Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems. (Source)
A sample identity and access management policy for Boston University. Video presented by Thycotic discussing risks and mitigations for privileged accounts. CrowdStrike webpage providing security tips and resources for considerations on least privilege. When you walk away from your computer, you want to make sure to lock it so other people can't access your machine and its data. You can, of course, manually lock your Windows 10 PC by hitting Windows Key + L or Ctrl + Alt + Del. But sometimes you forget. The cool thing is you can make Windows 10 lock automatically after a set time of inactivity. Here is a look at a few ways you can set this up. This document from Identity Automation provides organizations with a step-by-step process to follow for creating and maintaining usernames. An example of a screen-locking standard, used by academia. This article describes the importance of user access reviews, and offers suggestions for performing reviews manually or in an automated fashion. This article provides a comprehensive description of Data Loss Prevention (DLP). The article includes best practices for DLP planning and preparation, and tools for automating DLP. This article describes how to configure inactivity timeouts on Windows. This document describes security identifiers and how they work with regard to accounts and groups in the Windows operating system. This article provides guidance for the Identification and Authentication (IA) domain. There is a table with links to content that provides step-by-step guidance to accomplish the practice. Microsoft security best practices for employment of the least privilege principle. This link provides checkpoints for user access security. NIST resource that defines the requirements for the principle of least privilege. This special publication from NIST provides an overview of identifier management.
This NIST Special Publication covers identity proofing and authentication of users interacting with government IT systems over open networks. This list covers NIST FAQs for Special Publication (SP) 800-63, Digital Identity Guidelines, and provides additional clarification to stakeholders. A sample user access management policy for Northwestern Polytechnic. As mentioned in the title, this article offers best practices to ensure an organization regularly validates a user's set of permissions. This documentation from Red Hat provides an administrator with step-by-step instructions for configuring a lockout policy based on inactivity. This is an example of an identification and authentication policy for Texas A&M. This example policy describes the configuration of resources to uniquely identify and authenticate users not affiliated with the university who are permitted to utilize university information resources. This example policy describes the capability for information resources to uniquely identify and authenticate university faculty, staff, students, and other approved users. This example policy describes how user or device identifiers are managed by receiving appropriate authorization to initially assign a user, selecting a unique identifier, preventing the reuse of identifiers, and disabling the user identifier after a period of inactivity or a change in job status. This sample policy from Michigan is an example of how an organization can provision and deprovision access to systems and applications. This webinar discusses practices for making secure, modern authentication fast and easy. This video is a quick introduction to the problems faced with common MFA systems. Protecting users and applications from brute-force login attacks through strong password policies. This article highlights MFA and the necessity of implementing it for all privileged account access and for all users who access network resources.
Learn what to look for when assessing and comparing two-factor authentication solutions. Duo's wide variety of authentication methods makes it easy for every user to securely and quickly log in. This example procedure from the EPA describes how the agency is to implement security control requirements for the NIST SP 800-53 Identification and Authentication (IA) control family. This article describes mechanisms to limit unsuccessful logon attempts. This article from Infosecurity Magazine describes the importance of securing inactive user accounts. This article describes how to set an account lockout policy. This webpage discusses how to regularly check for and remove inactive user accounts in Microsoft Active Directory. Best practices for implementing account lockout policies, and an overview of the Active Directory account lockout policy. This NIST Special Publication provides technical requirements for federal agencies implementing digital identity services. This cheat sheet from OWASP provides general authentication guidelines. This documentation from Red Hat provides an administrator with step-by-step instructions for configuring a lockout policy based on inactivity. Secure access to your extended enterprise with RSA SecurID Access, the leading multi-factor authentication and identity assurance solution. This SANS guideline provides best practices for creating secure passwords. This is a sample password protection policy from SANS. This SANS whitepaper generalizes several authentication methods and authentication protocols. This SANS whitepaper looks at the use of biometrics technology to determine how secure it might be in authenticating users. This SANS whitepaper discusses implementing an additional security layer for wired networks. This SANS whitepaper focuses on enterprise solutions for two-factor authentication. More on two-factor authentication and its ineffectiveness as a defense against identity theft.
This whitepaper is directed at IT, security, and compliance workers who are responsible for recommending or evaluating security products, or for running and managing two-factor authentication infrastructure. How to reduce the risk of a password dictionary attack through an account lockout policy. This example policy describes how information resources shall obscure feedback of authentication information during the authentication process to protect the information from possible exploitation or use by unauthorized individuals. Gemalto's identity and access management (IAM) solutions allow organizations to meet the evolving needs around cloud applications and mobile devices. This link provides an example of a network device that must obscure feedback of authentication information. It describes how to check the practice and provides a fix. This YouTube video discusses identification and authentication issues in the context of computer security.
This document provides assessment guidance for Level 1 of the Cybersecurity Maturity Model Certification (CMMC). This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. The purpose of this publication is to provide procedures for assessing the CUI requirements in NIST Special Publication 800-171.