Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
Why Is This Control Critical?
Where CIS Control 5 deals specifically with account management, CIS Control 6 focuses on managing what access these accounts have, ensuring users only have access to the data or enterprise assets appropriate for their role, and ensuring that there is strong authentication for critical or sensitive enterprise data or functions. Accounts should only have the minimal authorization needed for the role. Developing consistent access rights for each role and assigning roles to users is a best practice. Developing a program for complete provisioning and de-provisioning of access is also important. Centralizing this function is ideal.
Safeguards (8)
| ID | Title | Asset Type | Function | Implementation Groups |
|---|---|---|---|---|
| 6.1 | Establish an Access Granting Process | Users | Protect | IG1, IG2, IG3 |
| 6.2 | Establish an Access Revoking Process | Users | Protect | IG1, IG2, IG3 |
| 6.3 | Require MFA for Externally-Exposed Applications | Users | Protect | IG1, IG2, IG3 |
| 6.4 | Require MFA for Remote Network Access | Users | Protect | IG1, IG2, IG3 |
| 6.5 | Require MFA for Administrative Access | Users | Protect | IG1, IG2, IG3 |
| 6.6 | Establish and Maintain an Inventory of Authentication and Authorization Systems | Users | Identify | IG2, IG3 |
| 6.7 | Centralize Access Control | Users | Protect | IG2, IG3 |
| 6.8 | Define and Maintain Role-Based Access Control | Data | Protect | IG3 |