Configure Data Access Control Lists
Description
Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
Tool Recommendations
- Microsoft (per-user subscription, E5/standalone): data governance and compliance platform with DLP, information protection, sensitivity labels, and insider risk management
- Broadcom (enterprise license): enterprise data loss prevention covering endpoint, network, storage, and cloud channels with policy-based content inspection
- Netskope (per-user subscription): cloud-native DLP and CASB platform providing inline data protection for SaaS, IaaS, web, and endpoint
- Forcepoint (per-user subscription): data-centric security platform with DLP across endpoint, network, cloud, and email with risk-adaptive protection
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Unauthorized Data Access by Overprivileged Users
Confidentiality: Users with excessive file system, database, or application permissions access sensitive data beyond their need-to-know, increasing insider threat risk and breach blast radius.
Lateral Movement via Open File Shares
Confidentiality: Attackers who compromise a single user account gain access to broadly shared file systems and databases lacking access control lists, enabling rapid data harvesting.
Data Tampering by Unauthorized Parties
Integrity: Without proper access control lists, unauthorized users or compromised accounts can modify critical business data, financial records, or configuration files.
Vulnerabilities (When Safeguard Absent)
Overly Permissive Data Access Permissions
Without need-to-know-based access control lists, data repositories default to broad access, granting users permissions far exceeding their role requirements.
Inconsistent Access Controls Across Data Stores
Without a policy-driven ACL configuration, access permissions vary inconsistently across file systems, databases, and applications with no unified enforcement.
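The two vulnerabilities above can be checked mechanically on a file system. The following audit script is an added example, not part of the CIS safeguard text or any listed product; it assumes a hypothetical need-to-know policy (a mapping from sensitive paths to the widest mode their ACL may grant) and a constructed sample tree, and flags both files that exceed their allowance and unlisted files that grant access to everyone (the broad-default failure mode).

```python
import stat
import tempfile
from pathlib import Path
# Hypothetical need-to-know policy (constructed): each sensitive path maps to
# the widest permission mode its role-based ACL may grant.
NEED_TO_KNOW_POLICY = {
    "finance/ledger.csv": 0o640,  # owner rw, finance group r, nothing for others
    "hr/salaries.db": 0o600,      # owner only
    "public/readme.txt": 0o644,   # world-readable is acceptable for this file
}

def excessive_bits(actual_mode: int, allowed_mode: int) -> int:
    """Permission bits present on the file that the policy does not allow."""
    return stat.S_IMODE(actual_mode) & ~allowed_mode

def audit_tree(root: Path, policy: dict) -> list:
    """Files named in the policy are checked for bits beyond their allowance;
    unlisted files fall back to default-deny: any access for 'other' is flagged."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        perm = stat.S_IMODE(path.stat().st_mode)
        if rel in policy:
            extra = excessive_bits(perm, policy[rel])
            if extra:
                findings.append((rel, "exceeds-policy", oct(extra)))
        elif perm & stat.S_IRWXO:
            findings.append((rel, "unlisted-world-access", oct(perm)))
    return findings

def build_sample_tree() -> Path:
    """Create a constructed sample tree whose modes deliberately violate policy."""
    root = Path(tempfile.mkdtemp(prefix="acl-audit-"))
    sample_modes = {
        "finance/ledger.csv": 0o664,  # group write and world read added
        "hr/salaries.db": 0o640,      # group read leaked onto an owner-only file
        "public/readme.txt": 0o644,   # compliant
        "scratch/export.csv": 0o666,  # unlisted file, world read/write
        "scratch/notes.txt": 0o640,   # unlisted but no 'other' access: fine
    }
    for rel, mode in sample_modes.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample data\n")
        path.chmod(mode)
    return root

if __name__ == "__main__":
    for finding in audit_tree(build_sample_tree(), NEED_TO_KNOW_POLICY):
        print(*finding)
```

The same default-deny rule extends naturally to database grants or application roles: anything not explicitly allowed for a role is a finding to recertify.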
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Access review/recertification records with sign-off | Quarterly |
| Technical | Access control configuration evidence (RBAC settings, group memberships) | Reviewed quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |