CIS Control 6 merges some aspects of CIS Control 4 (admin privileges) and CIS Control 14 (access based on need to know) into a single access control management group. Access control management is a critical component in maintaining information and system security, restricting access to assets based on role and need. It is important to grant, refuse, and remove access in a standardized, timely, and repeatable way across an entire organization. Privileged accounts, such as administrators, should be protected with multi-factor authentication. Enforcing and maintaining access control policies can be made significantly less painful with automated tools. In the same vein as protecting data assets, users and service accounts are also assets that need to be protected.

Many of the Safeguards in Control 6 are foundational, and even the smallest organizations should implement them. Organizations with more resources, with assets subject to regulatory and compliance oversight, or that may face sophisticated adversaries should strive to implement centralized role-based access control measures.

CIS Benchmarks, which are available for many product families, are best-practice security configuration guides that are mapped to the controls and walk you through configuration remediation step-by-step.

Key Takeaways for Control 6

An access control management plan should at least implement processes to:

  1. Ensure that access is granted and revoked in a systematic and preferably automated way.
  2. Enable multi-factor authentication for all users with privileged or remote access, and for externally exposed or third-party applications.

A more comprehensive plan should incorporate centralization, automation, a maintained inventory, and role-based access.

Safeguards for Control 6

6.1) Establish an Access Granting Process

Description: Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.

Notes: This Implementation Group 1 (IG1) Safeguard intends to
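As an added illustration of the systematic grant-and-revoke process called for in the takeaways and in Safeguard 6.1 (example code, not from the article or from CIS), the following Python reconciles role-based desired access against current grants, covering new hire, role change, departure, and the rule that privileged access is withheld until the account has multi-factor authentication. The role names, entitlement strings, user inventory and current grants are constructed for the example.

```python
from dataclasses import dataclass
# Constructed sample role model (hypothetical names, not from the article).
ROLE_ENTITLEMENTS = {
    "developer": {"git:read", "git:write", "ci:run"},
    "ops-admin": {"git:read", "prod:ssh", "prod:admin"},
}
# Entitlements that make an account privileged; an assumption for this example.
PRIVILEGED = {"prod:ssh", "prod:admin"}

@dataclass
class User:
    name: str
    roles: set
    mfa_enrolled: bool

def desired_entitlements(user):
    # Role-based access: the union of the entitlements of every role held.
    wanted = set()
    for role in user.roles:
        wanted |= ROLE_ENTITLEMENTS.get(role, set())
    return wanted

def reconcile(users, current_grants):
    """Return (to_grant, to_revoke, blocked_for_mfa) that align grants with roles."""
    to_grant, to_revoke, blocked = {}, {}, []
    for user in users:
        wanted = desired_entitlements(user)
        if wanted & PRIVILEGED and not user.mfa_enrolled:
            # Privileged entitlements are withheld (and revoked if already
            # held) until the account has multi-factor authentication.
            blocked.append(user.name)
            wanted -= PRIVILEGED
        have = current_grants.get(user.name, set())
        to_grant[user.name] = wanted - have      # new hire / role change
        to_revoke[user.name] = have - wanted     # role change
    # Grants held by accounts no longer in the inventory are revoked in full.
    known = {u.name for u in users}
    for name, have in current_grants.items():
        if name not in known and have:
            to_revoke[name] = set(have)
    return to_grant, to_revoke, blocked

# Constructed inventory: alice is a new developer, bob moved from developer
# to ops-admin without enrolling in MFA, dave has left the organization.
USERS = [User("alice", {"developer"}, True), User("bob", {"ops-admin"}, False)]
CURRENT_GRANTS = {
    "alice": {"git:read"},
    "bob": {"git:read", "git:write", "ci:run"},
    "dave": {"git:read", "prod:ssh"},
}
```

Running `reconcile(USERS, CURRENT_GRANTS)` grants alice her missing developer entitlements, revokes bob's old developer rights while holding back his privileged access until he enrolls in MFA, and revokes everything dave still holds.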