UC Berkeley security policy mandates compliance with the Minimum Security Standard for Electronic Information (MSSEI) for devices handling covered data. The recommendations below are provided as optional guidance for meeting the account monitoring and management requirements.
Requirement
Resource Proprietors and Resource Custodians must manage, protect from attack, and regularly review accounts.
Description of Risk
Attackers can discover and exploit user accounts still valid in the system but no longer needed for business purposes.
Recommendations
Account monitoring and management controls provide a gatekeeper function to prevent and detect unauthorized activities that may lead to loss of covered data. When implemented correctly, these controls allow resource proprietors and resource custodians to control precisely who has access to covered data and detect inappropriately granted access before data loss events occur. Start with the recommendations below to implement an account monitoring and management process:
- Account Management
  - Employ a process to record and monitor significant changes to covered system user accounts and groups, to ensure that access is not granted outside the formal approval process required by the MSSEI need-to-know access control requirement. Significant user account and group changes include:
    - Status changes that enable or disable accounts/groups
    - Account access privilege updates
    - Account creation/deletion
    - Group access privilege updates
    - Group membership updates
    - Group creation/deletion
- Account Protection
  - Account lockout should be used and configured such that, after a set number of failed login attempts, the account is locked for a standard period of time.
  - Ensure that password complexity requirements are enforced for standard user accounts and that administrative accounts follow strong authentication requirements.
  - Administrative account credentials (passphrases, encryption keys or other authentication devices) are also covered data, and must be protected according to applicable MSSEI requirements. (See the Additional Resources section for more guidance.)
- Account Review
  - Employ a process to review accounts assigned to both users and applications/services on a quarterly basis.
  - The review process validates the continued business need for each active account with the Resource Proprietor and ensures that application/service account credentials are disabled when no longer needed.
  - The review process should also reconcile existing active accounts with account access requests; any access privileges not approved by the Account Management process should be noted and revoked immediately.
  - Review account and privilege updates, with special emphasis on administrative privilege updates, for suspicious activities that may signal compromised accounts. Examples of suspicious activities include unauthorized changes to existing administrative accounts and privileges, and new administrative accounts/groups created without approval or documentation.
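The reconciliation step of the quarterly Account Review, as an added example that is not UC Berkeley's own tooling: it compares the accounts and privileges a covered system reports as active against the register of approved access requests, flags anything the Account Management process never approved, and surfaces administrative-privilege findings first. The field names, privilege names and sample data are constructed for illustration.

```python
"""Quarterly account review reconciliation (added example). Field names,
privilege names and the sample data below are constructed assumptions."""
from dataclasses import dataclass

# Assumed names of administrative-level privileges; findings on these are escalated.
ADMIN_PRIVS = {"admin", "sudo", "domain-admin"}


@dataclass(frozen=True)
class Account:
    name: str
    kind: str            # "user" or "service"
    enabled: bool
    privileges: frozenset


# Constructed sample: accounts the covered system currently reports.
ACTIVE = [
    Account("alice", "user", True, frozenset({"read"})),
    Account("bob", "user", True, frozenset({"read", "admin"})),
    Account("backup-svc", "service", True, frozenset({"read", "write"})),
    Account("legacy-svc", "service", True, frozenset({"read"})),
    Account("mallory", "user", False, frozenset({"admin"})),
]

# Constructed sample: approved access register (account -> approved privileges).
APPROVED = {
    "alice": {"read"},
    "bob": {"read"},
    "backup-svc": {"read", "write"},
}


def reconcile(active, approved):
    """Return (account, kind, issue) findings, administrative issues first.
    no_approval: enabled account with no approved access request (revoke);
    unapproved_[admin_]privilege:<p>: privilege held but never approved (revoke)."""
    findings = []
    for acct in active:
        if not acct.enabled:
            continue  # the review reconciles active accounts only
        if acct.name not in approved:
            findings.append((acct.name, acct.kind, "no_approval"))
            continue
        for priv in sorted(acct.privileges - approved[acct.name]):
            tag = "unapproved_admin_privilege" if priv in ADMIN_PRIVS else "unapproved_privilege"
            findings.append((acct.name, acct.kind, f"{tag}:{priv}"))
    # Special emphasis on administrative privilege updates: surface those first.
    return sorted(findings, key=lambda f: not f[2].startswith("unapproved_admin"))
```

Each finding maps directly to a review action: `no_approval` on a service account is the "disable when no longer needed" case, and an unapproved administrative privilege is the signal the last Account Review bullet asks reviewers to treat as possible compromise.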
Additional Resources
MITRE Common Weakness Enumeration guidance on risks of hard-coded credentials and potential mitigation techniques: http://cwe.mitre.org/data/definitions/798.html