graphgrc

SOC2 - CC6.3

The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.

Creates or Modifies Access to Protected Information Assets

Processes are in place to create or modify access to protected information assets based on authorization from the asset’s owner.

Removes Access to Protected Information Assets

Processes are in place to remove access to protected information assets when an individual no longer requires access.

Uses Role-Based Access Controls

Role-based access control is utilized to support segregation of incompatible functions.

Mapped SCF controls