CIS Control 16: Account Monitoring and Control
Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them.
16.1: Maintain an Inventory of Authentication Systems
- Maintain an inventory of each of the organization’s authentication systems, including those located on-site or at a remote service provider.
16.2: Configure Centralized Point of Authentication
- Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
16.3: Require Multi-Factor Authentication
- Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
16.4: Encrypt or Hash All Authentication Credentials
- Encrypt or hash with a salt all authentication credentials when stored.
16.5: Encrypt Transmittal of Username and Authentication Credentials
- Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
16.6: Maintain an Inventory of Accounts
- Maintain an inventory of all accounts organized by authentication system.
16.7: Establish Process for Revoking Access
- Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
16.8: Disable Any Unassociated Accounts
- Disable any account that cannot be associated with a business process or business owner.
16.9: Disable Dormant Accounts
- Automatically disable dormant accounts after a set period of inactivity.
16.10: Ensure All Accounts Have An Expiration Date
- Ensure that all accounts have an expiration date that is monitored and enforced.
16.11: Lock Workstation Sessions After Inactivity
- Automatically lock workstation sessions after a standard period of inactivity.
16.12: Monitor Attempts to Access Deactivated Accounts
- Monitor attempts to access deactivated accounts through audit logging.
16.13: Alert on Account Login Behavior Deviation
- Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
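As an added example that is not part of the CIS document, the following Python script applies four of the sub-controls above (16.9, 16.10, 16.12 and 16.13) to a constructed account inventory and constructed authentication log lines; the record format, the 90-day dormancy threshold and the 07:00-19:59 normal login window are assumptions chosen for the illustration.

```python
from datetime import datetime, timedelta

# Constructed account inventory (format is an assumption, not a CIS artifact).
ACCOUNTS = {
    "alice": {"status": "active",   "last_login": "2024-03-01T09:12:00", "expires": "2024-12-31"},
    "bob":   {"status": "active",   "last_login": "2023-11-02T17:40:00", "expires": "2024-12-31"},
    "carol": {"status": "disabled", "last_login": "2023-08-15T08:00:00", "expires": "2023-08-15"},
    "dave":  {"status": "active",   "last_login": "2024-03-02T10:00:00", "expires": "2024-01-31"},
}
# Constructed authentication log lines: timestamp, then key=value fields.
AUTH_LOG = """\
2024-03-04T08:55:10 user=alice result=success host=ws-12
2024-03-04T02:13:45 user=alice result=success host=ws-99
2024-03-04T09:02:00 user=carol result=failure host=ws-07
2024-03-04T09:05:30 user=bob result=success host=ws-03
"""
NOW = datetime(2024, 3, 5)          # evaluation time for the constructed data
DORMANT_DAYS = 90                   # assumed inactivity threshold (16.9)
WORK_HOURS = range(7, 20)           # assumed normal login window, 07:00-19:59 (16.13)

def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def dormant_accounts(accounts, now=NOW, days=DORMANT_DAYS):
    """16.9: active accounts with no login in the last `days` days."""
    cutoff = now - timedelta(days=days)
    return sorted(u for u, a in accounts.items() if a["status"] == "active"
                  and datetime.fromisoformat(a["last_login"]) < cutoff)

def expired_accounts(accounts, now=NOW):
    """16.10: active accounts whose expiration date has passed."""
    return sorted(u for u, a in accounts.items() if a["status"] == "active"
                  and datetime.fromisoformat(a["expires"]) < now)

def deactivated_access_attempts(events, accounts):
    """16.12: any attempt, successful or not, against a disabled account."""
    return [e for e in events if accounts.get(e["user"], {}).get("status") == "disabled"]

def off_hours_logins(events, hours=WORK_HOURS):
    """16.13: successful logins outside the expected time-of-day window."""
    return [e for e in events if e["result"] == "success" and e["ts"].hour not in hours]
```

Each function returns the accounts or events that need action, so the same checks can be fed from a real inventory export and audit log once the parsing matches your own formats.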
Figure: System Entity Relationship Diagram
You can also learn more about the CIS controls here.
This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License.