ITM Tech Cybersecurity Essentials Booklet - Flipbook - Page 25
06 - Access Control Management

Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

Why Is This CIS Control Critical?

Where CIS Control 5 deals specifically with account management, CIS Control 6 focuses on managing what access these accounts have: ensuring users only have access to the data or enterprise assets appropriate for their role, and ensuring that there is strong authentication for critical or sensitive enterprise data or functions. Accounts should only have the minimal authorisation needed for the role. Developing consistent access rights for each role and assigning roles to users is a best practice. Developing a programme for complete provisioning and de-provisioning of access is also important. Centralising this function is ideal.

CONTROL 06 - THE SAFEGUARDS

Safeguard  Title                                                     Asset Type  Security Function  IG1  IG2  IG3
6.1        Establish an Access Granting Process                      Users       Protect            ✓    ✓    ✓
6.2        Establish an Access Revoking Process                      Users       Protect            ✓    ✓    ✓
6.3        Require MFA for Externally-Exposed Applications           Users       Protect            ✓    ✓    ✓
6.4        Require MFA for Remote Network Access                     Users       Protect            ✓    ✓    ✓
6.5        Require MFA for Administrative Access                     Users       Protect            ✓    ✓    ✓
6.6        Establish and Maintain an Inventory of Authentication     Users       Identify                ✓    ✓
           and Authorisation Systems
6.7        Centralise Access Control                                 Users       Protect                 ✓    ✓
6.8        Define and Maintain Role-Based Access Control             Data        Protect                      ✓

Safeguards Total: 8    IG1: 5/8    IG2: 7/8    IG3: 8/8

Columns: Asset Type, Security Function, Implementation Group 1, Implementation Group 2, Implementation Group 3.
Did You Know?

In early November 2020, Microsoft urged users to stop using phone-based MFA (SMS and voice-call codes) and instead recommended app-based authenticators and security keys. We can assist you to implement an organisation-wide enterprise multi-factor authentication and identity management system.