Manage Access to Systems and Data
Objective
Protect accounts that are used to access systems and data to limit the ability for malware to spread.
Description
- Apply the principle of least privilege and provide individuals with role-based access that is essential for them to perform authorized tasks.
- Use strong passwords, or preferably passphrases, to reduce the likelihood that threat actors succeed in brute-force attacks, in alignment with GC Password Guidance.
- Use multi-factor authentication (MFA) to prevent account takeover.
- Ensure that access is regularly reviewed and modified accordingly when individuals no longer need, or should no longer have, access, to limit the malware’s ability to spread.
- Ensure system administrators avoid using their accounts for email and web browsing (to prevent malware from running with their high level of system privilege), in order to reduce the risk of ransomware infecting administrator accounts and the system access associated with those accounts.
- Isolate system administrator accounts from the open internet by creating dedicated accounts for open-internet activities and applying the principle of least privilege to these accounts.
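The practices above can be checked mechanically during a periodic access review. The following is an added example, not code from the GC playbook or any of the referenced publications: it runs a review over a constructed account inventory and flags entitlements beyond the user's role (least privilege), departed or long-unused accounts (regular review), interactive accounts without MFA, and privileged accounts that show mailbox or web-proxy use (administrator separation from the open internet). The role model, the account records, the 90-day threshold and the telemetry fields are all assumptions.

```python
"""Access review over a constructed account inventory (added example, not GC code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Assumed role model: role name -> the entitlements that role may hold.
ROLE_ENTITLEMENTS = {
    "analyst": {"fileshare-ro", "ticketing"},
    "sysadmin": {"fileshare-ro", "domain-admin", "backup-admin"},
}
# Assumed set of entitlements treated as administrative.
PRIVILEGED = {"domain-admin", "backup-admin"}
# Assumed review threshold for accounts that have not logged on.
STALE_AFTER = timedelta(days=90)


@dataclass
class Account:
    name: str
    role: str
    entitlements: set[str]
    mfa: bool
    last_logon: date
    active_employee: bool
    # Assumed telemetry: whether the account has used mail or the web proxy.
    mailbox_use: bool = False
    web_proxy_use: bool = False


def review(accounts: list[Account], today: date) -> list[tuple[str, str, str]]:
    """Return (account, finding-kind, detail) tuples for every issue found."""
    findings = []
    for a in accounts:
        # Least privilege: anything outside the role's allowed set is excess.
        excess = a.entitlements - ROLE_ENTITLEMENTS.get(a.role, set())
        if excess:
            findings.append((a.name, "excess-entitlement", ",".join(sorted(excess))))
        # Regular review: departed users first, then accounts unused too long.
        if not a.active_employee:
            findings.append((a.name, "departed-user", "disable account"))
        elif today - a.last_logon > STALE_AFTER:
            days = (today - a.last_logon).days
            findings.append((a.name, "stale-account", f"unused {days} days"))
        # MFA coverage.
        if not a.mfa:
            findings.append((a.name, "no-mfa", "enrol MFA"))
        # Admin separation: privileged accounts must not touch mail or the web.
        if a.entitlements & PRIVILEGED and (a.mailbox_use or a.web_proxy_use):
            findings.append((a.name, "admin-internet-use",
                             "move mail/web activity to a separate account"))
    return findings


# Constructed sample inventory; the review date is fixed so results are stable.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Account("alice", "analyst", {"fileshare-ro", "ticketing"}, True,
            TODAY - timedelta(days=10), True),
    # Analyst holding domain-admin, no MFA, and reading mail with that account.
    Account("bob", "analyst", {"fileshare-ro", "ticketing", "domain-admin"}, False,
            TODAY - timedelta(days=5), True, mailbox_use=True),
    # Properly separated administrative account.
    Account("carol-adm", "sysadmin", {"domain-admin", "backup-admin"}, True,
            TODAY - timedelta(days=2), True),
    Account("dave", "analyst", {"fileshare-ro"}, True,
            TODAY - timedelta(days=200), False),
    Account("erin", "analyst", {"ticketing"}, True,
            TODAY - timedelta(days=120), True),
]


def review_sample() -> list[tuple[str, str, str]]:
    return review(SAMPLE, TODAY)


if __name__ == "__main__":
    for name, kind, detail in review_sample():
        print(f"{name:10} {kind:20} {detail}")
```

In practice the inventory would be exported from the directory service and the mail and proxy flags derived from logs; the decision logic stays the same, and the `departed-user` check is ordered before the staleness check so a leaver is reported once with the action that matters.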
References
TBS
- DSD Appendix G - Account Management Configuration Requirements (1, 3, 4, 10 and 12)
- DSM Appendix B (B.2.3.2, B.2.3.2.2, B.2.3.2.4 and B.2.3.6), and
- GC Password Guidance
CCCS
- Managing and Controlling Administrative Privileges (ITSAP.10.094)
- Ransomware Playbook (ITSM.00.099) (2.1.4), and
- CSE Top 10 (ITSM.10.089) (2.3)
Related Security Controls (ITSG-33)
AC‑2, AC‑2(1), AC‑3, AC‑5, AC‑6, AC‑6(5), AC‑6(10), AC‑7, AC‑9, AC‑19, AC‑20(3), IA‑2, IA‑2(1), IA‑2(2), IA‑2(11), IA‑4, IA‑5, IA‑5(1), IA‑5(6), IA‑5(7), IA‑5(13), IA‑6, IA‑8