August 05, 2019

NIST 800-171 3.1.6

Gregory Morawietz
Founder/Single Point of Contact

Use non-privileged accounts or roles when accessing nonsecurity functions.

The object of this control is to set up an admin account and a non-admin account, one for privileged access and one for non-privileged access. The control seeks to separate admin accounts from non-admin accounts and the actions performed under each. The best way to go about this is to create standard accounts with least-privilege access and separate administrative accounts with more power and capabilities. Describe and refer to this separation in your security policy, and make sure that when you audit commands, the admin accounts are identifiable and associated with the person using them. Use an identifier such as an admin- prefix, or something to that effect, so it is obvious which accounts are elevated. Include the creation of these accounts in your administrator or IT staff onboarding documentation. This is a common best practice and lets you remove generic admin accounts from your environment. You will use this control to track who is making, or has made, a change in your environment, so you can track them down or report on each individual's activities.
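As an added illustration (not code from the post), here is a Python check over a constructed account inventory that flags what the control asks you to enforce: privileged accounts carry the admin- identifier and map to a named person, generic admin accounts are reported, and every admin also has a non-privileged account for everyday work. The group names, generic-account names and sample accounts are assumptions.

```python
# Added illustration, not the post's own tooling; group/account names below are assumed.
from dataclasses import dataclass

PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "sudo", "wheel"}  # assumed group names
GENERIC_ADMIN_NAMES = {"administrator", "admin", "root"}  # assumed shared-account names
ADMIN_PREFIX = "admin-"  # the identifier the post suggests for elevated accounts

@dataclass
class Account:
    name: str
    groups: set
    owner: str  # person the account is assigned to; "" if nobody

def is_privileged(acct):
    return bool(acct.groups & PRIVILEGED_GROUPS)

def audit_account(acct):
    """Findings for one account; an empty list means it follows the convention."""
    findings, priv = [], is_privileged(acct)
    if acct.name.lower() in GENERIC_ADMIN_NAMES:
        findings.append("generic shared admin account, not attributable to a person")
    if priv and not acct.name.startswith(ADMIN_PREFIX):
        findings.append("privileged account lacks the 'admin-' identifier")
    if priv and not acct.owner:
        findings.append("privileged account is not assigned to a named person")
    if not priv and acct.name.startswith(ADMIN_PREFIX):
        findings.append("'admin-' named account holds no privileged group")
    return findings

def audit_inventory(accounts):
    """Map each account (and 'owner:<person>') to its list of findings."""
    report = {a.name: audit_account(a) for a in accounts}
    priv_owners = {a.owner for a in accounts if a.owner and is_privileged(a)}
    daily_owners = {a.owner for a in accounts if a.owner and not is_privileged(a)}
    for owner in priv_owners - daily_owners:  # admins still need a non-privileged login
        report[f"owner:{owner}"] = ["no non-privileged account for nonsecurity work"]
    return report

def attribute(user, accounts):
    """Resolve an account name seen in a command audit log to the responsible person."""
    acct = next((a for a in accounts if a.name == user), None)
    return (acct.owner or None) if acct else None

INVENTORY = [  # constructed sample directory export
    Account("jdoe", {"Users"}, "jdoe"),
    Account("admin-jdoe", {"Domain Admins"}, "jdoe"),
    Account("admin-bwong", {"Domain Admins"}, "bwong"),  # no daily-use account
    Account("Administrator", {"Administrators"}, ""),  # generic, unattributed
    Account("helpdesk", {"Administrators"}, ""),  # elevated but not identifiable
]
```

Running `audit_inventory(INVENTORY)` reports the generic and unassigned elevated accounts and notes that bwong has no non-privileged account, while `attribute("admin-jdoe", INVENTORY)` returns the person to name in an audit report.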