Control
ID
Control Description Data Protection Classification
Level 1 Level 2 Level 3 Level 4
AC-1  Limit system access to authorized users, processes acting on
behalf of authorized users, and devices (including other systems).
essential essential essential essential
AC-2 Limit system access to the types of transactions and functions. recommended recommended essential essential
AC-3 Control the flow of the University’s data in accordance with approved authorizations. recommended required essential essential
AC-5 Employ the principle of least privilege, including for specific security functions and
privileged accounts.
recommended recommended essential essential
AC-6 Use non-privileged accounts or roles when accessing nonsecurity functions. recommended recommended essential essential
AC-7 Prevent non-privileged users from executing privileged functions and capture
the execution of such functions in audit logs.
required required essential essential
AC-8 Limit unsuccessful logon attempts. recommended recommended essential essential
AC-9 Provide privacy and security notices consistent with applicable University data rules. required required required essential
AC-11 Terminate (automatically) a user session after a defined condition. optional recommended required essential
AC-12 Monitor and control remote access sessions. recommended required essential essential
AC-13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. recommended required essential essential
AC-14 Route remote access via managed access control points. recommended required essential essential
AC-16 Authorize wireless access prior to allowing such connections. essential essential essential essential
AC-17 Protect wireless access using authentication and encryption. essential essential essential essential