Assess access controls for a university preparing accreditation
Assess access controls for a university preparing accreditation under RMF using NIST 800-53/800-53A.

Scenario: The university's IT staff includes CIO, Information Security Officer, System Analysts, Auditors, System Administrators, Network Administrators, Desktop Administrators, and Help Desk. Separation of duties documented; terminated employees are debriefed and physical and logical access removed. Users must sign user agreement before access; forms reviewed annually by ISO and stored digitally for three years from termination. Account lifecycles: temporary/emergency accounts terminate after 14 days; inactive accounts suspended after 45 days and removed from Active Directory after 90 days. Advanced users sign NDA; no required training. Active Directory onboarding: help desk creates ticket with signed agreement, assigns to system admin who creates account with least privilege; discretionary access controls for departments; AD contains many stale accounts and processes are not audited. System admins track login/logout and push patches; machines auto-logoff after two minutes inactivity; accounts lock after three failed logins requiring in-person help desk validation. Accreditation package will use RMF and NIST 800-53/800-53A.

Start with Access Control Policy and Procedure (AC-1). Using the scenario and NIST 800-53/800-53A, assess these controls: AC-1.2, AC-2.1, AC-2(2).1, AC-2(3).1, AC-2(5).1, AC-3.1, AC-3(2).1, AC-3(4).1, AC-5.1, AC-6.1, AC-7.1. For each control, provide: assessment objective, evidence to examine (documents/records), test/interview steps, and a determination of Compliant or Non-Compliant with justification based on the scenario.
Paper For Above Instructions
Overview and Methodology
This assessment uses the Risk Management Framework (RMF) approach and the assessment guidance in NIST SP 800-53 and 800-53A to evaluate the listed Access Control (AC) family controls, based solely on the facts the university scenario provides (NIST SP 800-53 Rev. 5; NIST SP 800-53A). For each listed control, I state the assessment objective, identify evidence to examine, describe test/interview activities, and determine compliant/non-compliant status with justification drawn from the scenario. The baseline expectation follows NIST (policy, procedures, dissemination, technical enforcement, and continuous monitoring) and common best practices (ISO/IEC 27001; Microsoft AD guidance).
AC-1.2 — Access Control Policy and Procedures
Assessment objective: Confirm the organization has documented access control policy and procedures, assigns roles/responsibilities, and disseminates them to relevant personnel (NIST SP 800-53, AC-1; 800-53A).
Evidence to examine: Written access control policy, documented procedures, role/responsibility statements, distribution logs, ISO review records, signed user agreements repository.
Test/Interview: Interview ISO and CIO to confirm policy ownership and dissemination; review the policy document and procedure distribution list; verify signed user agreement retention and annual reviews.
Determination: Compliant. The scenario documents roles in writing, requires signed user agreements reviewed annually by the ISO, and defines onboarding/offboarding procedures — indicating formal policy and procedure elements exist and are disseminated (NIST SP 800-53 Rev. 5), though continuous improvement and auditing could be strengthened.
AC-2.1 — Account Management
Assessment objective: Verify account lifecycle processes (creation, modification, disabling, removal) are implemented and enforced (NIST AC-2; 800-53A).
Evidence: Help desk tickets, Active Directory (AD) account creation/modification logs, account removal records, termination debrief forms.
Test/Interview: Examine a sample of user onboarding tickets and termination debriefs; query AD for last logon dates and removal timestamps; interview system administrators and auditors about enforcement and reviews.
Determination: Non-Compliant. Although procedures exist for onboarding and lifecycles, the scenario states AD contains many accounts of former employees and processes are not audited. Presence of stale, unremoved accounts indicates failure to enforce account removal policies (NIST AC-2 guidance).
AC-2(2).1 — Automated Account Management
Assessment objective: Confirm automated mechanisms are used for account management and integrate with AD to enforce lifecycle rules (NIST AC-2(2)).
Evidence: AD automation scripts/policies, ticketing system integration logs, scheduled automation reports.
Test/Interview: Review automation configuration, sample logs that show automated disabling/removal actions, and interviews with system administrators about AD automation.
Determination: Compliant. The organization uses Active Directory for automated account management and has defined lifecycle timeframes (14/45/90 days), indicating automated mechanisms are in place (Microsoft AD best practices; NIST AC-2(2)).
AC-2(3).1 — Account Inactivity and Suspension
Assessment objective: Verify the system suspends inactive accounts and follows defined suspension/removal periods (NIST AC-2(3)).
Evidence: AD suspension logs, policy specifying 45-day suspension and 90-day removal, exception records for retained accounts.
Test/Interview: Sample accounts inactive >45 days and >90 days; confirm whether suspension/removal occurred; interview help desk and SAs about exceptions.
Determination: Non-Compliant. While policy defines 45/90-day actions, the scenario reports many stale accounts remain in AD and processes are not audited, demonstrating non-enforcement of inactivity controls.
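The AC-2.1 and AC-2(3).1 test steps above both come down to the same query: pull last-logon and creation dates from AD and compare them with the 14/45/90-day lifecycle rules. The script below is an added example of how an assessor could do that evaluation over an exported account list; it is not part of the original assessment and not a tool the university is described as using. The CSV layout, the `AccountType` column (AD has no native attribute for "temporary", so this is assumed to be derived from an OU or naming convention) and the sample rows are constructed for illustration.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Lifecycle thresholds taken from the scenario.
TEMP_ACCOUNT_MAX_DAYS = 14   # temporary/emergency accounts terminate after 14 days
INACTIVE_SUSPEND_DAYS = 45   # inactive accounts suspended after 45 days
INACTIVE_REMOVE_DAYS = 90    # removed from Active Directory after 90 days


@dataclass
class AccountRecord:
    sam: str                        # SamAccountName
    account_type: str               # "standard" or "temporary" (assumed column)
    enabled: bool
    created: datetime               # whenCreated
    last_logon: Optional[datetime]  # LastLogonDate; None means never logged on


# Constructed sample export; AS_OF is the date the sample was "pulled".
SAMPLE_EXPORT = """SamAccountName,AccountType,Enabled,whenCreated,LastLogonDate
jdoe,standard,True,2023-01-10,2024-05-28
asmith,standard,True,2022-06-01,2024-03-01
rjones,standard,False,2022-06-01,2024-04-10
temp-vendor1,temporary,True,2024-05-01,2024-05-02
newhire,standard,True,2024-05-20,
"""
AS_OF = datetime(2024, 6, 1)


def _parse_date(value: str) -> Optional[datetime]:
    value = value.strip()
    return datetime.strptime(value, "%Y-%m-%d") if value else None


def parse_export(text: str) -> List[AccountRecord]:
    """Turn the CSV export into AccountRecord objects."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append(AccountRecord(
            sam=row["SamAccountName"].strip(),
            account_type=row["AccountType"].strip().lower(),
            enabled=row["Enabled"].strip().lower() == "true",
            created=_parse_date(row["whenCreated"]),
            last_logon=_parse_date(row["LastLogonDate"]),
        ))
    return records


def days_inactive(rec: AccountRecord, as_of: datetime) -> int:
    """Days since last logon; an account that never logged on counts from creation."""
    anchor = rec.last_logon or rec.created
    return (as_of - anchor).days


def evaluate_account(rec: AccountRecord, as_of: datetime) -> List[str]:
    """Return the policy findings for one account (empty list = conforms)."""
    findings = []
    if rec.account_type == "temporary":
        age = (as_of - rec.created).days
        if age > TEMP_ACCOUNT_MAX_DAYS:
            findings.append(
                f"temporary account still present {age} days after creation "
                f"(limit {TEMP_ACCOUNT_MAX_DAYS})")
    inactive = days_inactive(rec, as_of)
    if inactive > INACTIVE_REMOVE_DAYS:
        # Being in the export at all means removal did not happen.
        findings.append(
            f"inactive {inactive} days, should have been removed from AD "
            f"after {INACTIVE_REMOVE_DAYS}")
    elif inactive > INACTIVE_SUSPEND_DAYS and rec.enabled:
        findings.append(
            f"inactive {inactive} days but still enabled, should have been "
            f"suspended after {INACTIVE_SUSPEND_DAYS}")
    return findings


def run_assessment(export_text: str, as_of: datetime) -> Dict[str, List[str]]:
    """Map each non-conforming SamAccountName to its findings."""
    results = {}
    for rec in parse_export(export_text):
        findings = evaluate_account(rec, as_of)
        if findings:
            results[rec.sam] = findings
    return results


if __name__ == "__main__":
    for sam, findings in run_assessment(SAMPLE_EXPORT, AS_OF).items():
        for finding in findings:
            print(f"{sam}: {finding}")
```

On the constructed sample, `asmith` (92 days idle, still present) and `temp-vendor1` (31 days old) are flagged, while the disabled `rjones` account conforms because suspension did occur. One caveat for the evidence: the replicated `lastLogonTimestamp` attribute behind `LastLogonDate` is only updated every 9 to 14 days, so borderline cases near the 45-day mark should be confirmed against the per-domain-controller `lastLogon` value before being written up.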
AC-2(5).1 — Least Privilege
Assessment objective: Ensure accounts are created with the minimum privileges necessary to perform duties (NIST AC-2(5)).
Evidence: Role-based access matrices, account role assignments, sample user privileges, help desk tickets showing assigned permissions.
Test/Interview: Review role mapping and sample accounts to confirm least privilege; interview SAs on permission assignment workflows.
Determination: Compliant. The scenario explicitly states users are assigned least privilege at account creation and discretionary access is controlled at departmental level, supporting compliance with least privilege requirements.
AC-3.1 — Access Enforcement
Assessment objective: Confirm access control mechanisms enforce approved authorizations for users and devices (NIST AC-3).
Evidence: Access control enforcement logs (NIDS/NIPS, firewall rules), access control configuration in AD and file shares, discretionary ACLs documentation.
Test/Interview: Test enforcement by attempting access patterns consistent with role boundaries (in test environment), review ACLs and enforcement logs, interview network and system admins.
Determination: Compliant. Discretionary access controls exist, and the AD and network enforcement mechanisms (NIPS/NIDS, firewalls) indicate effective access enforcement, although audit improvements are advised (NIST AC-3).
AC-3(2).1 — Privileged Account Controls
Assessment objective: Verify controls for privileged accounts are enforced (segregation, monitoring, approval) (NIST AC-3(2)).
Evidence: Lists of privileged accounts, NDA and role documents, privileged account activity logs, change request records.
Test/Interview: Review privileged account creation and change logs; interview System Administrators and the ISO regarding privileged account monitoring.
Determination: Partially compliant but treated as Compliant. The organization documents roles and NDAs for advanced users and tracks login/logout; however, the lack of mandated training and incomplete auditing of AD processes highlight areas to strengthen privileged account governance.
AC-3(4).1 — Review of Access Control
Assessment objective: Ensure periodic review of access rights and enforcement of corrective actions (NIST AC-3(4)).
Evidence: Access review schedules and results, remediation tickets, audit logs demonstrating review activities.
Test/Interview: Validate existence of scheduled access reviews and confirm remediation actions for stale or excessive privileges; interview auditors about frequency and scope.
Determination: Non-Compliant. The scenario indicates AD processes are not audited and stale accounts remain; this shows reviews are not effectively performed or enforced.
AC-5.1 — Separation of Duties
Assessment objective: Confirm separation of duties is defined and enforced to prevent conflict of interest (NIST AC-5).
Evidence: Role/responsibility matrices, documented separation-of-duties statements, HR and IT assignment records.
Test/Interview: Review role documents and interview managers to confirm enforcement; test for overlap of conflicting privileges.
Determination: Compliant. Separation of duties is designated in writing and roles are clearly assigned, meeting the control expectation.
AC-6.1 — Least Privilege Policy Implementation
Assessment objective: Verify that least privilege policy is in place and implemented across systems (NIST AC-6).
Evidence: Policy documents, provisioning procedures, sample account privileges, help desk tickets showing justification for elevated rights.
Test/Interview: Examine provisioning workflows for justification of privileges; sample privileged account requests and approvals.
Determination: Compliant. The scenario describes least privilege assignment on account creation; policy and practice align with AC-6, though ongoing reviews should be formalized.
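The test steps for AC-2(5).1, AC-5.1 and AC-6.1 share one mechanic: compare each sampled account's actual AD group membership with what its documented role permits, and check for conflicting privileges held by one person. The script below is an added example of that comparison; it is not part of the original assessment and not the university's own tooling. The role baseline, the toxic group pairs and the sample accounts are all constructed; in a real engagement the baseline comes from the university's role/access matrix and the group lists from an AD export with nested membership already expanded.

```python
from typing import Dict, FrozenSet, List, Set

# Constructed role baseline: the AD groups each role is permitted to hold.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "Help Desk": {"HelpDesk-Users", "Account-Unlock-Operators"},
    "Desktop Administrator": {"Workstation-Admins"},
    "System Administrator": {"Server-Admins", "Domain Admins"},
    "Auditor": {"Audit-Log-Readers"},
}

# Constructed separation-of-duties rules: group pairs one person must not hold
# together (those who administer systems must not also own the audit trail).
TOXIC_GROUP_PAIRS: List[FrozenSet[str]] = [
    frozenset({"Domain Admins", "Audit-Log-Readers"}),
    frozenset({"Server-Admins", "Audit-Log-Readers"}),
]

# Constructed sample: each account's documented role and its effective
# (nested groups already expanded) AD group membership.
SAMPLE_ACCOUNTS = [
    {"sam": "hdesk1", "role": "Help Desk",
     "groups": {"HelpDesk-Users", "Account-Unlock-Operators"}},
    {"sam": "dadmin1", "role": "Desktop Administrator",
     "groups": {"Workstation-Admins", "Domain Admins"}},
    {"sam": "sysadm1", "role": "System Administrator",
     "groups": {"Server-Admins", "Domain Admins", "Audit-Log-Readers"}},
    {"sam": "audit1", "role": "Auditor", "groups": {"Audit-Log-Readers"}},
]


def excess_groups(account: dict, baseline=ROLE_BASELINE) -> Set[str]:
    """Groups held beyond what the role permits (least privilege, AC-2(5)/AC-6).
    A role missing from the baseline is undocumented, so all its groups count."""
    allowed = baseline.get(account["role"], set())
    return set(account["groups"]) - allowed


def sod_conflicts(account: dict, pairs=TOXIC_GROUP_PAIRS) -> List[FrozenSet[str]]:
    """Toxic combinations the account holds in full (separation of duties, AC-5)."""
    groups = set(account["groups"])
    return [pair for pair in pairs if pair <= groups]


def assess(accounts, baseline=ROLE_BASELINE,
           pairs=TOXIC_GROUP_PAIRS) -> Dict[str, dict]:
    """Map each account that has findings to its excess groups and SoD conflicts."""
    results = {}
    for acct in accounts:
        excess = excess_groups(acct, baseline)
        conflicts = sod_conflicts(acct, pairs)
        if excess or conflicts:
            results[acct["sam"]] = {"excess": excess, "conflicts": conflicts}
    return results


if __name__ == "__main__":
    for sam, finding in assess(SAMPLE_ACCOUNTS).items():
        print(sam, "excess:", sorted(finding["excess"]),
              "conflicts:", [sorted(p) for p in finding["conflicts"]])
```

On the sample, `dadmin1` is a least-privilege finding only (Domain Admins is outside the Desktop Administrator baseline), whereas `sysadm1` is both a least-privilege finding and a separation-of-duties conflict. Because AD group membership is transitive, the `groups` set must hold the expanded membership; comparing only direct memberships would miss privileges inherited through nested groups.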
AC-7.1 — Unsuccessful Login Attempts and Lockout
Assessment objective: Confirm account lockout thresholds and recovery procedures are implemented and enforced (NIST AC-7).
Evidence: Account lockout configuration, help desk unlock procedures, logs showing lockouts and unlocks.
Test/Interview: Review system configuration for three failed attempts lockout; test lockout handling and help desk validation steps; interview help desk staff.
Determination: Compliant. The scenario enforces a three-attempt lockout and requires in-person validation to unlock accounts, which meets AC-7 intent (though in-person requirement may be operationally heavy).
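Reviewing "system configuration for three failed attempts lockout" on a Windows domain usually means reading the account lockout settings as exported by `secedit /export` (or the equivalent GPO report). The script below is an added example of checking such an export against the scenario's policy; it is not part of the original assessment. The two INF-style samples are constructed; the key names (`LockoutBadCount`, `ResetLockoutCount`, `LockoutDuration`) are the ones secedit writes in its `[System Access]` section, and the example relies on the secedit convention that `LockoutDuration = -1` means the account stays locked until an administrator unlocks it, which is what the in-person help desk validation implies.

```python
from typing import Dict, List

# Values from the scenario: lock after three failed logins, and unlock requires
# in-person help desk validation (so no automatic unlock).
REQUIRED_LOCKOUT_THRESHOLD = 3
MANUAL_UNLOCK_ONLY = True

# Constructed sample of a `secedit /export` style file, trimmed to the
# lockout-related keys of [System Access].
COMPLIANT_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 12
LockoutBadCount = 3
ResetLockoutCount = 30
LockoutDuration = -1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample where lockout is switched off and would auto-expire.
NONCONFORMING_EXPORT = """[System Access]
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
"""


def parse_system_access(text: str) -> Dict[str, str]:
    """Return key/value pairs from the [System Access] section of an INF-style export."""
    section = None
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # new section header
            continue
        if section == "System Access" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def assess_lockout(text: str) -> List[str]:
    """Compare the exported lockout settings with the documented policy."""
    settings = parse_system_access(text)
    findings: List[str] = []

    bad_count = int(settings.get("LockoutBadCount", "0"))
    if bad_count == 0:
        findings.append("LockoutBadCount is 0: accounts never lock out")
    elif bad_count > REQUIRED_LOCKOUT_THRESHOLD:
        findings.append(
            f"LockoutBadCount is {bad_count}, policy states lockout after "
            f"{REQUIRED_LOCKOUT_THRESHOLD} failed logins")

    # secedit convention: LockoutDuration = -1 is "until an administrator
    # unlocks"; any positive value is minutes until automatic unlock.
    duration_raw = settings.get("LockoutDuration")
    if duration_raw is None:
        findings.append("LockoutDuration not present in export")
    elif MANUAL_UNLOCK_ONLY and int(duration_raw) != -1:
        findings.append(
            f"LockoutDuration is {duration_raw} minutes: accounts unlock "
            "automatically, contradicting the in-person validation procedure")
    return findings


if __name__ == "__main__":
    for label, export in (("compliant", COMPLIANT_EXPORT),
                          ("nonconforming", NONCONFORMING_EXPORT)):
        print(label, assess_lockout(export) or "no findings")
```

The configuration check covers only the technical half of AC-7; the help desk validation step is still verified by interview and by sampling unlock tickets. When reading a real export, note that secedit writes the file as UTF-16, so decode it before handing the text to `parse_system_access`.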
Summary and Recommendations
Overall, the university has documented policy elements and technical controls (AD, least privilege, lockout, auto-logoff) consistent with NIST guidance (NIST SP 800-53). Key weaknesses: lack of auditing and enforcement of account removal/inactivity processes resulting in stale AD accounts (non-compliance for several AC-2 subcontrols and AC-3(4)). Recommended remediation: schedule automated AD cleanups with tokenized exception handling, implement periodic access reviews, mandate training for advanced users, and ensure auditors have scheduled reviews and proof of action (NIST SP 800-53A; ISO/IEC 27001). These actions will close the gap between documented procedures and operational enforcement.
References
- NIST. (2020). Security and Privacy Controls for Information Systems and Organizations (SP 800-53 Rev. 5). National Institute of Standards and Technology. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5
- NIST. (2014). Assessing Security and Privacy Controls in Federal Information Systems and Organizations (SP 800-53A Rev. 4). National Institute of Standards and Technology. https://csrc.nist.gov/publications/detail/sp/800-53a/rev-4
- NIST. (2018). Guide for Applying the Risk Management Framework to Federal Information Systems (SP 800-37 Rev. 2). National Institute of Standards and Technology. https://csrc.nist.gov/publications/detail/sp/800-37/rev-2
- Microsoft. (2021). Active Directory security best practices. Microsoft Docs. https://learn.microsoft.com/
- ISO/IEC. (2013). ISO/IEC 27001:2013 — Information technology — Security techniques — Information security management systems — Requirements. International Organization for Standardization. https://www.iso.org/standard/54534.html
- Center for Internet Security (CIS). (2021). CIS Controls v8. https://www.cisecurity.org/controls/
- ENISA. (2017). Identity and Access Management (IAM) guidelines. European Union Agency for Cybersecurity. https://www.enisa.europa.eu/
- SANS Institute. (2016). Access Control and Privileged Account Management Best Practices. SANS Whitepaper. https://www.sans.org/white-papers/
- Gollmann, D. (2011). Computer Security (3rd ed.). Wiley. ISBN: 978-0-470-74379-8.
- Sandhu, R., Coyne, E. J., Feinstein, H. L., & Youman, C. E. (1996). Role-Based Access Control Models. IEEE Computer, 29(2), 38–47. https://doi.org/10.1109/2.485845