AC.L1-B.1.II
Transaction & Function Control

FCI Data

Security Requirement

Limit information system access to the types of transactions and functions that authorized users are permitted to execute

USU Policy, Procedures, and Standards

University Policy 5200: Information Security and Appropriate Use

Users may only access systems within their role; data stewards manage access permissions aligned with job duties and contracts.

NIST Cybersecurity Framework v2

  • Protect (PR): PR.AA-04 - Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.

Implementation Details

Documentation should include details to meet the Security Requirement for this control. Complete this list for each system or systems that process or access FCI data:

  • List the processes and controls used to limit and control access to users and processes between internal systems and external systems. External systems can include systems external to the USU network (internet) or external to a private internal network.
  • List any additional processes or procedures you have that help meet the control’s security requirement.

Document How

  • the types of transactions and functions that authorized users are permitted to execute are defined.
  • system access is limited to the defined types of transactions and functions for authorized users.

Example

Account Management & Authentication Controls

  • Each USU employee is issued a unique A# (Anumber), which serves as their primary user identity for accessing university IT systems.
  • Authentication to all FCI-related systems is enforced through Microsoft Entra ID (Azure AD) Single Sign-On (SSO) and requires Multi-Factor Authentication (MFA).
  • Privileged accounts (e.g., system administrators) must use dedicated admin accounts separate from their daily user accounts.

Access Approval & Least Privilege Enforcement

  • Access to FCI-related systems is granted on a need-to-know basis and follows a formal approval process requiring management and data owner authorization.
  • Users are assigned roles based on job function, and access is restricted to only the minimum necessary privileges via Azure AD role-based access control (RBAC) and Active Directory security groups.
  • Privileged access is reviewed quarterly by project administrators to ensure compliance with least privilege principles.

Device & Endpoint Security Enforcement

  • Only university-managed devices that meet compliance requirements (e.g., updated operating system, endpoint security software, encrypted storage) are allowed to access FCI.
  • Remote access is restricted to VPN, which enforces device compliance checks before allowing a connection to internal systems.
  • Network segmentation ensures that FCI-related systems are isolated from general-use networks using firewalls and VLAN segmentation.

Onboarding & Offboarding Procedures

  • New users must complete security awareness training before gaining access to FCI-related systems.
  • When an employee separates from the university, account deactivation is automated via HR system integration with Entra ID, ensuring timely removal of access.
  • Departing employees’ privileged accounts are manually reviewed and decommissioned within 24 hours to prevent unauthorized access.

Monitoring & Audit Logging

  • All authentication events are logged and monitored in the university’s SIEM (Security Information and Event Management) system.
  • Annual access reviews are conducted to ensure users maintain only necessary permissions.

USU Services that could be leveraged to meet control requirements include*:

Entra ID (Azure AD) & Active Directory

What it does:
  • Centralized identity and authentication management.
How it helps a researcher:
  • System access, roles, and permissions can be restricted to only those authorized users who are members of a specific group controlled and audited by Entra ID.
Example:
  • A system used for research uses an Entra ID group containing members of the research team to grant access and denies access to anyone not a member of that group. Another group grants elevated access to a subset of the team.

Enterprise Firewall and Intrusion Prevention System (IPS)

What it does:
  • Network segmentation, access control, and traffic filtering.
How it helps a researcher:
  • Protects systems from unwanted or unauthorized network traffic, regardless of source user.
Example:
  • A system which should not allow Remote Desktop access can have RDP access blocked at the network level so that it cannot be used even if users enable it locally on the system.

Box.usu.edu (box.com) for Institutional Data Storage

What it does:
  • Provides a secure method of data storage and sharing.
How it helps a researcher:
  • Access to each resource in Box can be granularly controlled so that only certain users can read or write to given files and folders.
Example:
  • A research team collaborates with another university and sets up a write-only folder for external members. The data is accessible only to the six internal team members.

*List of services may not be complete or applicable for a given configuration. The use of a given service does not necessarily satisfy control requirements or may require specific configuration to meet control requirements. Documentation should include how the service is implemented to meet the control requirements.

How might an auditor assess this control?

Method

  • Examine:
    • Review access control policies, role/group configurations, and system permission settings.
  • Interview:
    • Ask administrators how they define roles and restrict access to only needed functions.
  • Test:
    • Simulate user access to verify that non-privileged accounts cannot execute unauthorized functions.

Objects (examples of items you could present to the auditor)

  • Role-Based Access Policy: Documentation showing how access and function restrictions are implemented by role.
  • User Group Listings: Active Directory or Azure AD exports showing user group assignments.
  • Access Control Matrix: A spreadsheet or document mapping user roles to allowed transactions or actions.
  • System Configuration Snapshots: Screenshots showing permission settings within systems or applications.
  • Privilege Review Records: Logs or records from periodic reviews validating user access permissions.
  • Request/Approval Forms: Evidence of how functional access was formally requested and approved.
  • Change Management Logs: Audit trails for changes to roles or access permissions.
  • Offboarding Checklist: Documentation confirming that function-based access is removed or adjusted when roles change or users leave.
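As an added, self-contained example (not from this page or from USU's systems): a deny-by-default access control matrix driven by group membership, shaped like the Entra ID research-team/elevated-group example above, together with an auditor-style access test and a privilege-review check. The group names, A# values and function names are constructed for illustration.

```python
from typing import Dict, List, Set

# Constructed example data (not from the USU page or its systems): the Entra ID
# group names, access control matrix and membership export are all hypothetical.
GROUP_TO_ROLE = {
    "GRP-Research-Team": "researcher",        # base access for the whole team
    "GRP-Research-Admins": "research_admin",  # elevated access for a subset
}
# Access control matrix: role -> transactions/functions the role may execute.
ACCESS_MATRIX: Dict[str, Set[str]] = {
    "researcher": {"read_data", "submit_job"},
    "research_admin": {"read_data", "submit_job", "export_data", "manage_users"},
}
PRIVILEGED_FUNCTIONS = {"export_data", "manage_users"}

# Constructed group listing, as an Entra ID / AD export would show it (A# = user id).
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "GRP-Research-Team": {"A01234567", "A07654321", "A01112223"},
    "GRP-Research-Admins": {"A07654321", "A09999999"},  # A09999999 is not on the team
}

def roles_for(user: str) -> Set[str]:
    """Derive roles only from the audited group membership, never from user input."""
    return {GROUP_TO_ROLE[g] for g, members in GROUP_MEMBERS.items() if user in members}

def is_permitted(user: str, function: str) -> bool:
    """Deny by default: allowed only if a role the user holds explicitly lists it."""
    return any(function in ACCESS_MATRIX[role] for role in roles_for(user))

def simulate_access(user: str, functions: List[str]) -> List[str]:
    """Auditor-style test: which of these functions can the account execute?
    A non-privileged account should get none of PRIVILEGED_FUNCTIONS back."""
    return [f for f in functions if is_permitted(user, f)]

def review_findings() -> List[str]:
    """Periodic privilege review: flag elevated members missing the base group
    (orphaned elevated access) and list who can execute privileged functions."""
    findings = []
    base = GROUP_MEMBERS["GRP-Research-Team"]
    for user in sorted(GROUP_MEMBERS["GRP-Research-Admins"] - base):
        findings.append(f"{user}: elevated group member but not in base team group")
    for user in sorted(set().union(*GROUP_MEMBERS.values())):
        held = {f for role in roles_for(user) for f in ACCESS_MATRIX[role]}
        privs = sorted(PRIVILEGED_FUNCTIONS & held)
        if privs:
            findings.append(f"{user}: can execute privileged functions {privs}")
    return findings
```

The output of simulate_access for a non-privileged A# and of review_findings are the kind of evidence the Test method and Privilege Review Records items above call for.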