6: Access Control Management
Threats Addressed:
Control Statement
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]
Subcontrols
6.1: Establish an Access Granting Process
Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.
6.2: Establish an Access Revoking Process
Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.
6.3: Require MFA for Externally-Exposed Applications
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.
6.4: Require MFA for Remote Network Access
Require MFA for remote network access.
6.5: Require MFA for Administrative Access
Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.
6.6: Establish and Maintain an Inventory of Authentication and Authorization Systems
Establish and maintain an inventory of the enterprise's authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.
6.7: Centralize Access Control
Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
6.8: Define and Maintain Role-Based Access Control
Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.