CIS Control 5 Explained: Account Management

CIS Control 5 involves account management. This means using tools and processes to assign and manage credentials and access for user accounts for all enterprise assets and software.

The Importance of Control 5

Unauthorized access to enterprise assets or data is often easier for malicious attackers when they use valid user credentials rather than exploiting system vulnerabilities. There are various ways to gain access to user accounts such as brute forcing weak passwords, using social engineering tactics to trick users into revealing their credentials and malware designed to capture passwords or tokens in memory or over the network.

Administrative and highly privileged accounts are particularly attractive targets, as they enable attackers to create new accounts or make changes that could expose assets to further risks. Service accounts are also sensitive and are often shared among both internal and external teams.

Implementation Groups (IGs)

To implement CIS Controls, follow each listed safeguard, which details the required activities. Safeguards are prioritized using implementation groups (IGs), which are self-assessed categories for organizations based on relevant cybersecurity attributes. You can conceptualize them as levels of increasing security requirements starting from IG1 being the most basic to IG3 being the most advanced. The higher level groups are included in the lower ones.

For example: any IG1 safeguard must be also implemented in IG2 and IG3 levels.

The Safeguards of Control 5

There are six safeguards in CIS Control 5. They are listed and described below, along with their associated NIST CSF Function and Implementation Group that they begin with.

Safeguard NumberSafeguard TitleNIST Security FunctionStartingImplementation Group
Safeguard 5.1Establish and Maintain an Inventory of AccountsIdentifyIG1
Safeguard 5.2Use Unique PasswordsProtectIG1
Safeguard 5.3Disable Dormant AccountsProtectIG1
Safeguard 5.4Restrict Administrator Privileges to Dedicated Administrator AccountsProtectIG1
Safeguard 5.5Establish and Maintain an Inventory of Service AccountsProtectIG2
Safeguard 5.6Centralize Account ManagementGovernIG2