GRCWatch
Sign inStart free trial

CIS Control 3.3: Configure Data Access Control Lists

Data access control lists (ACLs) are your first line of defense against unauthorized data exposure. This CIS control requires you to implement granular permission controls across all systems—from local file systems to cloud databases—ensuring users access only what they need. Getting this right prevents insider threats, limits breach impact, and demonstrates due diligence to auditors.

What this means

Control 3.3 mandates implementing access control lists (ACLs) that restrict data based on the principle of least privilege—each user gets permission only for resources essential to their role. This applies across the entire data landscape: operating system file systems, remote storage, databases, APIs, and applications. ACLs should be documented, reviewed regularly, and enforce explicit deny rules where appropriate.

How to comply

  1. 1.Map all data repositories: inventory file systems, databases, cloud storage, APIs, and applications that store or process sensitive data
  2. 2.Define role-based access: document which job functions require access to specific data assets and at what permission levels (read, write, execute, delete)
  3. 3.Implement ACLs technically: configure permissions in file systems (NTFS, ext4), databases (role-based access), cloud platforms (IAM), and applications (application-level controls)
  4. 4.Apply least privilege: grant minimum necessary permissions; default to deny and explicitly allow only required access
  5. 5.Document and maintain: keep current records of all ACL configurations, ownership, and changes; review quarterly for obsolete access rights
  6. 6.Test access restrictions: verify ACLs work as intended through user testing and access audits
  7. 7.Remove stale access: deactivate accounts and remove permissions for terminated users, transferred employees, and deprecated services

Evidence auditors look for

  • Screenshot of NTFS file system ACL showing user groups and permission levels (read, modify, full control)
  • Database role assignments showing which users/service accounts have SELECT, INSERT, UPDATE, DELETE permissions by table
  • Cloud IAM policy documentation (AWS IAM roles, Azure RBAC, Google Cloud IAM) listing principal-to-resource-to-action mappings
  • Application user role matrix mapping user accounts to functional roles with corresponding data access permissions
  • Access review logs showing quarterly validation of ACL configurations and removal of obsolete permissions
  • Change management records documenting ACL modifications, approvals, and business justifications

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates ACL discovery across your file systems, databases, and cloud platforms, identifies over-privileged users and orphaned accounts, and tracks permission changes for audit evidence—eliminating manual spreadsheets and reducing access control blind spots.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS 3.1 - Inventory of Data AssetsCIS 3.2 - Address Unauthorized DataCIS 6.1 - Establish an Access Control PolicyNIST AC-2 - Account ManagementNIST AC-3 - Access Enforcement