MuonPartners
Strategic technology consulting for Australian organisations navigating complexity.

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

AESCSF-ACCESS-1h (Active)

Statement

Stronger credentials, multifactor authentication, or single use credentials are required for higher risk access (such as privileged accounts, service accounts, shared accounts, and remote access)

Context and Guidance: The requirements for credentials used to access the organisation's assets should be commensurate with the risk associated with those assets. If an organisation uses a matrix for determining the potential impact and priority of risks, it may develop a companion matrix that specifies credential and authentication requirements for each level of impact. For example, for remote access to a system where the risks could result in significant impact (level 4 of 5) with a high likelihood of occurrence (level 4 of 5), a commensurate requirement might be that personnel must use strong credentials, multifactor authentication, or single use credentials. Where strong credentials or MFA are warranted but precluded by technological limitations, implement the strongest available authentication configuration and add compensating controls where appropriate based on risk and operational considerations.

Multifactor authentication (MFA) involves the use of two or more factors, drawn from different factor categories, to verify an identity. The categories are (1) something you know, such as a password; (2) something you have, such as a token; (3) something you are, such as a fingerprint; and (4) something that indicates you are where you say you are, such as a GPS token. For the example above, personnel could be required to authenticate using a login ID, a password, and a token. Two credentials from the same category (for example a password and a security question, both "something you know") do not constitute MFA.

Single use credentials may be implemented through a privileged access management (PAM) solution. Functionality provided by a PAM solution includes role-based access to privileged credentials, automated rotation of passwords, integration with MFA, and auditing of privileged credential use.

These are specific examples of access that may pose higher risk to the function:

  • privileged accounts
  • service accounts
  • shared accounts (use of these should be discouraged in general, but cannot be avoided on certain legacy IT and OT assets; there, additional controls are appropriate, such as the stronger credentials described in this practice, strong physical access controls, or others)
  • remote access
  • administrative accounts
  • emergency access
  • access to sensitive assets
  • access to cloud or virtual asset management systems
  • cryptographic key management accounts
  • backup accounts

Note that the more of these access types the organisation covers with requirements for stronger or multifactor credentials, the higher it moves on the spectrum of maturity.

Additionally, the word "risk" is used in this practice in the general sense and is not intended to refer to any specific risks identified in the Risk Management domain of the C2M2. However, organisations should consider access to IT and OT assets, and the controls applied to that access, during the risk identification, analysis and response activities discussed in the Risk Management domain.
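The guidance above describes a companion matrix that maps risk level to credential requirements, the four factor categories, the list of higher-risk access types, and the fallback for targets that cannot do MFA. The following is an added worked example, not code from the AESCSF, the C2M2 or the Muon Partners page, showing how that policy can be expressed and checked in code. The access-type names, the 1..5 impact and likelihood scales, the product threshold of 12 and the AuthAttempt fields are assumptions made for the illustration; only the factor categories and the higher-risk access list come from the practice text.

```python
# Added worked example (not from the AESCSF or the Muon Partners page): a small
# policy-as-code check for ACCESS-1h. The access categories come from the
# practice text; the companion risk matrix, the 1..5 scales and the score
# threshold are hypothetical assumptions made for illustration.
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The four factor categories listed in the guidance."""
    KNOWLEDGE = "something you know"      # password, PIN, security question
    POSSESSION = "something you have"     # hardware token, smartcard
    INHERENCE = "something you are"       # fingerprint
    LOCATION = "somewhere you are"        # GPS token


# Higher-risk access types named in the practice (key spellings are assumed).
HIGHER_RISK_ACCESS = frozenset({
    "privileged", "service", "shared", "remote", "administrative", "emergency",
    "sensitive_asset", "cloud_management", "key_management", "backup",
})

# Hypothetical companion matrix: impact x likelihood on 1..5 scales; at or
# above this product the organisation treats the access as higher risk.
HIGHER_RISK_SCORE = 12


def required_factor_categories(access_type, impact, likelihood):
    """Minimum number of distinct factor categories for this access.

    2 means "strong credentials, MFA or single-use credentials" is required;
    1 means an ordinary single credential is acceptable.
    """
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood are rated 1..5")
    if access_type in HIGHER_RISK_ACCESS or impact * likelihood >= HIGHER_RISK_SCORE:
        return 2
    return 1


@dataclass
class AuthAttempt:
    access_type: str
    impact: int
    likelihood: int
    # (category, label) pairs actually presented, e.g. (Factor.KNOWLEDGE, "password")
    factors: list
    # True if the credential was checked out of a PAM solution for one use
    single_use_credential: bool = False
    # False when the target cannot do MFA (legacy OT, etc.)
    mfa_feasible: bool = True
    # Documented compensating controls, e.g. ("physical access control",)
    compensating_controls: tuple = ()


def distinct_categories(factors):
    """Count factor categories, not credentials: a password plus a security
    question is still one category and is not MFA."""
    return len({category for category, _ in factors})


def evaluate(attempt):
    """Return (allowed, reason) for an authentication attempt."""
    need = required_factor_categories(attempt.access_type, attempt.impact, attempt.likelihood)
    have = distinct_categories(attempt.factors)
    if have >= need:
        return True, f"{have} distinct factor category/categories presented, {need} required"
    # A single-use credential (PAM checkout) satisfies the practice on its own.
    if attempt.single_use_credential:
        return True, "single-use credential issued by PAM"
    # Technological limitation: strongest available config plus compensating controls.
    if not attempt.mfa_feasible and have >= 1:
        if attempt.compensating_controls:
            return True, "MFA infeasible; compensating controls: " + ", ".join(attempt.compensating_controls)
        return False, "MFA infeasible and no compensating controls documented"
    return False, f"{need} distinct factor categories required, {have} presented"


if __name__ == "__main__":
    # Constructed sample attempts: the guidance's remote-access example, a
    # privileged login with two knowledge factors, and a legacy shared account.
    samples = [
        AuthAttempt("remote", 4, 4, [(Factor.KNOWLEDGE, "password"), (Factor.POSSESSION, "hardware token")]),
        AuthAttempt("privileged", 2, 2, [(Factor.KNOWLEDGE, "password"), (Factor.KNOWLEDGE, "security question")]),
        AuthAttempt("shared", 3, 2, [(Factor.KNOWLEDGE, "password")],
                    mfa_feasible=False, compensating_controls=("physical access control",)),
    ]
    for attempt in samples:
        print(attempt.access_type, evaluate(attempt))
```

The order of the checks in evaluate matters: a presented second factor category is accepted first, a PAM-issued single-use credential is accepted on its own, and the compensating-control path is only reached when the target genuinely cannot do MFA and at least one credential was still presented; an attempt with no credential at all is always refused.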

Related Practices

  • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression are ACCESS-1b, ACCESS-1d, ACCESS-1g, ACCESS-1h and ACCESS-1i.

Practice Details

Identifier
AESCSF-ACCESS-1h
Type
Practice
Domain
ACCESS
Objective
Establish Identities and Manage Authentication

Maturity Level

MIL-1, MIL-2, MIL-3

Security Profile

SP-1, SP-2, SP-3

ISM (related, via aescsf-reference)

  • ISM-0974
  • ISM-1173
  • ISM-1504
  • ISM-1679
  • ISM-1680
Establish Identities and Manage Authentication (10 controls)

  • AESCSF-ACCESS-1a: Identities are provisioned, at least in an ad hoc manner, for personnel and other entities such as services and devic...
  • AESCSF-ACCESS-1b: Credentials (such as passwords, smartcards, certificates, and keys) are issued for personnel and other entities that ...
  • AESCSF-ACCESS-1c: Identities are deprovisioned, at least in an ad hoc manner, when no longer required
  • AESCSF-ACCESS-1d: Password strength and reuse restrictions are defined and enforced
  • AESCSF-ACCESS-1e: Identity repositories are reviewed and updated periodically and according to defined triggers, such as system changes...
  • AESCSF-ACCESS-1f: Identities are deprovisioned within organisation-defined time thresholds when no longer required
  • AESCSF-ACCESS-1g: The use of privileged credentials is limited to processes for which they are required
  • AESCSF-ACCESS-1h: Stronger credentials, multifactor authentication, or single use credentials are required for higher risk access (such as privileged accounts, service accounts, shared accounts, and remote access)
  • AESCSF-ACCESS-1i: Multifactor authentication is required for all access, where feasible
  • AESCSF-ACCESS-1j: Identities are disabled after a defined period of inactivity, where feasible