Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
Why Is This Control Critical?
It is easier for an external or internal threat actor to gain unauthorized access to enterprise assets or data through using valid user credentials than through 'hacking' the environment. There are many ways to covertly obtain access to user accounts, including: weak passwords, accounts still valid after a user leaves the enterprise, dormant or lingering test accounts, shared accounts that have not been changed in months or years, service accounts embedded in applications for scripts, a user having the same password as one they use for an online account that has been compromised (in a public breach), social engineering a user to give their password, or using brute force to guess a password. Administrative, or highly privileged, accounts are a particular target, because they allow attackers to add accounts, change configurations, read and modify stored data, impersonate regular users, and conduct data theft.
Safeguards (6)
| ID | Title | Function | IG | Checklist Items | Evidence |
|---|---|---|---|---|---|
| 5.1 | Establish and Maintain an Inventory of Accounts | Identify | IG1, IG2, IG3 | 7 | 5 |
| 5.2 | Use Unique Passwords | Protect | IG1, IG2, IG3 | 8 | 4 |
| 5.3 | Disable Dormant Accounts | Respond | IG1, IG2, IG3 | 6 | 3 |
| 5.4 | Restrict Administrator Privileges to Dedicated Administrator Accounts | Protect | IG1, IG2, IG3 | 7 | 4 |
| 5.5 | Establish and Maintain an Inventory of Service Accounts | Identify | IG2, IG3 | 7 | 5 |
| 5.6 | Centralize Account Management | Protect | IG2, IG3 | 5 | 3 |
Audit Verification Details
Safeguard 5.1: Establish and Maintain an Inventory of Accounts
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Inventory tool is deployed and all required data fields are populated. | Inventory tool screenshot, exported data with populated fields |
| An inventory or catalog is maintained, accurate, and complete. | Inventory export with timestamps showing recent updates |
| Inventory is reviewed and reconciled on the defined schedule. | Review meeting minutes, sign-off records, or change logs |
| New assets/items are added to the inventory within the defined onboarding window. | Sample of recently onboarded assets with inventory timestamps |
| Process exists to identify and remediate unauthorized or unmanaged items. | Exception reports, unauthorized asset remediation records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Current inventory or catalog documentation | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for identification activities | Reviewed annually |
| Technical | Asset/software inventory export with required fields populated | Exported quarterly for review |
| Record | Inventory review meeting minutes or sign-off | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Safeguard 5.2: Use Unique Passwords
Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Multi-factor authentication is enforced on all in-scope systems and accounts. | MFA enrollment status reports, conditional access policy config |
| Password policies meet or exceed defined complexity and length requirements. | Identity provider password policy configuration |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| MFA exceptions are documented, approved, and compensating controls are in place. | Exception records with compensating control documentation |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | MFA enrollment status and enforcement configuration | Reviewed monthly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
Safeguard 5.3: Disable Dormant Accounts
Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Response procedures and playbooks are documented and current. | Response playbooks with review dates |
| Response procedures have been exercised through tabletop or simulation within the past 12 months. | Exercise reports, participant sign-off, lessons learned |
| Incident response actions are logged and tracked to completion. | Incident tickets, action item tracking, post-incident reviews |
| Inactive and dormant accounts are identified and disabled per policy. | Account lifecycle reports, disabled account audit |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Response procedure/playbook documentation | Reviewed bi-annually |
| Record | Response action logs showing procedure execution | Per incident |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
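The 45-day rule applied to a directory export, as an added Python example (not CIS text and not any vendor's tooling). The CSV column names, the break-glass exemption set and the sample accounts are assumptions; the check measures never-used accounts from their creation date, a case the safeguard wording leaves open.

```python
import csv, io
from datetime import datetime, timedelta, timezone

DORMANT_AFTER = timedelta(days=45)  # inactivity threshold from Safeguard 5.3

def parse_export(csv_text):
    """Parse an assumed directory export with columns username, enabled,
    created, last_logon (ISO 8601 UTC; last_logon empty if never signed in)."""
    accounts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        accounts.append({
            "username": row["username"],
            "enabled": row["enabled"].strip().lower() == "true",
            "created": datetime.fromisoformat(row["created"]),
            "last_logon": (datetime.fromisoformat(row["last_logon"])
                           if row["last_logon"] else None),
        })
    return accounts

def find_dormant(accounts, now, exempt=frozenset()):
    """Return (usernames to disable, exempt usernames that are dormant).
    A never-used account is measured from its creation time, so unused
    onboarding or test accounts are caught too. Exempt (documented
    break-glass) accounts are reported separately so the exception stays
    visible to the reviewer rather than being silently skipped."""
    to_disable, dormant_exempt = [], []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to do
        last_activity = acct["last_logon"] or acct["created"]
        if now - last_activity < DORMANT_AFTER:
            continue  # activity inside the 45-day window
        if acct["username"] in exempt:
            dormant_exempt.append(acct["username"])
        else:
            to_disable.append(acct["username"])
    return sorted(to_disable), sorted(dormant_exempt)

# Constructed sample export (not real data); dates are relative to NOW.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE_EXPORT = """username,enabled,created,last_logon
alovelace,true,2022-01-10T08:00:00+00:00,2024-06-28T09:12:00+00:00
contractor7,true,2023-02-01T08:00:00+00:00,2024-04-30T17:45:00+00:00
newhire_q2,true,2024-05-10T08:00:00+00:00,
breakglass,true,2021-07-01T08:00:00+00:00,2023-12-01T03:00:00+00:00
oldintern,false,2022-06-01T08:00:00+00:00,2022-09-01T12:00:00+00:00
svc_monitor,true,2020-03-15T08:00:00+00:00,2024-05-17T00:00:00+00:00
"""
```

Running `find_dormant(parse_export(SAMPLE_EXPORT), NOW, {"breakglass"})` on the sample yields `contractor7` and `newhire_q2` to disable and `breakglass` as dormant-but-exempt; `svc_monitor` at 44 days stays untouched, which is the boundary an auditor should sample.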
Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts
Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Email authentication (SPF, DKIM, DMARC) is configured and passing. | DNS record verification, DMARC aggregate reports |
| Email filtering is active for attachments and URLs. | Email gateway configuration, filtering statistics |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Email security configuration (SPF, DKIM, DMARC records) | Verified quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
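An added Python check for the separation Safeguard 5.4 describes (example code, not CIS material): it reads privileged-group membership and flags a primary account holding privilege, a dedicated admin account that carries a mailbox (so it can be used for email), and an admin account whose owning primary account is gone. The `adm-` naming convention, the group names and the sample accounts are assumptions.

```python
ADMIN_PREFIX = "adm-"  # assumed naming convention for dedicated admin accounts
PRIVILEGED_GROUPS = {"Domain Admins", "Server Admins"}  # assumed group names

def check_admin_separation(accounts, memberships):
    """accounts: {username: {"mailbox": bool, "owner": primary username or None}}
    memberships: {group name: set of member usernames}
    Returns three finding lists:
      primary_with_privilege - a day-to-day (non adm-) account is in a
                               privileged group;
      admin_with_mailbox     - a dedicated admin account has a mailbox, so it
                               can be used for email, a general computing task;
      admin_without_owner    - the admin account's primary account is not
                               recorded or no longer exists (likely orphaned)."""
    privileged = set()
    for group, members in memberships.items():
        if group in PRIVILEGED_GROUPS:
            privileged |= set(members)
    findings = {"primary_with_privilege": [], "admin_with_mailbox": [],
                "admin_without_owner": []}
    for user in sorted(privileged):
        attrs = accounts.get(user, {})
        if not user.startswith(ADMIN_PREFIX):
            findings["primary_with_privilege"].append(user)
            continue
        if attrs.get("mailbox"):
            findings["admin_with_mailbox"].append(user)
        owner = attrs.get("owner")
        if not owner or owner not in accounts:
            findings["admin_without_owner"].append(user)
    return findings

# Constructed sample directory data (not real accounts).
ACCOUNTS = {
    "alovelace": {"mailbox": True, "owner": None},
    "adm-alovelace": {"mailbox": False, "owner": "alovelace"},
    "bkim": {"mailbox": True, "owner": None},
    "adm-legacy": {"mailbox": True, "owner": "jdoe"},  # jdoe has left the company
}
MEMBERSHIPS = {
    "Domain Admins": {"adm-alovelace", "bkim"},
    "Server Admins": {"adm-legacy"},
    "All Staff": {"alovelace", "bkim"},
}
```

On the sample, `bkim` is a primary account sitting in Domain Admins and `adm-legacy` is flagged twice: it has a mailbox and its owner is no longer in the directory, while `adm-alovelace` passes.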
Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts
Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Inventory tool is deployed and all required data fields are populated. | Inventory tool screenshot, exported data with populated fields |
| An inventory or catalog is maintained, accurate, and complete. | Inventory export with timestamps showing recent updates |
| Inventory is reviewed and reconciled on the defined schedule. | Review meeting minutes, sign-off records, or change logs |
| New assets/items are added to the inventory within the defined onboarding window. | Sample of recently onboarded assets with inventory timestamps |
| Process exists to identify and remediate unauthorized or unmanaged items. | Exception reports, unauthorized asset remediation records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Current inventory or catalog documentation | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for identification activities | Reviewed annually |
| Technical | Asset/software inventory export with required fields populated | Exported quarterly for review |
| Record | Inventory review meeting minutes or sign-off | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
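One reconciliation routine that serves both the user/administrator inventory of Safeguard 5.1 and the service account inventory of Safeguard 5.5, added here as Python example code (not CIS material). The required fields come from the two safeguard texts; the 92-day review interval, the field names and the sample records are assumptions.

```python
from datetime import date

# Minimum fields named in the safeguard text; stop_date is recorded for user
# accounts but is legitimately blank while the person is still employed.
REQUIRED_FIELDS = {
    "user": ("name", "username", "start_date", "department"),              # 5.1
    "service": ("username", "department_owner", "review_date", "purpose"),  # 5.5
}
REVIEW_INTERVAL_DAYS = 92  # assumed length of "at a minimum quarterly"

def reconcile(inventory, enabled_in_directory, today, account_type="user"):
    """Compare an inventory (list of dicts) with the set of usernames the
    directory currently reports as enabled; return findings by category."""
    required = REQUIRED_FIELDS[account_type]
    findings = {"missing_fields": [], "past_stop_date": [],
                "stale_review": [], "unauthorized": [], "orphaned": []}
    inventoried = set()
    for entry in inventory:
        user = entry.get("username") or "<no username>"
        inventoried.add(user)
        missing = [f for f in required if not entry.get(f)]
        if missing:
            findings["missing_fields"].append((user, missing))
        stop = entry.get("stop_date")
        if stop and stop < today and user in enabled_in_directory:
            findings["past_stop_date"].append(user)  # left, but still enabled
        reviewed = entry.get("review_date")
        if reviewed and (today - reviewed).days > REVIEW_INTERVAL_DAYS:
            findings["stale_review"].append(user)  # quarterly review missed
        if user not in enabled_in_directory:
            findings["orphaned"].append(user)  # inventory entry, no live account
    # Enabled accounts nobody inventoried: the "unauthorized or unmanaged" case.
    findings["unauthorized"] = sorted(enabled_in_directory - inventoried)
    return findings

# Constructed sample data (not a real inventory).
TODAY = date(2024, 6, 30)
USER_INVENTORY = [
    {"name": "Ada L.", "username": "alovelace", "start_date": date(2021, 3, 1),
     "stop_date": None, "department": "Engineering"},
    {"name": "Bob K.", "username": "bkim", "start_date": date(2020, 1, 6),
     "stop_date": date(2024, 5, 31), "department": "Finance"},
    {"name": "", "username": "tmp_test1", "start_date": date(2023, 9, 1),
     "stop_date": None, "department": ""},
]
SERVICE_INVENTORY = [
    {"username": "svc_backup", "department_owner": "IT Ops",
     "review_date": date(2024, 1, 15), "purpose": "nightly backups"},
]
ENABLED_USERS = {"alovelace", "bkim", "tmp_test1", "jdoe"}
ENABLED_SERVICE = {"svc_backup"}
```

On the sample, `bkim` is past the stop date yet still enabled, `tmp_test1` lacks name and department, `jdoe` is enabled but never inventoried, and the service account `svc_backup` has gone 167 days since its last review.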
Safeguard 5.6: Centralize Account Management
Centralize account management through a directory or identity service.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |