Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
Why Is This Control Critical?
It is easier for an external or internal threat actor to gain unauthorized access to enterprise assets or data by using valid user credentials than by 'hacking' the environment. There are many ways to covertly obtain access to user accounts, including: weak passwords; accounts still valid after a user leaves the enterprise; dormant or lingering test accounts; shared accounts whose passwords have not been changed in months or years; service accounts embedded in applications or scripts; a user reusing the same password as one they use for an online account that has been compromised in a public breach; social engineering a user into giving up their password; or brute-force guessing of a password. Administrative, or highly privileged, accounts are a particular target, because they allow attackers to add accounts, change configurations, read and modify stored data, impersonate regular users, and conduct data theft.
Safeguards (6)
| ID | Title | Asset Type | Function | Implementation Groups |
|---|---|---|---|---|
| 5.1 | Establish and Maintain an Inventory of Accounts | Users | Identify | IG1, IG2, IG3 |
| 5.2 | Use Unique Passwords | Users | Protect | IG1, IG2, IG3 |
| 5.3 | Disable Dormant Accounts | Users | Respond | IG1, IG2, IG3 |
| 5.4 | Restrict Administrator Privileges to Dedicated Administrator Accounts | Users | Protect | IG1, IG2, IG3 |
| 5.5 | Establish and Maintain an Inventory of Service Accounts | Users | Identify | IG2, IG3 |
| 5.6 | Centralize Account Management | Users | Protect | IG2, IG3 |
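The safeguards above only help if the account inventory is actually checked. The following script is an added example, not part of this page or of the CIS Controls themselves: it runs three of the checks implied by the table (dormant accounts for 5.3, unowned accounts for 5.1 and 5.5, and daily-use accounts holding administrator privilege for 5.4) over a constructed, fictitious inventory. The record layout, the 45-day idle threshold and all account names are assumptions for illustration; in practice the records would be exported from the directory or IAM system.

```python
from datetime import date, datetime

# Constructed sample inventory (fictitious accounts, not from any real system).
# Each record carries the fields a 5.1/5.5 inventory should track: the kind of
# account, whether it holds administrator privilege, whether it is enabled, who
# owns it, and when it was last used (None = never recorded).
SAMPLE_INVENTORY = [
    {"name": "alice",      "kind": "user",    "privileged": False, "enabled": True,  "owner": "alice",  "last_login": "2024-05-28"},
    {"name": "bob",        "kind": "user",    "privileged": True,  "enabled": True,  "owner": "bob",    "last_login": "2024-05-30"},
    {"name": "carol",      "kind": "user",    "privileged": False, "enabled": False, "owner": "carol",  "last_login": "2023-11-10"},
    {"name": "dave",       "kind": "user",    "privileged": False, "enabled": True,  "owner": "dave",   "last_login": "2024-04-01"},
    {"name": "alice-adm",  "kind": "admin",   "privileged": True,  "enabled": True,  "owner": "alice",  "last_login": "2024-05-20"},
    {"name": "test-admin", "kind": "admin",   "privileged": True,  "enabled": True,  "owner": "",       "last_login": "2023-09-01"},
    {"name": "svc-backup", "kind": "service", "privileged": False, "enabled": True,  "owner": "it-ops", "last_login": "2024-05-29"},
    {"name": "svc-legacy", "kind": "service", "privileged": False, "enabled": True,  "owner": "",       "last_login": None},
]

# Assumed "today" for the audit so the results are reproducible.
AS_OF = date(2024, 6, 1)


def _idle_days(account, as_of):
    """Days since last recorded login, or None when no login was ever recorded."""
    if account["last_login"] is None:
        return None
    last = datetime.strptime(account["last_login"], "%Y-%m-%d").date()
    return (as_of - last).days


def find_dormant(inventory, as_of, max_idle_days=45):
    """Safeguard 5.3: enabled accounts idle longer than the threshold, or never
    used at all. Disabled accounts are already handled and are skipped.
    The 45-day default is an assumed policy value."""
    dormant = []
    for acct in inventory:
        if not acct["enabled"]:
            continue
        idle = _idle_days(acct, as_of)
        if idle is None or idle > max_idle_days:
            dormant.append(acct["name"])
    return sorted(dormant)


def find_unowned(inventory):
    """Safeguards 5.1 / 5.5: every account, service accounts included, must map
    to a responsible owner; an empty owner field is an inventory gap."""
    return sorted(a["name"] for a in inventory if not a["owner"])


def find_privileged_daily_accounts(inventory):
    """Safeguard 5.4: administrator privilege should live only on dedicated
    admin accounts, so a 'user' account that is privileged is a finding."""
    return sorted(a["name"] for a in inventory
                  if a["kind"] == "user" and a["privileged"])


def audit(inventory, as_of, max_idle_days=45):
    """Run all checks and return a findings dictionary keyed by safeguard."""
    return {
        "5.3_dormant": find_dormant(inventory, as_of, max_idle_days),
        "5.1_5.5_unowned": find_unowned(inventory),
        "5.4_privileged_user_accounts": find_privileged_daily_accounts(inventory),
    }


if __name__ == "__main__":
    for safeguard, names in audit(SAMPLE_INVENTORY, AS_OF).items():
        print(f"{safeguard}: {', '.join(names) or 'none'}")
```

The three lists are deliberately separate rather than merged into one score: a dormant account and an unowned account call for different actions (disable versus assign an owner), and an account can appear in more than one list, as the unowned, never-used service account does here. Feeding the same checks a real directory export on a schedule turns the inventory from a document into a control.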