1. Quick wins: Review all system accounts and disable any account that cannot be associated with a business process and owner.
2. Quick wins: Ensure that all accounts have an expiration date associated with the account.
3. Quick wins: Ensure that systems automatically create a report on a daily basis that includes a list of locked-out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire. This list should be sent to the associated system administrator in a secure fashion.
4. Quick wins: Establish and follow a process for revoking system access by disabling accounts immediately upon termination of an employee or contractor.
5. Quick wins: Regularly monitor the use of all accounts, automatically logging off users after a standard period of inactivity.
6. Quick wins: Monitor account usage to determine dormant accounts that have not been used for a given period, such as 45 days, notifying the user or user's manager of the dormancy. After a longer period, such as 60 days, the account should be disabled.
7. Quick wins: When a dormant account is disabled, any files associated with that account should be encrypted and moved to a secure file server for analysis by security or management personnel.
8. Quick wins: Require that all nonadministrator accounts have strong passwords that contain letters, numbers, and special characters; are changed at least every 90 days; have a minimum age of one day; and cannot reuse any of the previous 15 passwords. These values can be adjusted based on the specific business needs of the organization.
9. Quick wins: Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time.
10. Visibility/Attribution: On a periodic basis, such as quarterly or at least annually, require that managers match active employees and contractors with each account belonging to their managed staff. Security or system administrators should then disable accounts that are not assigned to active employees or contractors.
11. Visibility/Attribution: Monitor attempts to access deactivated accounts through audit logging.
12. Configuration/Hygiene: Profile each user's typical account usage by determining normal time-of-day access and access duration. Daily reports should be generated that indicate users who have logged in during unusual hours or have exceeded their normal login duration by 150 percent. This includes flagging the use of the user's credentials from a computer other than computers on which the user generally works.
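The daily account status list in sub-control 3 and the two-stage dormancy rule in sub-control 6 are the pieces of this list that are typically implemented as a script over a directory export. The following is an added example, not code from the original control document; the record field names (enabled, locked_out, password_last_set, last_logon, owner) are assumptions to be mapped from whatever the directory or system exports, and the account records are constructed for the example. It treats an account that has never logged on as dormant from its creation date, so a provisioned-but-unclaimed account is still caught.

```python
"""Daily account status report (added example; field names and records are constructed).

Produces the daily list called for by sub-control 3 (locked-out, disabled,
password older than the maximum age, password never expires) together with
the 45/60-day dormancy rule of sub-control 6 and the no-owner check of
sub-control 1.
"""
from datetime import datetime, timedelta, timezone

# Fixed "today" so the run is reproducible; a real job would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, 6, 0, tzinfo=timezone.utc)

# Constructed sample export. In practice this comes from AD, LDAP, /etc/shadow, etc.
ACCOUNTS = [
    {"name": "alice", "enabled": True, "locked_out": False, "owner": "alice.mgr",
     "password_last_set": NOW - timedelta(days=30), "password_never_expires": False,
     "last_logon": NOW - timedelta(days=1), "created": NOW - timedelta(days=400)},
    {"name": "bob", "enabled": True, "locked_out": True, "owner": "bob.mgr",
     "password_last_set": NOW - timedelta(days=95), "password_never_expires": False,
     "last_logon": NOW - timedelta(days=50), "created": NOW - timedelta(days=400)},
    {"name": "svc_backup", "enabled": True, "locked_out": False, "owner": None,
     "password_last_set": NOW - timedelta(days=700), "password_never_expires": True,
     "last_logon": NOW - timedelta(days=2), "created": NOW - timedelta(days=800)},
    {"name": "carol", "enabled": False, "locked_out": False, "owner": "carol.mgr",
     "password_last_set": NOW - timedelta(days=200), "password_never_expires": False,
     "last_logon": NOW - timedelta(days=120), "created": NOW - timedelta(days=900)},
    {"name": "dave", "enabled": True, "locked_out": False, "owner": "dave.mgr",
     "password_last_set": NOW - timedelta(days=10), "password_never_expires": False,
     "last_logon": None, "created": NOW - timedelta(days=70)},  # provisioned, never used
]


def account_report(accounts, now=NOW, max_password_age=90,
                   dormant_notify=45, dormant_disable=60):
    """Return the daily report as {category: sorted account names}.

    Disabled accounts are listed as disabled and skipped for the password-age
    and dormancy checks, which only matter for live accounts. Dormancy is
    measured from last_logon, or from creation when the account never logged on.
    A never-expiring password is also checked against the maximum age, since
    both facts belong in the report.
    """
    report = {k: [] for k in ("locked_out", "disabled", "password_expired",
                               "password_never_expires", "dormant_notify",
                               "dormant_disable", "no_owner")}
    for acct in accounts:
        name = acct["name"]
        if acct["owner"] is None:
            report["no_owner"].append(name)          # sub-control 1 candidate for disabling
        if acct["locked_out"]:
            report["locked_out"].append(name)
        if not acct["enabled"]:
            report["disabled"].append(name)
            continue
        if acct["password_never_expires"]:
            report["password_never_expires"].append(name)
        if (now - acct["password_last_set"]).days > max_password_age:
            report["password_expired"].append(name)
        last_used = acct["last_logon"] or acct["created"]
        idle_days = (now - last_used).days
        if idle_days >= dormant_disable:
            report["dormant_disable"].append(name)   # disable now
        elif idle_days >= dormant_notify:
            report["dormant_notify"].append(name)    # notify user or manager
    return {k: sorted(v) for k, v in report.items()}


def render_report(report, now=NOW):
    """Plain-text body for delivery to the responsible administrator."""
    lines = [f"Account status report for {now.date().isoformat()}"]
    for category, names in report.items():
        lines.append(f"{category}: {', '.join(names) if names else '(none)'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(account_report(ACCOUNTS)))
```

Delivery "in a secure fashion" (sub-control 3) is outside the script: hand the rendered text to whatever encrypted mail or ticketing channel the organization already trusts rather than sending it as plain e-mail.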
Associated NIST SP 800-53 controls: AC-2 (e, f, g, h, j, 2, 3, 4, 5), AC-3
Associated NSA Manageable Network Plan milestone: Milestone 5, User Access
Although most operating systems include capabilities for logging information about account usage, these features are sometimes disabled by default. Even when such features are present and active, they often do not provide fine-grained detail about access to the system by default. Security personnel can configure systems to record more detailed information about account access, and use home-grown scripts or third-party log analysis tools to analyze this information and profile user access of various systems.
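The profiling described here and in sub-control 12 (normal hours, normal session length, usual hosts) is what such a home-grown script looks like. The following is an added example, not code from the original control document. The logon records are constructed; real input would be parsed from logon/logoff audit events. The thresholds are assumptions: "150 percent" is taken as 1.5 times the user's median session length, and an hour of slack is allowed around the hours previously seen so an 08:45 logon is not flagged against a baseline of 08:30 logons.

```python
"""Profile-based account usage report (added example; sessions are constructed).

Builds a per-user baseline from historical logon sessions (hours of day seen,
median session length, hosts used) and flags today's sessions that fall
outside it, as sub-control 12 describes. Thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed history: (user, host, start, duration_minutes). Twenty working
# days of an 08:30 eight-hour day for alice and a 09:00 seven-hour day for bob.
HISTORY = (
    [("alice", "ws-alice", datetime(2024, 5, d, 8, 30), 480) for d in range(1, 21)]
    + [("bob", "ws-bob", datetime(2024, 5, d, 9, 0), 420) for d in range(1, 21)]
)

# Constructed sessions for the day under review.
TODAY = [
    ("alice", "ws-alice", datetime(2024, 5, 21, 8, 45), 470),   # normal
    ("alice", "ws-alice", datetime(2024, 5, 21, 23, 10), 60),   # unusual hour
    ("bob", "ws-bob", datetime(2024, 5, 21, 9, 5), 900),        # far longer than usual
    ("bob", "srv-db01", datetime(2024, 5, 21, 10, 0), 30),      # host bob never used before
    ("erin", "ws-erin", datetime(2024, 5, 21, 9, 0), 400),      # no history at all
]


def build_profiles(history):
    """Per-user baseline: set of start hours, median duration, set of hosts."""
    by_user = defaultdict(list)
    for user, host, start, dur in history:
        by_user[user].append((host, start, dur))
    profiles = {}
    for user, sessions in by_user.items():
        profiles[user] = {
            "hours": {s.hour for _, s, _ in sessions},
            "median_duration": median([d for _, _, d in sessions]),
            "hosts": {h for h, _, _ in sessions},
        }
    return profiles


def flag_sessions(sessions, profiles, duration_factor=1.5, hour_slack=1):
    """Return (user, host, start, reasons) for each session that deviates from its profile.

    A user with no profile is reported as such: an account with no history that
    is suddenly in use deserves a look, and silently skipping it would hide that.
    """
    flagged = []
    for user, host, start, dur in sessions:
        reasons = []
        prof = profiles.get(user)
        if prof is None:
            reasons.append("no baseline for user")
        else:
            allowed_hours = {(h + k) % 24 for h in prof["hours"]
                             for k in range(-hour_slack, hour_slack + 1)}
            if start.hour not in allowed_hours:
                reasons.append(f"unusual hour {start.hour:02d}:00")
            if dur > duration_factor * prof["median_duration"]:
                reasons.append(f"duration {dur}m exceeds {duration_factor:.0%} "
                               f"of median {prof['median_duration']:.0f}m")
            if host not in prof["hosts"]:
                reasons.append(f"unfamiliar host {host}")
        if reasons:
            flagged.append((user, host, start, reasons))
    return flagged


def daily_report(today=TODAY, history=HISTORY):
    """Convenience entry point: profile the history, then flag today's sessions."""
    return flag_sessions(today, build_profiles(history))


if __name__ == "__main__":
    for user, host, start, reasons in daily_report():
        print(f"{start:%Y-%m-%d %H:%M} {user}@{host}: {'; '.join(reasons)}")
```

A baseline built from a fixed window (here twenty days) is only as good as the window is clean; if an attacker has already been using the account during that window, their pattern becomes "normal", so build the first profile from a period you have other reasons to trust.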
Accounts must also be tracked very closely. Any account that is dormant must be disabled and eventually removed from the system. All active accounts must be traceable to authorized users of the system, and their passwords must be robust and changed on a regular basis. Users must also be logged out after a period of inactivity to minimize the possibility of an attacker using their unattended session to extract information from the organization.
The system must be capable of identifying unauthorized user accounts when they exist on the system. An automated list of user accounts on the system must be created every 24 hours and an alert or e-mail must be sent to administrative personnel within one hour of completion of a list being created. While the one-hour timeframe represents the current metric to help organizations improve their state of security, in the future organizations should strive for even more rapid alerting.
To evaluate the implementation of Control 16 on a periodic basis, the evaluation team must verify that the daily list of locked-out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire has been produced on each of the previous 30 days, by reviewing the archived alerts and reports. In addition, the baseline of allowed accounts must be compared with the accounts that are active on all systems, and a report of all differences created from this comparison.
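Both evaluation checks above are mechanical and can be scripted. The following is an added example, not code from the original control document: it checks the archive for a report on each of the previous 30 days and compares a per-system baseline of allowed accounts with the accounts actually active on each system. The archive dates, baseline and active inventories are constructed for the example; a real run would read the report archive directory and pull the active account lists from each system.

```python
"""Evaluation checks for Control 16 (added example; all inputs are constructed).

Check 1: a daily report exists for each of the previous 30 days.
Check 2: active accounts on every system match the baseline of allowed
accounts, with every difference reported.
"""
from datetime import date, timedelta

TODAY = date(2024, 6, 1)  # fixed so the run is reproducible

# Constructed archive: the dates on which a daily report was produced.
# Two days (7 and 19 days ago) are deliberately missing.
ARCHIVED_REPORT_DATES = {
    TODAY - timedelta(days=n) for n in range(1, 31) if n not in (7, 19)
}

# Constructed baseline of allowed accounts per system, and what is live now.
BASELINE = {
    "web01": {"root", "deploy", "alice"},
    "db01": {"root", "postgres", "alice", "bob"},
}
ACTIVE = {
    "web01": {"root", "deploy", "alice", "tmpadmin"},  # tmpadmin is not in the baseline
    "db01": {"root", "postgres", "alice"},              # bob is gone: baseline may be stale
    "jump01": {"root", "mallory"},                      # system absent from the baseline
}


def missing_report_days(archived, today=TODAY, window_days=30):
    """Return the dates in the previous window_days (excluding today) with no archived report."""
    expected = {today - timedelta(days=n) for n in range(1, window_days + 1)}
    return sorted(expected - set(archived))


def baseline_diff(baseline, active):
    """Compare allowed accounts against active accounts on every system.

    Returns {system: {"unexpected": [...], "missing": [...]}} for every system
    with a difference. A system present only in the active inventory has every
    account unexpected; a system present only in the baseline has every account
    missing (it may be decommissioned, or simply not inventoried). Both cases
    are reported rather than ignored, since either one means the baseline and
    the real estate have drifted apart.
    """
    diff = {}
    for system in sorted(set(baseline) | set(active)):
        allowed = baseline.get(system, set())
        live = active.get(system, set())
        unexpected = sorted(live - allowed)
        missing = sorted(allowed - live)
        if unexpected or missing:
            diff[system] = {"unexpected": unexpected, "missing": missing}
    return diff


def evaluate(archived=ARCHIVED_REPORT_DATES, baseline=BASELINE, active=ACTIVE):
    """Run both checks; the control passes only when neither finds anything."""
    gaps = missing_report_days(archived)
    diff = baseline_diff(baseline, active)
    return {"report_gaps": gaps, "account_diff": diff, "passed": not gaps and not diff}


if __name__ == "__main__":
    result = evaluate()
    print("passed:", result["passed"])
    for d in result["report_gaps"]:
        print("no daily report archived for", d.isoformat())
    for system, d in result["account_diff"].items():
        print(f"{system}: unexpected={d['unexpected']} missing={d['missing']}")
```

An account that is in the baseline but not active (bob on db01 above) is not an error in the system; it is a sign the baseline was not updated when the account was disabled, and the baseline, not the system, is what needs correcting before the next comparison.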
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.
A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining user accounts and how they interact with the data systems and the log management systems. Another key component of these systems is the reports generated for management of user accounts.
The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. It also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: User accounts are properly managed on production systems
Step 2: User accounts are assigned proper permissions to production data sets
Step 3: User account access is logged to log management system
Step 4: Log management systems generate user account and access reports for management
Step 5: Account baseline information is sent to log management system
Step 6: Critical information is properly protected and encrypted for each user account