Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
Why Is This Control Critical?
Where CIS Control 5 deals specifically with account management, CIS Control 6 focuses on managing what access these accounts have, ensuring users only have access to the data or enterprise assets appropriate for their role, and ensuring that there is strong authentication for critical or sensitive enterprise data or functions. Accounts should only have the minimal authorization needed for the role. Developing consistent access rights for each role and assigning roles to users is a best practice. Developing a program for complete provisioning and de-provisioning of access is also important. Centralizing this function is ideal.
Safeguards (8)
| ID | Title | Function | IG | Checklist Items | Evidence |
|---|---|---|---|---|---|
| 6.1 | Establish an Access Granting Process | Protect | IG1, IG2, IG3 | 5 | 3 |
| 6.2 | Establish an Access Revoking Process | Protect | IG1, IG2, IG3 | 7 | 5 |
| 6.3 | Require MFA for Externally-Exposed Applications | Protect | IG1, IG2, IG3 | 9 | 6 |
| 6.4 | Require MFA for Remote Network Access | Protect | IG1, IG2, IG3 | 7 | 4 |
| 6.5 | Require MFA for Administrative Access | Protect | IG1, IG2, IG3 | 9 | 6 |
| 6.6 | Establish and Maintain an Inventory of Authentication and Authorization Systems | Identify | IG2, IG3 | 11 | 7 |
| 6.7 | Centralize Access Control | Protect | IG2, IG3 | 8 | 5 |
| 6.8 | Define and Maintain Role-Based Access Control | Protect | IG3 | 8 | 5 |
Audit Verification Details
6.1 Establish an Access Granting Process
Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
6.2 Establish an Access Revoking Process
Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Audit logging is enabled on all in-scope systems and forwarded to centralized SIEM. | SIEM source status dashboard, log forwarding configuration |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Logs are retained per the defined retention period and reviewed on schedule. | Retention policy config, log review records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | SIEM dashboard showing log sources and collection status | Captured monthly |
| Record | Log review records and findings | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
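The revocation check an auditor would actually run for Safeguard 6.2 is a reconciliation of the HR roster against a directory export: every terminated user whose account is still enabled is a finding, and so is any enabled account with no HR record behind it. The script below is an added example written for this page, not CIS or vendor code; the roster, directory export, fixed "now" and 24-hour SLA are all constructed. It also shows the disable-not-delete remediation the text calls for, keeping the account object and stamping who disabled it and when, so the audit trail survives.

```python
import copy
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample data (not real records). HR roster keyed by user id.
HR_ROSTER = {
    "alice": {"status": "active", "terminated_at": None},
    "bob": {"status": "terminated", "terminated_at": "2024-03-01T17:00:00+00:00"},
    "carol": {"status": "terminated", "terminated_at": "2024-03-04T09:00:00+00:00"},
    "svc-backup": {"status": "active", "terminated_at": None},
}

# Constructed directory export: account state as the identity provider reports it.
DIRECTORY = {
    "alice": {"enabled": True},
    "bob": {"enabled": True},      # terminated but still enabled: a finding
    "carol": {"enabled": False},   # terminated and disabled: compliant
    "dave": {"enabled": True},     # no HR record at all: orphaned account
    "svc-backup": {"enabled": True},
}

# Fixed "now" so the example is reproducible (constructed).
NOW = datetime(2024, 3, 5, 12, 0, tzinfo=timezone.utc)
SLA_HOURS = 24  # assumed revocation SLA; the safeguard text says "immediately"


@dataclass
class Finding:
    user: str
    reason: str
    hours_open: Optional[float] = None


def find_revocation_gaps(hr, directory, now, sla_hours=SLA_HOURS):
    """Compare HR status with directory state and list accounts that should be disabled."""
    findings = []
    for user, acct in directory.items():
        rec = hr.get(user)
        if rec is None:
            findings.append(Finding(user, "no HR record (orphaned account)"))
            continue
        if rec["status"] == "terminated" and acct["enabled"]:
            terminated = datetime.fromisoformat(rec["terminated_at"])
            hours = (now - terminated).total_seconds() / 3600
            reason = "terminated but still enabled"
            if hours > sla_hours:
                reason += f" (revocation SLA of {sla_hours}h exceeded)"
            findings.append(Finding(user, reason, round(hours, 1)))
    return findings


def disable_accounts(directory, users, actor, now):
    """Disable rather than delete: the object and its history stay for the audit trail.
    Returns an updated copy of the directory plus an action log; the input is not mutated."""
    updated = copy.deepcopy(directory)
    log = []
    for user in users:
        updated[user]["enabled"] = False
        updated[user]["disabled_at"] = now.isoformat()
        updated[user]["disabled_by"] = actor
        log.append({"user": user, "action": "disable", "by": actor, "at": now.isoformat()})
    return updated, log


def run_review():
    """Find gaps, disable the terminated-but-enabled accounts, and re-check."""
    before = find_revocation_gaps(HR_ROSTER, DIRECTORY, NOW)
    # Orphaned accounts (no HR record) need an owner decision, not an automatic disable.
    to_disable = [f.user for f in before if f.hours_open is not None]
    updated, log = disable_accounts(DIRECTORY, to_disable, "access-review-bot", NOW)
    after = find_revocation_gaps(HR_ROSTER, updated, NOW)
    return before, log, after


if __name__ == "__main__":
    before, log, after = run_review()
    for f in before:
        print(f"{f.user}: {f.reason}" + (f" after {f.hours_open}h" if f.hours_open else ""))
    print("disabled:", [e["user"] for e in log])
    print("remaining:", [f.user for f in after])
```

The action log is the evidence item for the "Audit logging is enabled" and "Log review records" rows above: each disable is attributable to an actor and a time, and the disabled object still exists for later investigation.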
6.3 Require MFA for Externally-Exposed Applications
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Contracts with third parties include security requirements. | Contract excerpts showing security clauses |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Multi-factor authentication is enforced on all in-scope systems and accounts. | MFA enrollment status reports, conditional access policy config |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| MFA exceptions are documented, approved, and compensating controls are in place. | Exception records with compensating control documentation |
| Third-party service providers are inventoried and risk-assessed. | Vendor inventory, risk assessment reports, security scorecards |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | MFA enrollment status and enforcement configuration | Reviewed monthly |
| Record | Third-party risk assessment reports and scorecards | Annually per vendor |
| Document | Vendor contracts with security requirements | Per contract cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
6.4 Require MFA for Remote Network Access
Require MFA for remote network access.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Multi-factor authentication is enforced on all in-scope systems and accounts. | MFA enrollment status reports, conditional access policy config |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| MFA exceptions are documented, approved, and compensating controls are in place. | Exception records with compensating control documentation |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | MFA enrollment status and enforcement configuration | Reviewed monthly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
6.5 Require MFA for Administrative Access
Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Contracts with third parties include security requirements. | Contract excerpts showing security clauses |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Multi-factor authentication is enforced on all in-scope systems and accounts. | MFA enrollment status reports, conditional access policy config |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| MFA exceptions are documented, approved, and compensating controls are in place. | Exception records with compensating control documentation |
| Third-party service providers are inventoried and risk-assessed. | Vendor inventory, risk assessment reports, security scorecards |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | MFA enrollment status and enforcement configuration | Reviewed monthly |
| Record | Third-party risk assessment reports and scorecards | Annually per vendor |
| Document | Vendor contracts with security requirements | Per contract cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
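Safeguards 6.3, 6.4 and 6.5 share one audit question: for every account-to-system pairing in scope, is MFA enforced, and if not, is there a current, approved exception with a compensating control? The script below is an added example for this page (not CIS code); the system inventory, account list and exception register are constructed. It maps each pairing to the safeguard(s) that mandate MFA (externally exposed, remote access, administrative), separates systems that cannot support MFA (the "where supported" carve-out) from real gaps, and distinguishes a valid exception from an expired one, which is the distinction the "MFA exceptions are documented, approved" checklist row is after.

```python
from datetime import date

# Constructed inventory of in-scope systems and the attributes that trigger each safeguard.
SYSTEMS = {
    "vpn":            {"externally_exposed": True,  "remote_access": True,  "mfa_supported": True},
    "hr-portal":      {"externally_exposed": True,  "remote_access": False, "mfa_supported": True},
    "legacy-plc-hmi": {"externally_exposed": False, "remote_access": False, "mfa_supported": False},
    "cloud-console":  {"externally_exposed": True,  "remote_access": False, "mfa_supported": True},
}

# Constructed account list: systems each account can reach, admin flag, MFA enrollment.
ACCOUNTS = {
    "alice": {"admin": False, "systems": ["vpn", "hr-portal"],               "mfa_enrolled": True},
    "bob":   {"admin": True,  "systems": ["cloud-console", "legacy-plc-hmi"], "mfa_enrolled": False},
    "carol": {"admin": False, "systems": ["vpn"],                            "mfa_enrolled": False},
    "erin":  {"admin": True,  "systems": ["cloud-console"],                  "mfa_enrolled": False},
}

# Constructed exception register: expiry date and the compensating control on file.
EXCEPTIONS = {
    "carol": {"expires": date(2024, 12, 31), "compensating": "source IP allow-list, 30-day review"},
    "erin":  {"expires": date(2023, 6, 30),  "compensating": "hardware token rollout pending"},
}

# Fixed audit date so the example is reproducible (constructed).
TODAY = date(2024, 6, 1)


def required_safeguards(account, system):
    """Return the safeguard IDs that make MFA mandatory for this account on this system."""
    req = set()
    if system["externally_exposed"]:
        req.add("6.3")
    if system["remote_access"]:
        req.add("6.4")
    if account["admin"]:
        req.add("6.5")   # admin accounts need MFA on every asset, on-site or third-party
    return req


def mfa_audit(systems, accounts, exceptions, today):
    """Return (findings, unsupported): MFA gaps with exception status, and pairings
    where the system cannot enforce MFA and a compensating control is needed instead."""
    findings, unsupported = [], []
    for name, acct in accounts.items():
        for system_name in acct["systems"]:
            system = systems[system_name]
            req = required_safeguards(acct, system)
            if not req:
                continue  # none of 6.3/6.4/6.5 mandates MFA for this pairing
            if not system["mfa_supported"]:
                unsupported.append((name, system_name, sorted(req)))
                continue
            if acct["mfa_enrolled"]:
                continue
            exc = exceptions.get(name)
            if exc and exc["expires"] >= today:
                status = "exception"
            elif exc:
                status = "expired exception"
            else:
                status = "no exception"
            findings.append({"user": name, "system": system_name,
                             "safeguards": sorted(req), "status": status})
    return findings, unsupported


def run_audit():
    return mfa_audit(SYSTEMS, ACCOUNTS, EXCEPTIONS, TODAY)


if __name__ == "__main__":
    findings, unsupported = run_audit()
    for f in findings:
        print(f"{f['user']} on {f['system']} ({', '.join(f['safeguards'])}): {f['status']}")
    for user, system, req in unsupported:
        print(f"{user} on {system}: MFA unsupported, compensating control required ({', '.join(req)})")
```

Only the "no exception" and "expired exception" rows are audit findings; a pairing covered by a current exception is evidence that the exception process works, and the unsupported list is the population the compensating-control documentation must cover.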
6.6 Establish and Maintain an Inventory of Authentication and Authorization Systems
Establish and maintain an inventory of the enterprise's authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Contracts with third parties include security requirements. | Contract excerpts showing security clauses |
| Inventory tool is deployed and all required data fields are populated. | Inventory tool screenshot, exported data with populated fields |
| Multi-factor authentication is enforced on all in-scope systems and accounts. | MFA enrollment status reports, conditional access policy config |
| An inventory or catalog is maintained, accurate, and complete. | Inventory export with timestamps showing recent updates |
| Inventory is reviewed and reconciled on the defined schedule. | Review meeting minutes, sign-off records, or change logs |
| New assets/items are added to the inventory within the defined onboarding window. | Sample of recently onboarded assets with inventory timestamps |
| Process exists to identify and remediate unauthorized or unmanaged items. | Exception reports, unauthorized asset remediation records |
| MFA exceptions are documented, approved, and compensating controls are in place. | Exception records with compensating control documentation |
| Third-party service providers are inventoried and risk-assessed. | Vendor inventory, risk assessment reports, security scorecards |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Current inventory or catalog documentation | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for identification activities | Reviewed annually |
| Technical | Asset/software inventory export with required fields populated | Exported quarterly for review |
| Record | Inventory review meeting minutes or sign-off | Per review cycle |
| Record | Third-party risk assessment reports and scorecards | Annually per vendor |
| Document | Vendor contracts with security requirements | Per contract cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
6.7 Centralize Access Control
Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Access is granted based on least privilege and role-based access control. | RBAC configuration, access matrix documentation |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Access reviews and recertifications are completed on schedule. | Access review records with sign-off and remediation actions |
| Privileged access is monitored and audited. | Privileged access logs, PAM session recordings or reports |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Access review/recertification records with sign-off | Quarterly |
| Technical | Access control configuration evidence (RBAC settings, group memberships) | Reviewed quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
6.8 Define and Maintain Role-Based Access Control
Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Access is granted based on least privilege and role-based access control. | RBAC configuration, access matrix documentation |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Access reviews and recertifications are completed on schedule. | Access review records with sign-off and remediation actions |
| Privileged access is monitored and audited. | Privileged access logs, PAM session recordings or reports |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Access review/recertification records with sign-off | Quarterly |
| Technical | Access control configuration evidence (RBAC settings, group memberships) | Reviewed quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
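The access control review that 6.8 requires (and that 6.7's "RBAC configuration, access matrix documentation" evidence row feeds) reduces to a set comparison: the role matrix defines the entitlements each role needs, HR says which roles each user holds, and the directory says which groups each user is actually in. Anything held but not implied by a role is unauthorized privilege; anything implied but not held is a provisioning gap. The script below is an added example for this page, not CIS code; the role matrix, user roles, group export and the list of privileged groups are constructed. It flags privileged groups held outside any role separately, since those are the findings a reviewer signs off on first, and turns the review into the grant/revoke actions the recertification record should show.

```python
# Constructed role matrix: the access rights each role needs to carry out its duties (6.8).
ROLE_MATRIX = {
    "helpdesk":  {"grp-ticketing", "grp-password-reset"},
    "developer": {"grp-ticketing", "grp-git-write", "grp-ci-run"},
    "dba":       {"grp-ticketing", "grp-db-admin"},
}

# Groups that confer privileged access; holding one outside a role is a high-severity finding.
PRIVILEGED = {"grp-db-admin", "grp-domain-admin"}

# Constructed HR view: each user's current role(s).
USER_ROLES = {
    "alice": ["developer"],
    "bob":   ["helpdesk"],
    "carol": ["dba", "developer"],
    "dave":  ["helpdesk"],
}

# Constructed directory export of actual group memberships.
ACTUAL = {
    "alice":   {"grp-ticketing", "grp-git-write", "grp-ci-run"},
    "bob":     {"grp-ticketing", "grp-password-reset", "grp-domain-admin"},  # privilege creep
    "carol":   {"grp-ticketing", "grp-db-admin", "grp-git-write"},            # missing grp-ci-run
    "dave":    {"grp-ticketing"},                                             # missing password-reset
    "mallory": {"grp-git-write"},                                             # no role on record
}


def expected_for(user, user_roles, matrix):
    """Union of the entitlements implied by every role the user holds."""
    groups = set()
    for role in user_roles.get(user, []):
        groups |= matrix[role]
    return groups


def review_access(user_roles, matrix, actual, privileged):
    """Compare held groups with role-implied groups for every known user."""
    report = {}
    for user in sorted(set(actual) | set(user_roles)):
        expected = expected_for(user, user_roles, matrix)
        held = actual.get(user, set())
        excess = held - expected      # authorized by no role: must be revoked or justified
        missing = expected - held     # role needs it but the user lacks it: provisioning gap
        report[user] = {
            "excess": sorted(excess),
            "missing": sorted(missing),
            "privileged_excess": sorted(excess & privileged),
            "no_role": user not in user_roles,
        }
    return report


def certification_actions(report):
    """Turn the review into the revoke/grant actions a reviewer signs off on."""
    actions = []
    for user, r in report.items():
        for g in r["excess"]:
            actions.append(("revoke", user, g))
        for g in r["missing"]:
            actions.append(("grant", user, g))
    return actions


def run_certification():
    report = review_access(USER_ROLES, ROLE_MATRIX, ACTUAL, PRIVILEGED)
    return report, certification_actions(report)


if __name__ == "__main__":
    report, actions = run_certification()
    for user, r in report.items():
        if r["excess"] or r["missing"] or r["no_role"]:
            print(user, r)
    for action in actions:
        print(*action)
```

Run against a real export, the report is the "Access review records with sign-off and remediation actions" evidence item: each excess entitlement is either revoked (a change ticket) or explicitly approved as an exception, and the privileged_excess list is the subset that should never wait for the next quarterly cycle.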