I am working on a series of posts related to the Center for Internet Security (CIS) Critical Security Controls (CSCs). See the full listing here.
Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them.
This control includes thirteen (13) sub-controls. For those of you reviewing the CIS Controls with the Implementation Groups in mind, three (3) are required for IG1 and twelve (12) through IG2 (the groups are cumulative). This means that, at a minimum, we want to:
- Disable any account that cannot be associated with a business process or business owner.
- Automatically disable dormant accounts after a set period of inactivity.
- Automatically lock workstation sessions after a standard period of inactivity.
This is the heaviest control in all of CIS when counting the sub-controls required through IG1 and IG2. Luckily, many organizations already use Active Directory for user access management, and it can be configured to address most of these sub-controls.
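The three IG1 items above map to Active Directory work that can be scripted. The following is an added example, not code from the original post or from CIS: it reports and (after review) disables accounts that are dormant or have no recorded owner, and it checks the workstation inactivity lock on the host it runs on. It assumes the RSAT ActiveDirectory module, a 90-day dormancy threshold, the convention that the business owner is recorded in the user's Manager attribute, and a hypothetical "Service Accounts" OU that is excluded from the sweep; all of those are assumptions you would set to match your own environment.

```powershell
# Added example (not from the original post or from CIS) for sub-controls 16.8, 16.9 and 16.11.
# Assumptions: RSAT ActiveDirectory module is installed; the business owner is kept in the
# Manager attribute (an organisational convention, not a CIS requirement); service accounts
# live in the hypothetical OU below and are reviewed by a separate process.
Import-Module ActiveDirectory

$InactiveDays  = 90                                          # dormancy threshold per policy
$ServiceAcctOU = 'OU=Service Accounts,DC=corp,DC=example'    # hypothetical OU to exclude
$Cutoff        = (Get-Date).AddDays(-$InactiveDays)
$WhatIf        = $true                                       # set $false only after the CSV has been reviewed

# LastLogonDate is derived from lastLogonTimestamp, which replicates lazily (up to ~14 days stale),
# so the threshold means "at least N days"; do not use a window shorter than about 15 days.
$Users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties LastLogonDate, WhenCreated, Manager, Description |
    Where-Object { $_.DistinguishedName -notlike "*,$ServiceAcctOU" }

$Findings = foreach ($u in $Users) {
    $reason = @()
    # 16.9: dormant accounts. An account that has never logged on is judged by its creation date.
    $last = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.WhenCreated }
    if ($last -lt $Cutoff) { $reason += "dormant > $InactiveDays days" }
    # 16.8: no identifiable business owner (here: empty Manager attribute).
    if ([string]::IsNullOrEmpty($u.Manager)) { $reason += 'no business owner recorded' }
    if ($reason.Count -gt 0) {
        [pscustomobject]@{
            Account   = $u.SamAccountName
            LastLogon = $last
            Reason    = ($reason -join '; ')
            DN        = $u.DistinguishedName
        }
    }
}

# Keep an auditable record of what was found before touching anything.
$Findings | Export-Csv -Path ".\account-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

foreach ($f in $Findings) {
    # Disable rather than delete: a disabled account can be restored if an owner turns up.
    # Stamp the reason into the 'info' (Notes) attribute so the next reviewer sees why.
    Set-ADUser -Identity $f.DN -Replace @{ info = "Disabled $(Get-Date -Format s) by account review: $($f.Reason)" } -WhatIf:$WhatIf
    Disable-ADAccount -Identity $f.DN -WhatIf:$WhatIf
}

# 16.11: lock sessions after inactivity. Deploy this through the GPO setting
# "Interactive logon: Machine inactivity limit" (Security Settings > Local Policies > Security Options);
# the registry value below is what that policy writes, read here to verify a single host.
$Key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Limit = (Get-ItemProperty -Path $Key -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
if (-not $Limit -or $Limit -eq 0 -or $Limit -gt 900) {
    # 0 means the lock is disabled; CIS Windows benchmarks expect 900 seconds or fewer, but not 0.
    Write-Warning "Machine inactivity limit is '$Limit' seconds; expected 1-900"
}
```

Run it first with $WhatIf left at $true, review the CSV with the account owners you do know, and only then flip the switch; an automated sweep that disables the CFO's rarely used break-glass account on a Friday afternoon is how this control gets switched off again.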
Implementation can certainly become complicated as more and more services move to hosted cloud instances; being able to configure Single Sign-On (SSO) will be critical to keeping this control manageable at scale. SSO allows you to centralize both the authentication and MFA data flows. This ensures a smoother
Several of these items are not "new" ideas: a strong password policy, an authentication process that addresses credential transmission and storage, and configurations such as session timeouts and user inactivity timeouts are all things you'll be plenty familiar with if you work in any sort of regulated environment.
Relevant News Stories
The CIS Controls are in version 7.1 at the time of this writing. For more information on this control check out the CIS Control #16 page here.