Include continuous user account management procedures in the internal control framework.

CONTROL ID: 01360
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an internal control framework., CC ID: 00820

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. Include an approval procedure outlining the data or system owner granting the access privileges. These procedures should apply for … (DS5.4 User Account Management, CobiT, Version 4.1)
  • The control system shall provide the capability to support the management of all accounts by authorized users, including adding, activating, modifying, disabling and removing accounts (5.5.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • Components shall provide the capability to support the management of all accounts directly or integrated into a system that manages accounts according to IEC 62443‑3‑3 SR 1.3. (5.5.1 ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • Verify that responsibility for administering user account and authentication management is formally assigned. (§ 12.5.4, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify responsibility for administering user account and authentication management has been formally assigned in the Information Security policies and procedures. (Testing Procedures § 12.5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must ensure that additions, deletions, and modifications to user accounts are assigned to an Administrator. (§ 12.5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that responsibility for administering user account and authentication management is formally assigned. (§ 12.5.4 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The Information Security policies and procedures must formally assign an individual or a team the responsibility for administering user accounts, including additions, deletions, and modifications. (PCI DSS Requirements § 12.5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Are the information security management responsibilities for administering user accounts, including additions, deletions, and modifications, formally assigned to an individual or a team? (PCI DSS Question 12.5.4, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are the information security management responsibilities for administering user accounts, including additions, deletions, and modifications, formally assigned to an individual or a team? (PCI DSS Question 12.5.4, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Access Control standards and procedures should take account of an information security policy. (CF.06.01.02a-1, The Standard of Good Practice for Information Security)
  • Access Control standards and procedures should take account of an information security policy. (CF.06.01.02a-1, The Standard of Good Practice for Information Security, 2013)
  • Actively manage the life cycle of system and application accounts - their creation, use, dormancy, deletion - in order to minimize opportunities for attackers to leverage them. (CIS Control 16: Account Monitoring and Control, CIS Controls, 7.1)
  • Actively manage the life cycle of system and application accounts - their creation, use, dormancy, deletion - in order to minimize opportunities for attackers to leverage them. (CIS Control 16: Account Monitoring and Control, CIS Controls, V7)
  • Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable. (CIS Control 4: Safeguard 4.7 Manage Default Accounts on Enterprise Assets and Software, CIS Controls, V8)
  • Centralize account management through a directory or identity service. (CIS Control 5: Safeguard 5.6 Centralize Account Management, CIS Controls, V8)
  • Security Conditions For Connection. Unless security conditions for connection are in place and contractually agreed, an organization is in effect accepting the risks associated with the other end of a network connection. As an example, organization A may require that before organization B can be con… (¶ 13.2.4, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • Components shall provide the capability to support the management of all accounts directly or integrated into a system that manages accounts according to ISA‐62443‐3‐3 [11] SR 1.3. (5.5.1 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Manage the creation, modification, use, and permissions associated to user accounts. (M1018 User Account Management, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • Restricts account access and limits privileges and permissions. (App A Objective 3:7c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The information security program should include controls to protect information from unauthorized access or from being used in an unauthorized manner. (§ 314.3(b)(3), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule)
  • Administer accounts, network rights, and access to systems and equipment. (T0494, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must document and justify, in the security plan, any exceptions that permit users to access the Information System absent Identification and Authentication. (App F § AC-14.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Anyone who stores, licenses, owns, or maintains personal information about a Massachusetts resident and electronically transmits or stores that information must establish and maintain a security system (which must be included in the comprehensive, written information security program) for all comput… (§ 17.04(1), § 17.04(2), Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts)