer: Risk of malicious activity by former employees.

Non-compliance with security best practices.

Applicable Frameworks: ISO 27001 (A.9.2.6): Ensures timely revocation of access.

NIST CSF (PR.AC-4): Recommends immediate deprovisioning.

78.6- Do you use a privileged access management tool?

YES

NO

N/A

Explanation: Privileged access management tools protect critical systems and data by monitoring and securing privileged accounts.

Risks of Incorrect Answer: Elevated accounts could be exploited by attackers.

Difficulty in tracking privileged user activities.

Applicable Frameworks: ISO 27001 (A.9.2.3): Requires management of privileged access.

NIST CSF (PR.AC-4): Covers privileged access.

78.6- If No or N/A, please provide an additional explanation

79.7- Are privileged accounts monitored?

YES

NO

N/A

Explanation: Monitoring ensures that activities on privileged accounts are logged and reviewed, reducing the risk of abuse.

Risks of Incorrect Answer: Misuse of administrative privileges.

Failure to detect unauthorized or malicious activities.

Applicable Frameworks: ISO 27001 (A.12.4.1): Requires monitoring.

NIST CSF (DE.CM-3): Highlights privileged user monitoring.

79.7- If yes, how are they monitored, how often, and is this process documented?

79.7- If No or N/A, please provide an additional explanation

THANK YOU

You have successfully completed
the Access Control portion of this Assessment.

Please Press Submit
so that we can process your results

Compliance Risk &

Information Security
Partners

CRISP

Empowering small businesses
with BIG Solutions

HOME

ABOUT

CONTACT

Some or all of the services described in this engagement may not be available to certain clients, including those who have affiliations or relationships with audit firms or related entities.

The information provided herein is of a general nature and is not intended to address the specific circumstances of any individual or entity. While we strive to offer accurate and up-to-date information, we cannot guarantee its accuracy at the time it is received or in the future. No action should be taken based solely on this information without seeking appropriate professional advice tailored to your particular situation. CRISP does not provide legal or tax advice.

This information is not intended to constitute “written advice concerning one or more Federal tax matters” as defined by section 10.37(a)(2) of Treasury Department Circular 230.

Contact Us

Let’s discuss your unique security needs and address any other questions you may have. Contact us today for a free consultation and take the next step towards strengthening your company’s defenses.

LEGAL POLICIES

Privacy Policy

Terms & Conditions

Disclaimer

Cookie Policy

DSAR

Refunds/Returns

Shipping Policy

EULA

Message

I Consent to Receive SMS Notifications, Alerts & Occasional Marketing Communication from CRISP. Message frequency varies. Message & data rates may apply. Text HELP to (330) 737-2223 for assistance. You can reply STOP to unsubscribe at any time.

​Compliance Risk &

Information Security Partners

Introducing the new small business third-party risk management company

18-Q: Access Control

​Compliance Risk &

Information SecurityPartners

Empowering small businesses with BIG Solutions

HOME

ABOUT

Contact Us

LEGAL POLICIES

Compliance Risk &

Compliance Risk &

Information Security
Partners

Empowering small businesses
with BIG Solutions