CIS Controls v8.1 Account & Credential Management Policy Template

Published on September 24, 2025

Accounts and credentials such as passwords are how we access phones, tablets, workstations, and web applications. Each of these accounts can be used to gain unauthorized access into an enterprise’s walled garden to steal data. There are many ways to covertly obtain access to accounts, such as weak passwords, old accounts from a fired employee, or passwords involved in a data breach at a separate company that are also used on your systems. There are multiple types of accounts that often need to be managed.

Policy Template Purpose

The CIS Critical Security Controls® (CIS Controls®) describe multiple policies that an enterprise should have in place. That includes a set of policies covering how accounts and credentials are managed in the enterprise, along with other access-control-related functions. This policy is meant as a foundational guide for enterprises needing to draft their own policies. Enterprises are encouraged to use this policy template in whole or in part. With that said, there are multiple decision points and areas that must be tailored to your enterprise. In CIS Controls v8.1, Controls 5 and 6 state:

CIS Control 5 – Account Management: Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.

CIS Control 6 – Access Control Management: Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

The policy statements included within this document can be used by all Implementation Groups (IGs), but are specifically geared towards CIS Safeguards in Implementation Group 1 (IG1).

 

CIS Controls v8.1 Account and Credential Management Policy Preview
