Standards Group:
YALE-MSS-9: Authentication and Authorization
YALE-MSS-9.4: Grant privileges to IT Systems and data according to the principle of least privilege
Low Risk Endpoint: Required
Moderate Risk Endpoint: Required
High Risk Endpoint: Required
Low Risk Server: Required
Moderate Risk Server: Required
High Risk Server: Required
Low Risk Mobile Device: Required
Moderate Risk Mobile Device: Required
High Risk Mobile Device: Required
Low Risk Network Printer: Required
Moderate Risk Network Printer: Required
High Risk Network Printer: Required
Details
The principle of least privilege is a concept used to minimize access to data and systems. This principle only grants accounts the access they need to perform their function. For example, a user account is only granted the access needed to perform their routine work. Access is not granted beyond their routine or daily responsibilities.
This standard ensures that we grant access to Yale Data and IT Systems only to those who need it. This standard applies to user accounts, administrative accounts, and service accounts. These accounts are defined below:
- User accounts - User accounts consist of a username and password. A user account grants an individual end-user access to the IT System.
- Administrative accounts - Administrative accounts consist of a username and password. An administrative account grants an individual privileged access to the IT System. Privileged access is access to make changes to the overall IT System.
- Service accounts - Service accounts are special user accounts used by a system (e.g., an application). The system uses the service account to interact with the operating system. These types of accounts are typically used for automation.
To apply this standard, consider the following:
- What access does the typical end-user need?
- Who is responsible for managing account access?
- Are you limiting access to the data and/or system only to those who need it?