Account and Access Control Management
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
Program Services & Resources
The following services and resources are provided by the NC K-12 Cybersecurity Program and provided to PSUs at no cost to help execute the actions defined in the NC K-12 CORE Safeguards:
Why is Account and Access Control Management Important?
Gaining access using valid credentials is often easier for attackers than hacking into systems directly. Common risks include weak passwords, inactive or shared accounts, reused passwords from breached sites, social engineering, and malware. Privileged and service accounts are especially attractive targets due to their broad access and potential misuse.
CIS Controls 5 and 6 emphasize account and access management. Control 5 covers managing accounts, while Control 6 ensures users only have the minimum access needed for their roles, using role-based access control and centralized provisioning/de-provisioning.
High-risk activities, like administrative tasks or remote access, require stronger protections such as Multi-Factor Authentication (MFA) and Privileged Access Management (PAM). Inadequate controls, such as giving all users full access or leaving local admin rights on laptops, increase enterprise risk. Effective identity and access management involves continuous monitoring, role alignment, and minimizing privileges based on actual need.
What can you do?
Effective account management is essential for security. All accounts must be tracked, with dormant ones disabled and eventually removed. Regular audits should verify that all active accounts belong to authorized users, paying close attention to newly created, administrative, and service accounts.
Privileged users must have separate accounts for administrative tasks and everyday use to reduce risk if their primary account is compromised. Base accounts should not have elevated access.
Single Sign-On (SSO) and password managers enhance security and convenience, but passwords must not be stored in unsecured formats. Multi-Factor Authentication (MFA) should be enforced—especially for privileged accounts—using secure methods like number generators, not SMS or push notifications.
Role-based access control (RBAC) ensures users only have permissions necessary for their role, following principles of least privilege and need-to-know. Temporary or granular access should be carefully managed and logged.
Users should be logged out after periods of inactivity, and trained to lock their screens when stepping away. Privileged Access Management (PAM) tools can enforce one-time password use and session tracking for administrator accounts. For extra security, use jump-boxes or out-of-band connections for administrative access.
De-provisioning must be thorough and consistent for all users—including contractors—to prevent lingering access. Service accounts should also be tracked, as they can be vulnerable to credential leaks in code or repositories.
Finally, administrators should avoid using high-privilege accounts for general activities like web browsing or email, and security teams should periodically check for misuse of elevated privileges in common applications.
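The practices above (track every account, disable dormant ones, review newly created accounts, keep administrative and everyday accounts separate, and know who owns each service account) can be turned into a repeatable audit over an exported account inventory. The following is an added example written for this page, not a tool from the NC K-12 Cybersecurity Program or the CIS Safeguards; the `Account` record layout, the sample inventory and the 30-day "newly created" window are constructed assumptions, and the 45-day dormancy threshold follows CIS Controls v8 safeguard 5.3. The "no separate account" check is a heuristic: an enabled admin account whose owner holds no enabled everyday user account is flagged as probably being used for daily work.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    """One row of an account inventory export (assumed layout, constructed for this example)."""
    name: str
    kind: str                    # "user", "admin" or "service"
    owner: Optional[str]         # person responsible for the account, if recorded
    enabled: bool
    created: date
    last_logon: Optional[date]   # None if the account has never logged on


DORMANT_DAYS = 45   # CIS Controls v8 safeguard 5.3: disable after 45 days of inactivity
NEW_DAYS = 30       # review window for newly created accounts (assumed value)

# (account name, finding code, recommended action)
Finding = Tuple[str, str, str]


def audit(accounts: List[Account], today: date,
          dormant_days: int = DORMANT_DAYS, new_days: int = NEW_DAYS) -> List[Finding]:
    """Return the findings an account review should act on, sorted by account name."""
    findings: List[Finding] = []
    # Owners who hold at least one enabled, ordinary user account
    owners_with_user_account = {a.owner for a in accounts
                                if a.kind == "user" and a.enabled and a.owner}
    for a in accounts:
        if not a.enabled:
            continue   # already disabled; not part of an active-account review
        age = (today - a.created).days
        # An account that never logged on is idle since the day it was created
        idle = (today - (a.last_logon or a.created)).days
        if idle > dormant_days:
            findings.append((a.name, "dormant",
                             f"no logon for {idle} days; disable, then remove after review"))
        if age <= new_days:
            findings.append((a.name, "new", "confirm this account was authorised"))
        if a.kind in ("admin", "service") and not a.owner:
            findings.append((a.name, "unowned", "record a responsible owner"))
        if a.kind == "admin" and a.owner and a.owner not in owners_with_user_account:
            findings.append((a.name, "no-separate-account",
                             "owner has no everyday account; admin account is likely used for daily work"))
    return sorted(findings)


# Constructed sample inventory and a fixed review date so the run is reproducible
TODAY = date(2024, 9, 1)
SAMPLE_INVENTORY = [
    Account("jdoe", "user", "J. Doe", True, date(2021, 8, 15), date(2024, 8, 30)),
    Account("jdoe-adm", "admin", "J. Doe", True, date(2021, 8, 15), date(2024, 8, 29)),
    Account("rsmith-adm", "admin", "R. Smith", True, date(2022, 1, 10), date(2024, 8, 31)),  # no everyday account
    Account("contractor7", "user", "Vendor X", True, date(2023, 3, 1), date(2024, 5, 2)),    # never de-provisioned
    Account("svc-backup", "service", None, True, date(2020, 6, 1), date(2024, 8, 31)),        # nobody owns it
    Account("tmp-substitute", "user", "HR", True, date(2024, 8, 20), None),                   # new, never logged on
    Account("oldteacher", "user", "K. Lee", False, date(2018, 9, 1), date(2023, 6, 10)),      # already disabled
]


def run_sample() -> List[Finding]:
    return audit(SAMPLE_INVENTORY, TODAY)


if __name__ == "__main__":
    for name, code, action in run_sample():
        print(f"{name:16} {code:20} {action}")
```

Running the sample flags the contractor account as dormant, the second admin account as lacking a separate everyday account, the backup service account as unowned, and the newly created substitute account for authorisation review; the already disabled teacher account is left alone. In practice the inventory would come from a directory export (for example an Active Directory or identity-provider report) and the review would be run on a fixed schedule, with each finding closed out by disabling, removing or documenting the account.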
Specific details and procedures are outlined in the K-12 Cybersecurity CORE Safeguards.
**NC K-12 Cybersecurity Community Mailing list subscription is required to access the CORE Safeguard materials**