CIS Control 6 merges some aspects of CIS Control 4 (admin privileges) and CIS Control 14 (access based on need to know) into a single access control management group. Access control management is a critical component in maintaining information and system security, restricting access to assets based on role and need. It is important to grant, refuse, and remove access in a standardized, timely, and repeatable way across an entire organization. Privileged accounts, such as administrators, should be protected with multi-factor authentication. Enforcing and maintaining access control policies can be made significantly less painful with automated tools. In the same vein as protecting data assets, users and service accounts are also assets that need to be protected.
Many of the Safeguards in Control 6 are foundational, and even the smallest organizations should implement them. Organizations with more resources or assets that are subject to regulatory and compliance oversight or who may face threats from sophisticated adversaries should strive to implement centralized role-based access control measures.
CIS Benchmarks, which are available for many product families, are best-practice security configuration guides that are mapped to the controls and walk you through configuration remediation step-by-step.
Key Takeaways for Control 6
An access control management plan should at least implement processes to:
- Ensure that access is granted and revoked in a systematic and preferably automated way.
- Enable multi-factor authentication for all users with privileged or remote access as well as externally-exposed or third-party applications.
A more comprehensive plan should incorporate centralization, automation, a maintained inventory, and role-based access.
Safeguards for Control 6
6.1) Establish an Access Granting Process
Description: Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.
Notes: This Implementation Group 1 (IG1) Safeguard intends to protect enterprise assets, ensuring that users are provisioned appropriate access in a regulated manner. Every organization should implement this Safeguard.
6.2) Establish an Access-Revoking Process
Description: Establish and follow a process, preferably automated, for revoking access to enterprise assets through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts instead of deleting accounts may be necessary to preserve audit trails.
Notes: This IG1 Safeguard also intends to protect enterprise assets by ensuring that user access is deprovisioned in a regulated manner. Every organization should implement this Safeguard.
6.3) Require MFA for Externally-Exposed Accounts
Description: Require all externally exposed or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.
Notes: This IG1 Safeguard intends to protect accounts by requiring at least a second authorization mechanism. Every organization should implement this Safeguard.
6.4) Require MFA for Remote Network Access
Description: Require MFA for remote network access.
Notes: This IG1 Safeguard intends to protect enterprise assets by requiring users accessing the network remotely to have multi-factor authentication. Every organization should implement this Safeguard
6.5) Require MFA for Administrative Access
Description: Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.
Notes: This IG1 Safeguard intends to protect enterprise assets by requiring privileged users, such as administrator accounts, using multi-factor authentication. Every organization should implement this Safeguard.
6.6) Establish and Maintain an Inventory of Authentication and Authorization Systems
Description: Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory at minimum annually or more frequently.
Notes: This Implementation Group 2 (IG2) Safeguard intends to supplement the protection of other control Safeguards within organizations that have increased operational complexity. In larger or more complex organizations, authentication and authorization systems should be maintained and inventoried on a systematic and regular basis. Organizations that have regulatory compliance burdens or store and process sensitive client data should implement this Safeguard.
6.7) Centralize Access Control
Description: Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
Notes: This IG2 Safeguard intends to protect enterprise assets by ensuring that access controls are centralized, making them easier to automate and maintain. Organizations that have increased operational complexity, have regulatory compliance burdens, or store and process sensitive client data should implement this Safeguard.
6.8) Define and Maintain Role-Based Access Control
Description: Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized on a recurring schedule at a minimum annually, or more frequently.
Notes: This Implementation Group 3 (IG3) Safeguard intends to protect enterprise assets by ensuring access rights are role-based and maintained in a standardized and reliable manner. Organizations with assets that are subject to regulatory and compliance oversight as well as those targeted by sophisticated adversaries such as APTs should implement this Safeguard.
Read more about the 18 CIS Controls here:
CIS Control 6: Access Control Management