CIS Controls v8 Overview- Control 06

James Temples
2 min read · Nov 23, 2021


Our review of the CIS Controls v8 continues…and today’s post covers Control 06.

Control 06: Access Control — Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

Why is this control important?

Building on CIS Control 05 (Account Management), Control 06 focuses on managing what access each account has, ensuring users only have access to the data or assets appropriate for their role, which protects critical or sensitive data and functions. Accounts should follow ‘least privilege’: the minimal authorization needed for the role on the enterprise asset or software.

And its Safeguards?

The control has eight (8) Safeguards that cover the key actions to establish and maintain secure configurations. The Safeguards include processes for granting and revoking access, using Multi-factor Authentication (MFA), establishing an inventory of authentication and authorization systems, centralizing access control, and using role-based access control.

How is this Control Implemented?

An Access Control program is initiated based on role-based access, which defines and manages access requirements for each account based on need to know, least privilege, privacy requirements, and/or separation of duties. MFA is also established for all accounts (especially administrator accounts) and often utilizes smartphone applications. Other solutions such as Privileged Access Management (PAM) and “jump-boxes” provide additional security. The Access Control program must include steps that are applied consistently when employees leave the organization. Service accounts should also be inventoried and tracked. Administrators should have separate accounts for daily functions and administrator actions. Automated IAM tools, such as SecurEnds CEM, greatly improve an organization’s ability to follow the Access Control program guidelines.
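To make the implementation steps above concrete, here is an added example (not code from the post, from CIS, or from SecurEnds CEM) of the kind of automated access review an IAM tool performs: it walks an account inventory and flags excess privilege against a role model, missing MFA, accounts whose owner has left, admin entitlements mixed into a daily-use account, and service accounts with no recorded owner. The role model, the `admin:`/`jumpbox:` naming convention for privileged entitlements, and every account and user in the sample data are constructed assumptions for the example.

```python
"""Access review in the spirit of CIS Control 06 (added example).

Everything below is constructed sample data: the role model, the
entitlement naming convention and the accounts themselves.
"""
from collections import Counter
from dataclasses import dataclass

# Role -> entitlements that role is allowed to hold (constructed role model).
ROLE_ENTITLEMENTS = {
    "analyst": {"email", "wiki:read", "reports:read"},
    "developer": {"email", "wiki:read", "repo:write", "ci:run"},
    "sysadmin": {"admin:servers", "admin:iam", "jumpbox:ssh"},
    "service": set(),  # service accounts are reviewed individually
}

# Assumed convention: privileged entitlements carry an "admin:" or "jumpbox:" prefix.
PRIVILEGED_PREFIXES = ("admin", "jumpbox")


def is_privileged(entitlement):
    return entitlement.split(":", 1)[0] in PRIVILEGED_PREFIXES


@dataclass
class Account:
    name: str
    owner: str          # responsible person; empty for an orphaned service account
    kind: str           # "user", "admin" or "service"
    role: str
    entitlements: set
    mfa: bool
    active: bool = True


@dataclass
class Finding:
    account: str
    check: str
    detail: str


def review_access(accounts, terminated, roles=ROLE_ENTITLEMENTS):
    """Return one Finding per policy violation found in the inventory."""
    findings = []
    for a in accounts:
        if not a.active:
            continue
        # Offboarding: the owner has left but the account is still enabled.
        if a.owner in terminated:
            findings.append(Finding(a.name, "offboarding", f"owner {a.owner} has left"))
        # Least privilege: entitlements the account's role does not permit.
        if a.kind != "service":
            excess = sorted(a.entitlements - roles.get(a.role, set()))
            if excess:
                findings.append(Finding(a.name, "excess-privilege", ", ".join(excess)))
        # MFA is expected on every interactive (user or admin) account.
        if a.kind != "service" and not a.mfa:
            findings.append(Finding(a.name, "mfa-missing", f"{a.kind} account without MFA"))
        # Separate admin and daily-use accounts: no account should hold both.
        privileged = {e for e in a.entitlements if is_privileged(e)}
        daily = a.entitlements - privileged
        if privileged and daily:
            findings.append(Finding(a.name, "admin-separation",
                                    f"holds {sorted(privileged)} alongside {sorted(daily)}"))
        # Service account inventory: every service account needs an owner.
        if a.kind == "service" and not a.owner:
            findings.append(Finding(a.name, "service-unowned", "no responsible owner recorded"))
    return findings


def summarize(findings):
    """Count findings per check, e.g. for a review dashboard."""
    return dict(Counter(f.check for f in findings))


# Constructed sample inventory and leaver list.
SAMPLE_ACCOUNTS = [
    Account("alice", "alice", "user", "analyst", {"email", "wiki:read", "reports:read"}, True),
    Account("bob", "bob", "user", "developer", {"email", "repo:write", "admin:servers"}, True),
    Account("carol", "carol", "user", "analyst", {"email", "wiki:read"}, False),
    Account("dave", "dave", "user", "analyst", {"email"}, True),
    Account("adm-erin", "erin", "admin", "sysadmin", {"admin:servers", "admin:iam", "jumpbox:ssh"}, True),
    Account("adm-frank", "frank", "admin", "sysadmin", {"admin:iam"}, False),
    Account("svc-backup", "", "service", "service", {"backup:write"}, False),
]
TERMINATED = {"dave"}

if __name__ == "__main__":
    results = review_access(SAMPLE_ACCOUNTS, TERMINATED)
    for f in results:
        print(f"{f.account:<11} {f.check:<17} {f.detail}")
    print(summarize(results))
```

Run as-is, the review reports six findings: bob holds an admin entitlement outside his developer role and mixes it with daily-use access, carol and adm-frank lack MFA, dave's account is still active after he left, and the backup service account has no owner; alice and adm-erin come back clean. A real deployment would read the inventory from the directory or IAM system rather than from the constructed list.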

Key Reminder(s)

Like inventories for enterprise assets and software, Access Control inventory should be continually maintained to minimize an attacker’s ability to threaten an organization.

In the next post, we will look at Control 07: Continuous Vulnerability Management. If you enjoyed this post, please Like and Share! Search for the IAM Series for more information on that topic.

Contact Temples Consulting (SecurEnds & CIS Controls Partner) to schedule a no-cost consultation to see how SecurEnds CEM can add immediate value for your organization.

#cybersecurity #security #infosec #informationsecurity #riskmanagement #ciscontrols #cissecuresuite #safeguards #ciscontrolsv8 #templesconsultinggroup #security #clarity #delivery #riskassessment #riskremediation #risk2remediation #software #cyber #governance #GRC #implementations #dataprotection #datasecurity #securends #IAM #IdentityAccessManagement

James Temples

Cybersecurity, Implementation, Continuity and Compliance Professional & Entrepreneur, CISSP