Name: Episode 6_LEAST PRIVILEGE_ (AC-6)
Uploaded: 2022-09-03 01:00:01
Duration: 10 min 11 s

Question 1

What is NIST 800-53 AC-6 (Least Privilege)?

Accepted Answer

AC-6 is the control that enforces the principle of least privilege—only authorized access that’s necessary to accomplish assigned tasks. In plain terms, I’m saying you only give users (and service accounts) what they need to do the job. If they don’t need elevated rights, don’t give it to them. That’s how you keep the environment tighter and safer.

Question 2

How do you assess or test AC-6 during an SCA or self-assessment?

Accepted Answer

My approach is straightforward: obtain and examine the Access Control policy and procedures, then check the SSP for the AC-6 implementation statement. After that, I review the Access Control List and compare it to the roles and responsibilities matrix. I’m looking for mismatches like “ACL shows admin” but the matrix says the person is a regular user.

Question 3

Why is least privilege important for reducing cyber risk?

Accepted Answer

Least privilege minimizes the attack surface because you’re creating fewer high-value targets for bad actors. If a regular user doesn’t have admin rights, they can’t do as much damage—even if they have malicious intent. It also limits what an attacker can do if an account gets compromised.

Question 4

How does least privilege help prevent malware spreading across a network?

Accepted Answer

If an admin or super user has access to a lot of systems and their account gets compromised, malware can move from system A to systems B, C, and D quickly. That’s why I push limiting privileges—especially broad network access. The less reach an account has, the less your malware blast radius.

Question 5

Does AC-6 apply to service accounts and system processes?

Accepted Answer

Yes, and I call that out directly—processes acting on behalf of users are service accounts or accounts that don’t require human interaction. Least privilege isn’t just for people; it’s for processes too. You want processes operating at privileged levels no higher than necessary.

Question 6

What documents should I review for AC-6 compliance?

Accepted Answer

I start with the Access Control policy and procedure (the dash-one control), then the SSP to see how AC-6 is implemented. After that, I use evidence like the Access Control List plus a roles and responsibilities matrix. Those artifacts let you validate whether access is actually aligned to job duties.

Question 7

What should I do if roles and responsibilities don’t match the access control list?

Accepted Answer

First, I bring it to management and determine whether it’s a documentation issue or a real access issue. Then I ask questions and look for justification—like why an IT security analyst would have an approval role in a tool such as CSAM. If the justification makes sense, document it; if not, it’s a finding to fix.

Episode 6_LEAST PRIVILEGE_ (AC-6)

🛍️ Products Mentioned (4)

Official NIST publications, standards, and guidance

Official KamilSec branded designs and apparel

PayPal

*Patreon & Channel Support*******

About This Video

Frequently Asked Questions

🎬 More from KamilSec