AC-1(a)(1)[a][1] - Determine if the organization develops and documents an access control policy that addresses purpose.                                                                                                           
AC-1(a)(1)[a][2] - Determine if the organization develops and documents an access control policy that addresses scope.
AC-1(a)(1)[a][3] - Determine if the organization develops and documents an access control policy that addresses roles.
AC-1(a)(1)[a][4] - Determine if the organization develops and documents an access control policy that addresses responsibilities.
AC-1(a)(1)[a][5] - Determine if the organization develops and documents an access control policy that addresses management commitment.
AC-1(a)(1)[a][6] - Determine if the organization develops and documents an access control policy that addresses coordination among  organizational entities.
AC-1(a)(1)[a][7] - Determine if the organization develops and documents an access control policy that addresses compliance.                                                                                                          
AC-1(a)(1)[b] - Determine if the organization defines personnel or roles to whom the access control policy are to be disseminated
AC-1(a)(1)[c] - Determine if the organization disseminates the access control policy to organization-defined personnel or roles.
AC-1(a)(2)[a] - Determine if the organization  develops and documents procedures to facilitate the implementation of the access control policy and associated access control controls.
AC-1(a)(2)[b] - Determine if the organization defines personnel or roles to whom the procedures are to be disseminated.
AC-1(a)(2)[c] - Determine if the organization disseminates the procedures to organization-defined personnel or roles.
AC-1(b)(1)[a] - Determine if the organization defines the frequency to review and update the current access control policy.
AC-1(b)(1)[b] - Determine if the organization reviews and updates the current access control policy with the organization-defined frequency.
AC-1(b)(2)[a] - Determine if the organization defines the frequency to review and update the current access control procedures.
AC-1(b)(2)[b] - Determine if the organization reviews and updates the current access control procedures with the organization-defined frequency.

11/01/14

Documentation/Evidence Requested

TimeAuthorComment
October 28, 2014 00:001 cherry cheesecake
October 28, 2014 00:00chocolate chip cookie
October 29, 2014 18:46markdddd
November 3, 2014 13:06johnfood
October 29, 2014 18:46markdddd
November 3, 2014 13:06johnfood

Evidence/Method

FilenameURL
asset listhttp://www.google.com/
dog and poney showhttp://www.cnn.com/
computerhttp://www.newegg.com
old emailhttps://www.hotmail.com
TimeAuthorComment
October 28, 2014 00:001 cherry cheesecake
October 28, 2014 00:00chocolate chip cookie
October 29, 2014 18:46markdddd
November 3, 2014 13:06johnfood
October 29, 2014 18:46markdddd
November 3, 2014 13:06johnfood