CIS Control 16
Dec 8, 2020
CIS Control 16: Account Monitoring & Control:
- Actively manage the life cycle of system and application accounts — their creation, use, dormancy, deletion — in order to minimize opportunities for attackers to leverage them.
Why Is This CIS Control Critical?
- Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users, which makes the attacker's activity hard for security personnel to distinguish from normal use.
- Accounts of contractors and employees who have been terminated and accounts formerly set up for Red Team testing (but not deleted afterward) have often been misused in this way.
Procedures & Tools for Account Monitoring & Control:
- Security personnel can configure systems to record more detailed information about account access, and use home-grown scripts or third-party log analysis tools to analyze this information and profile user access to various systems.
- Accounts must also be tracked very closely.
- Any account that is dormant must be disabled and eventually removed from the system.
- All active accounts must be traced back to authorized users of the system, and they should utilize multi-factor authentication.
- Users must also be logged out of the system after a period of inactivity to minimize the possibility of an attacker using their system to extract information from the organization.
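As an added example (not from the original post), the review steps above applied in Python to a constructed account inventory and a few constructed authentication log lines in a hypothetical `LOGIN_OK user=... src=...` format: it reports dormant accounts, expired temporary accounts, enabled accounts that cannot be traced to an authorized user, and accounts without MFA.

```python
from datetime import datetime, timedelta

# Constructed sample inputs (not from the page): an account-inventory export,
# the list of authorized users, and authentication log lines (hypothetical format).
INVENTORY = [
    {"user": "alice",       "enabled": True,  "mfa": True,  "type": "standard"},
    {"user": "bob",         "enabled": True,  "mfa": True,  "type": "standard"},
    {"user": "carol",       "enabled": True,  "mfa": False, "type": "standard"},
    {"user": "contractor7", "enabled": True,  "mfa": True,  "type": "standard"},
    {"user": "redteam-tmp", "enabled": True,  "mfa": False, "type": "temporary",
     "expires": "2020-09-30"},
    {"user": "dave",        "enabled": False, "mfa": True,  "type": "standard"},
]
AUTHORIZED = {"alice", "bob", "carol", "dave", "redteam-tmp"}
AUTH_LOG = """\
2020-07-15T09:02:11 LOGIN_OK user=bob src=10.0.0.12
2020-09-01T22:40:03 LOGIN_OK user=redteam-tmp src=10.0.9.9
2020-12-01T08:12:00 LOGIN_OK user=alice src=10.0.0.5
2020-12-05T17:45:30 LOGIN_OK user=carol src=10.0.0.7
2020-12-07T11:00:00 LOGIN_FAIL user=contractor7 src=10.0.0.30
""".splitlines()
TODAY = datetime(2020, 12, 8)  # constructed review date

def last_logins(lines):
    """Map each user to the timestamp of their most recent successful login."""
    seen = {}
    for line in lines:
        ts, event, *fields = line.split()
        if event != "LOGIN_OK":          # failed attempts do not count as use
            continue
        kv = dict(f.split("=", 1) for f in fields)
        when = datetime.fromisoformat(ts)
        if kv["user"] not in seen or when > seen[kv["user"]]:
            seen[kv["user"]] = when
    return seen

def review_accounts(inventory, lines, authorized, today, dormant_after=timedelta(days=90)):
    """Return {user: [findings]} for enabled accounts that need action."""
    last = last_logins(lines)
    findings = {}
    for acct in inventory:
        if not acct["enabled"]:
            continue                     # already disabled; pending removal
        issues = []
        if acct["user"] not in last or today - last[acct["user"]] > dormant_after:
            issues.append("no successful login in %d days: disable, then remove" % dormant_after.days)
        if acct["type"] in ("temporary", "emergency") and today > datetime.fromisoformat(acct["expires"]):
            issues.append("expired %s account: remove" % acct["type"])
        if acct["user"] not in authorized:
            issues.append("not traceable to an authorized user: disable pending review")
        if not acct["mfa"]:
            issues.append("MFA not enrolled")
        if issues:
            findings[acct["user"]] = issues
    return findings
```

Run `review_accounts(INVENTORY, AUTH_LOG, AUTHORIZED, TODAY)` to get the findings; an account that never appears in the log window is treated as dormant, which is the safe default for accounts left over from contractors or testing.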
CIS Controls Alignment With NIST SP 800-53r4 CSF:
This mapping demonstrates connections between NIST SP 800-53r4 Cybersecurity Framework (Account Management Control) and the CIS Controls Version 7.1 (CIS Control 16: Account Monitoring & Control).
CIS Control 16: Account Monitoring & Control Mapped To NIST SP 800-53r4 (AC-2 ACCOUNT MANAGEMENT)
NIST SP 800-53 Revision 4
- AC-2 ACCOUNT MANAGEMENT
- Control: The organization:
- a. Identifies and selects the following types of information system accounts to support organizational missions/business functions:
- b. Assigns account managers for information system accounts.
- c. Establishes conditions for group and role membership.
- d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account.
- e. Requires approvals by organization-defined personnel or roles for requests to create information system accounts.
- f. Creates, enables, modifies, disables, and removes information system accounts in accordance with organization-defined procedures or conditions.
- g. Monitors the use of information system accounts.
- h. Notifies account managers:
- 1- When accounts are no longer required.
- 2- When users are terminated or transferred, and
- 3- When individual information system usage or need-to-know changes.
- i. Authorizes access to the information system based on:
- 1- Valid access authorization.
- 2- Intended system usage, and
- 3- Other attributes as required by the organization or associated missions/business functions.
- j. Reviews accounts for compliance with account management requirements based on organization-defined frequency and
- k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
Control Supplemental Guide:
- The identification of authorized users of the information system and the specification of access privileges reflect the requirements in other security controls in the security plan.
- Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access.
- Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both.
- Temporary and emergency accounts are accounts intended for short-term use.
- Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.
- Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes.
Control Enhancement:
- AC-2 (1). The organization employs automated mechanisms to support the management of information system accounts.
- AC-2 (2). The information system automatically removes or disables temporary and emergency accounts after organization-defined time periods for each type of account.
- AC-2 (3). The information system automatically disables inactive accounts after an organization-defined time period.
- AC-2 (4). The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies organization-defined personnel or roles.
- AC-2 (5). The organization requires that users log out after an organization-defined time period of expected inactivity, or under organization-defined conditions describing when to log out.
- AC-2 (6). The information system implements dynamic privilege management capabilities based on an organization-defined list of dynamic privilege management capabilities.
- AC-2 (7). The organization:
- AC-2 (7) (a). Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles.
- AC-2 (7) (b). Monitors privileged role assignments; and
- AC-2 (7) (c). Takes organization-defined actions when privileged role assignments are no longer appropriate.
- AC-2 (8). The information system creates organization-defined information system accounts dynamically.
- AC-2 (9). The organization only permits the use of shared/group accounts that meet organization-defined conditions for establishing shared/group accounts.
- AC-2 (10). The information system terminates shared/group account credentials when members leave the group.
- AC-2 (11). The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.
- AC-2 (12). The organization:
- AC-2 (12) (a). Monitors information system accounts for organization-defined atypical usage; and
- AC-2 (12) (b). Reports atypical usage of information system accounts to organization-defined personnel or roles.
- AC-2 (13). The organization disables accounts of users posing a significant risk within an organization-defined time period of discovery of the risk.
References: None
Priority & Baseline Allocation: