CIS Control 16

Tayyaba Akhtar
Dec 8, 2020

CIS Control 16: Account Monitoring & Control:

  • Actively manage the life cycle of system and application accounts — their creation, use, dormancy, deletion — in order to minimize opportunities for attackers to leverage them.

Why Is This CIS Control Critical?

  • Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users, which makes attacker behavior harder for security personnel to distinguish from normal use.
  • Accounts of contractors and employees who have been terminated and accounts formerly set up for Red Team testing (but not deleted afterward) have often been misused in this way.

Procedures & Tools for Account Monitoring & Control:

  • Security personnel can configure systems to record more detailed information about account access, and use home-grown scripts or third-party log analysis tools to analyze this information and profile user access to various systems.
  • Accounts must also be tracked very closely.
  • Any account that is dormant must be disabled and eventually removed from the system.
  • All active accounts must be traced back to authorized users of the system, and they should utilize multi-factor authentication.
  • Users must also be logged out of the system after a period of inactivity to minimize the possibility of an attacker using their system to extract information from the organization.

CIS Controls Alignment With NIST SP 800-53R4 CSF:

This mapping demonstrates the connections between NIST SP 800-53r4 Cybersecurity Framework (Account Management Control) and CIS Controls Version 7.1 (CIS Control 16: Account Monitoring & Control).

CIS Control 16: Account Monitoring & Control Mapped To NIST SP 800-53r4 (AC-2 ACCOUNT MANAGEMENT)

NIST SP 800-53 Revision 4

  • AC-2 ACCOUNT MANAGEMENT
  • Control: The organization:
  • a. Identifies and selects the following types of information system accounts to support organizational missions/business functions:
  • b. Assigns account managers for information system accounts.
  • c. Establishes conditions for group and role membership.
  • d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account.
  • e. Requires approvals by organization-defined personnel or roles for requests to create information system accounts.
  • f. Creates, enables, modifies, disables, and removes information system accounts in accordance with organization-defined procedures or conditions.
  • g. Monitors the use of information system accounts.
  • h. Notifies account managers:
  • 1- When accounts are no longer required.
  • 2- When users are terminated or transferred, and
  • 3- When individual information system usage or need-to-know changes.
  • i. Authorizes access to the information system based on:
  • 1- Valid access authorization.
  • 2- Intended system usage, and
  • 3- Other attributes as required by the organization or associated missions/business functions.
  • j. Reviews accounts for compliance with account management requirements based on organization-defined frequency and
  • k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

Control Supplemental Guide:

  • The identification of authorized users of the information system and the specification of access privileges reflect the requirements in other security controls in the security plan.
  • Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access.
  • Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both.
  • Temporary and emergency accounts are accounts intended for short-term use.
  • Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.
  • Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes.

Control Enhancement:

  1. AC-2 (1). The organization employs automated mechanisms to support the management of information system accounts.
  2. AC-2 (2). The information system automatically removes or disables temporary and emergency accounts after organization-defined time periods for each type of account.
  3. AC-2 (3). The information system automatically disables inactive accounts after an organization-defined time period.
  4. AC-2 (4). The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies organization-defined personnel or roles.
  5. AC-2 (5). The organization requires that users log out after an organization-defined time period of expected inactivity, or under organization-defined circumstances that describe when to log out.
  6. AC-2 (6). The information system implements dynamic privilege management capabilities based on an organization-defined list of dynamic privilege management capabilities.
  7. AC-2 (7). The organization:
  8. AC-2 (7) (a). Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles.
  9. AC-2 (7) (b). Monitors privileged role assignments; and
  10. AC-2 (7) (c). Takes organization-defined actions when privileged role assignments are no longer appropriate.
  11. AC-2 (8). The information system creates organization-defined information system accounts dynamically.
  12. AC-2 (9). The organization only permits the use of shared/group accounts that meet organization-defined conditions for establishing shared/group accounts.
  13. AC-2 (10). The information system terminates shared/group account credentials when members leave the group.
  14. AC-2 (11). The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.
  15. AC-2 (12). The organization:
  16. AC-2 (12) (a). Monitors information system accounts for organization-defined atypical usage; and
  17. AC-2 (12) (b). Reports atypical usage of information system accounts to organization-defined personnel or roles.
  18. AC-2 (13). The organization disables accounts of users posing a significant risk within an organization-defined time period of discovery of the risk.

References: None

Priority & Baseline Allocation:
