Cybersecurity Frameworks - Cybersecurity Guides
CIS Control 05 covers Account Management which primarily focuses on the management of account credentials and authentication, including the configuration and enforcement of a password policy.
Cybersecurity Control Review: Account Management, CIS 5
Account Management is one of the shortest controls. It is fairly easy to cover and implement but is still extremely important. Creating user accounts and setting up a password policy are some of the first things organizations commonly think about and put in place when setting up a network or discussing basic security mechanisms.
It's important to be aware that CIS Control 06 covers Access Control Management, which we will discuss in an upcoming article. So be sure not to confuse this control which covers authentication and not access control configurations and requirements. These are separate controls for a reason, because they are distinctly different parameters and mechanisms, but they are back-to-back because they go hand-in-hand and work together. You must have Account Management (authentication) first, before you can address Access Control (authorization) second. To state it another way, authentication proves someone's identity, and then authorization grants that user access to the systems and data that have been approved and provisioned.
Here is a list of each Safeguard included in CIS Control 05:
5.1 Establish and Maintain an Inventory of Accounts - An inventory should be created, updated and reviewed on a quarterly basis, at a minimum. The inventory should include key information such as the account creation date, date of last login or activity, the name assigned to the account, the purpose or role of the account, etc. The inventory also needs to include all administrator accounts and service accounts. Don't forget to create inventories for all systems that have separate accounts, such as SaaS applications, that are managed separately and not tied back to a central system with SSO.
5.2 Use Unique Passwords - This is the Safeguard that connects to the organization's password policy. There are basic requirements here, but you can follow the CIS Benchmark, Password Guidance, which provides a thorough documentation of all the latest best practices and configuration requirements that should be followed.
Some key elements include, creating passwords with a minimum complexity and length set (typically 10 characters, including 1 uppercase, 1 lowercase, and 1 number or special character).
Passwords should never be shared, written down, or stored in an insecure way.
Passwords should be reset on an annual basis, unless it is believed the password may have been compromised, in which it should be reset immediately.
5.3 Disable Dormant Accounts - Any account that is unnecessary or no longer needed should be disabled. Any account that has been inactive for 45 days should also be disabled. Keep in mind that it is best practice to disable accounts and move them into an isolated group (e.g., Organizational Unit in AD), but NOT deleted. If the account is deleted and needs to be reviewed for auditing purposes or re-enabled for access at a later date, that will cause an issue.
5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts - All administrators should have their own dedicated accounts and they should be separate from the account they use for normal daily use. This will reduce the risk of compromising accounts with privileged access.
5.5 Establish and Maintain an Inventory of Service Accounts - This is often ignored and these accounts are forgotten about. It is very important to have a complete list of ALL Service Accounts that are active for any of the systems you use. You should include what systems the account is used for and the purpose, role and/or permissions the account has. This is extremely helpful when conducting an audit of accounts and permissions, as well as, determining the impact of changes related to the systems they are used for.
5.6 Centralize Account Management - An example of this is Microsoft Active Directory which is very common within organizations today. In order to effectively manage, maintain and audit accounts, a solution like this is necessary for all businesses.
As you may have noticed, there is no mention of Multi-Factor Authentication in this control. And although that is considered an authentication mechanism, it is covered in the next control for Access Control Management.
You can also check out one of our recent articles on updating your password policy here.
See the list of references below
Review these sources for more information
CIS Controls - View the latest CIS Controls documentation for Version 8. https://www.cisecurity.org/controls
CIS Benchmark, Password Policy Guide https://www.cisecurity.org/insights/white-papers/cis-password-policy-guide