6.7 Centralize Access Control
Implementation Groups: IG2, IG3

Asset Type: Users
Security Function: Protect

Description

Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Define access control requirements based on least privilege
7. Implement role-based access control (RBAC)
8. Configure access review and recertification process
9. Monitor and audit privileged access usage
10. Select centralized management platform
11. Integrate all in-scope systems and data sources
12. Configure dashboards and reporting

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Inconsistent Access Controls Exploited Across Systems (impact: Confidentiality)

Without centralized access control, different systems enforce different policies; attackers target the system with the weakest authentication to gain initial access.

Unable to Enforce Enterprise-Wide Access Policies (impact: Integrity)

Decentralized access control prevents consistent enforcement of conditional access, geographic restrictions, or risk-based authentication across all enterprise applications.

Vulnerabilities (When Safeguard Absent)

Decentralized Access Control Without SSO

Without centralized access control via directory service or SSO, each application manages its own authentication independently, creating inconsistent security enforcement.

No Unified Visibility into Access Events

Decentralized access control means authentication events are scattered across individual systems, making it impossible to detect coordinated attacks or anomalous access patterns.
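As an added illustration of this point (not part of the CIS text), the following Python script replays constructed authentication events from four separately managed applications and compares what each application's own failure threshold sees with what a centralized aggregation of the same events sees; the event fields, system names, addresses and threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample authentication events, as they would arrive from four
# separately administered applications (vpn, mail, hr, crm). The field names
# are assumptions for this example, not any product's log schema.
EVENTS = [
    {"system": "vpn",  "user": "alice", "src_ip": "203.0.113.5",  "result": "success"},
    {"system": "mail", "user": "bob",   "src_ip": "203.0.113.9",  "result": "success"},
    # One source address tries two accounts on each application and moves on.
    {"system": "vpn",  "user": "carol", "src_ip": "198.51.100.7", "result": "failure"},
    {"system": "vpn",  "user": "dave",  "src_ip": "198.51.100.7", "result": "failure"},
    {"system": "mail", "user": "erin",  "src_ip": "198.51.100.7", "result": "failure"},
    {"system": "mail", "user": "frank", "src_ip": "198.51.100.7", "result": "failure"},
    {"system": "hr",   "user": "grace", "src_ip": "198.51.100.7", "result": "failure"},
    {"system": "hr",   "user": "heidi", "src_ip": "198.51.100.7", "result": "failure"},
    {"system": "crm",  "user": "ivan",  "src_ip": "198.51.100.7", "result": "failure"},
    {"system": "crm",  "user": "judy",  "src_ip": "198.51.100.7", "result": "failure"},
    {"system": "crm",  "user": "alice", "src_ip": "203.0.113.5",  "result": "failure"},
]

THRESHOLD = 5  # failed attempts from one address before an alert fires (assumed)


def per_system_alerts(events, threshold=THRESHOLD):
    """Decentralized view: each application counts failures only in its own
    log. Returns the (system, src_ip) pairs that exceed the threshold alone."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "failure":
            counts[(e["system"], e["src_ip"])] += 1
    return {key for key, n in counts.items() if n >= threshold}


def central_alerts(events, threshold=THRESHOLD):
    """Centralized view: aggregate failures per source address across every
    system, reporting how many systems and accounts each address touched."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["src_ip"]].append(e)
    return {
        ip: {"attempts": len(evs),
             "systems": sorted({e["system"] for e in evs}),
             "users": sorted({e["user"] for e in evs})}
        for ip, evs in failures.items() if len(evs) >= threshold
    }


if __name__ == "__main__":
    print("per-system alerts:", per_system_alerts(EVENTS))  # set()
    print("central alerts:", central_alerts(EVENTS))        # one address, 8 attempts, 4 systems
```

No single application ever reaches the threshold, so the decentralized view stays silent; only the aggregated view exposes the same address touching eight accounts on four systems.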

Evidence Requirements

Type      | Evidence Item                                                            | Collection Frequency
Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly
Document  | Procedure documentation for protection measures                          | Reviewed annually
Record    | Access review/recertification records with sign-off                      | Quarterly
Technical | Access control configuration evidence (RBAC settings, group memberships) | Reviewed quarterly
Document  | Governing policy document (current, approved, communicated)              | Reviewed annually