Standard:
YALE-MSS-9.4: Grant privileges to IT Systems and data according to the principle of least privilege
YALE-MSS-9.4.2: Maintain an inventory of all privileged and service accounts and assigned privileges
| IT System type | Low Risk | Moderate Risk | High Risk |
| --- | --- | --- | --- |
| Endpoint | Required | Required | Required |
| Server | Required | Required | Required |
| Mobile Device | Required | Required | Required |
| Network Printer | Required | Required | Required |
Details
This standard applies to administrative accounts and service accounts:
- Administrative accounts - Administrative accounts consist of a username and password. An administrative account grants an individual privileged access to the IT System. Privileged access is access to make changes to the overall IT System.
- Service accounts - Service accounts are special user accounts used by a system (e.g., an application). The system uses the service account to interact with the operating system. These types of accounts are typically used for automation.
Maintain an inventory of all privileged and service accounts and who has what access. Review this inventory on a regular cadence to ensure all accounts have the right level of access. YALE-MSS-10.4.2 requires all dormant accounts to be removed on a regular basis.