3.1 ACCESS CONTROL

3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.

By wnoble2005@gmail.com (William Noble) 📅 2024-02-26
NIST 800-171 control 3.1.6 requires using regular accounts for everyday tasks, reducing damage from compromised admin accounts. It increases accountability as users' actions are tied to their identities. Implementing this involves enforcing non-privileged account usage via system settings and policies, along with monitoring activity for suspicious behavior.

This requirement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

Benefits:

Minimized Attack Surface and Data Exposure: Privileged accounts hold the keys to a system's core operations and sensitive data. Using them for routine tasks expands the attack surface. If attackers compromise a privileged account, they gain far-reaching access, making non-privileged accounts a fundamental line of defense.

Reduced Impact of Account Compromise: Should a standard, non-privileged account be compromised, the damage is localized. Attackers will struggle to escalate privileges and move laterally in the system, keeping sensitive information safer.

Improved Auditing and Logging: Actions taken with non-privileged accounts can be clearly distinguished from those with higher rights. This aids in tracking activity, spotting anomalies, and forensic investigations if a breach does occur.

Accountability:

Senior Management:

Set the Tone: Senior management has the overarching responsibility to establish a culture of security. This means creating policies and procedures that clearly outline the appropriate use of privileged and non-privileged accounts.

Provide Resources: They must allocate the necessary budgets and personnel to adequately implement and maintain security measures protecting sensitive data, including the enforcement of account restrictions.

Consequence Management: Senior management holds the power to take action when security protocols are breached. They must enforce consequences for non-compliance to ensure accountability across the organization.

IT Security Team: Responsible for implementing and maintaining technical and administrative security controls. They design access control mechanisms, configure systems to use non-privileged accounts by default, and monitor for unauthorized use of privileged accounts.

System Owners: Accountable for the security of their specific systems. They define appropriate access permissions, working with the IT security team to implement role-based access controls (RBAC) that limit privileged access.

Individual Users: The front line of defense. They must adhere to security policies, only use non-privileged accounts for day-to-day tasks, and promptly report suspicious activities to the IT security team.

Implementation:

Inventory Accounts: Identify every user account and map them to their associated privileges. Highlight those with administrator-level rights (or equivalent).

Define Roles & Responsibilities: Determine which tasks genuinely necessitate privileged access. Create distinct roles with the least privilege needed to carry out each function.

Create Non-Privileged Accounts: If they don't exist, create standard user accounts for every individual. Ensure these are the default for daily email, web browsing, and non-security-critical tasks.

Enforce Policies: Technical measures like RBAC are critical, but don't neglect policy. Train users thoroughly on when to use each account type and the risks surrounding privileged access.

Implement Monitoring: Log privileged account actions for visibility. Set up alerts for suspicious activity, such as logins outside standard hours, logins from unexpected locations, or unusual actions taken under privileged rights.
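As an added example (not part of the original page), the monitoring step above in a small Python checker: it takes the account inventory from step one, reads authentication events, and raises alerts for privileged logins outside business hours, privileged logins from outside the approved networks, and a privileged account being used for a nonsecurity task, which is exactly what 3.1.6 forbids. The inventory, business hours, approved network prefixes, the action names and the JSON-lines log format are all assumptions; the events are constructed, not taken from any real system.

```python
import json
from datetime import datetime, time
from typing import Dict, List

# Constructed inventory (Implementation step 1): account -> privilege level.
ACCOUNTS: Dict[str, str] = {
    "jdoe": "standard", "msmith": "standard",
    "jdoe-adm": "privileged", "svc-backup": "privileged",
}
# Assumed policy values: business hours and approved source networks.
BUSINESS_HOURS = (time(8, 0), time(18, 0))
APPROVED_PREFIXES = ("10.0.", "10.1.")
# Assumed names for everyday, nonsecurity actions a privileged account should not perform.
NONSECURITY_ACTIONS = {"open_mail_client", "web_browse"}

# Constructed auth events as JSON lines (one event per line).
SAMPLE_EVENTS = """\
{"ts": "2024-02-26T09:15:00", "user": "jdoe", "src": "10.0.4.22", "action": "login"}
{"ts": "2024-02-26T09:20:00", "user": "jdoe-adm", "src": "10.0.4.22", "action": "login"}
{"ts": "2024-02-26T02:45:00", "user": "svc-backup", "src": "10.1.9.7", "action": "login"}
{"ts": "2024-02-26T14:05:00", "user": "jdoe-adm", "src": "203.0.113.8", "action": "login"}
{"ts": "2024-02-26T10:00:00", "user": "jdoe", "src": "203.0.113.8", "action": "login"}
{"ts": "2024-02-26T11:30:00", "user": "jdoe-adm", "src": "10.0.4.22", "action": "open_mail_client"}
"""

def alerts_for(event: dict) -> List[str]:
    """Return the list of alert reasons for one event; empty means no alert."""
    reasons: List[str] = []
    # Only privileged-account activity is alerted by this checker; standard
    # accounts are the expected default and are covered by other monitoring.
    if ACCOUNTS.get(event["user"]) != "privileged":
        return reasons
    ts = datetime.fromisoformat(event["ts"])
    if not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]:
        reasons.append("off-hours")
    if not event["src"].startswith(APPROVED_PREFIXES):
        reasons.append("unexpected-location")
    if event["action"] in NONSECURITY_ACTIONS:
        reasons.append("nonsecurity-task-with-privileged-account")
    return reasons

def scan(log_text: str) -> List[dict]:
    """Parse JSON-lines auth events and collect every event that raised an alert."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = alerts_for(event)
        if reasons:
            findings.append({"user": event["user"], "ts": event["ts"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```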

Category: Cybersecurity Maturity Model
Family: Access Control (AC 3.1)
Type: Derived Security Requirements

Q4Q Technical Solutions

© q4q.com 1999-2024