03.01.05 - Least Privilege

Least privilege requires that users, processes, and devices be granted only the access necessary to perform their assigned tasks, and no more. Organizations must configure permissions, roles, and authorizations to restrict system functionality and data handling to the minimal level needed for legitimate operations, and regularly review and adjust these privileges. This control helps reduce the risk of accidental or intentional misuse of controlled unclassified information.