03.01.01
Account management
Create, authorize, review, monitor, and disable accounts that can access systems containing specified information.
CPCSC Level 1 Control
03.01.02Access control
CPCSC 03.01.02: Access enforcement
Make sure approved access rules are actually enforced by systems, permissions, groups, and administrative controls. This guide separates the formal control language from practical implementation, evidence, auditor questions, and related controls.
Formal Control Language
Official CPCSC Level 1 wording for 03.01.02. Use the Government of Canada page as the source of truth for certification or procurement submissions.
- Approved authorizations for logical access to specified information are enforced in accordance with applicable access control policies.
- Approved authorizations for logical access to system resources are enforced in accordance with applicable access control policies.
Contains information sourced from Government of Canada material used under the Open Government Licence - Canada.
What This Means In Plain English
The access policy has to be true in the system. If the policy says only project staff can access a folder, the folder permissions must match.
This is the practical least-privilege control. People should not have broad access because it was easier during setup or because nobody cleaned up old permissions.
For CPCSC Level 1, the useful test is not whether a policy mentions the control. The useful test is whether an owner can show the system setting, record, ticket, review output, or operating routine that proves the answer is true today and can be repeated when the next contract, customer, or assessment request arrives.
How To Implement It
1
Define access groups around job role, project, contract, or data sensitivity rather than individual one-off permissions where possible.
2
Remove default broad permissions from shared drives, cloud storage, ticketing projects, repositories, and administrator consoles.
3
Use separate administrator accounts or privileged roles for admin work. Keep privileged access small, reviewed, and tied to named people.
4
Review externally shared files, links, and guest access on a routine cadence. Disable public links by default for specified information.
5
Document exceptions with owner, reason, compensating control, and expiry date.
Evidence Normally Gathered
Access group exports or screenshots.
Shared drive, cloud folder, repository, or application permission reports.
Privileged user list.
Access review notes showing permissions were checked against roles.
Exception register for elevated or unusual access.
Screenshots of external sharing restrictions.
Common Auditor Questions
How do you enforce least privilege in the tools that hold specified information?
Which accounts have administrator or owner access?
How do you know public links or guest users are not exposing in-scope data?
What is the process when someone needs temporary elevated access?
Where is the evidence that access was reviewed, not just configured once?