CIS Logo
tagline: Confidence in the Connected World
HomeCIS ControlsCIS Control 16: Account Monitoring and Control
Young men working on a computer

CIS Control 16

Account Monitoring and Control

Key Principle:

Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them.

Why is this CIS Control critical?

Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users, thereby making discovery of attacker behavior difficult for network watchers. Accounts of contractors and employees who have been terminated and accounts formerly set up for Red Team testing (but not deleted afterwards) have often been misused in this way. Additionally, some malicious insiders or former employees have accessed accounts left behind in a system long after contract expiration, maintaining their access to an organization’s computing system and sensitive data for unauthorized and sometimes malicious purposes.

Main Points:
  • Review all system accounts and disable any account that cannot be associated with a business process and owner.
  • Ensure that all accounts have an expiration date that is monitored and enforced.

See the full text of this CIS Control and the other 20 CIS Controls

Secure Your Organization Against the Most Common Attack Vectors


Arrow First 5 CIS Controls Arrow All 20 CIS Controls

Developed, validated and prioritized by a volunteer community of cybersecurity experts.

Information Hub: Account Monitoring and Control