Overview
To stay secure, and to sell to customers who require cyber insurance and compliance, MSPs attempt to meet cybersecurity compliance requirements with documentation tools, password vaults, and secure access tools. MSPs should absolutely use these tools, but they do not address the core item in every cybersecurity framework: the proper management and security of individual admin accounts.
How does idemeum help?
The idemeum Privileged Access Management platform, designed specifically for MSPs, helps address the following cybersecurity objectives.
NIST 800-171

| Objective | Description |
| --- | --- |
| 3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). |
| 3.1.2 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. |
| 3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. |
| 3.1.5 | Employ the principle of least privilege, including for specific security functions and privileged accounts. |
| 3.3.2 | Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. |
NIST 800-53

| Objective | Description |
| --- | --- |
| 3.7 | Access Enforcement, Role-based Access Control: Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles]. |
NIST 800-66

| Objective | Description |
| --- | --- |
| 5.3.1.3 | Ensure that all system users have been assigned a unique identifier. |
CIS Controls

| Objective | Description |
| --- | --- |
| 5.4 | Restrict administrator privileges to dedicated administrator accounts. |
| 5.6 | Centralize account management. |
| 6.1 | Establish an access granting process. |
| 6.2 | Establish an access revoking process. |
| 6.8 | Define and maintain role-based access control. |
| 8.2 | Collect audit logs. |
| 8.5 | Collect detailed audit logs. |
| 8.10 | Retain audit logs. |
CMMC

| Objective | Description |
| --- | --- |
| AC.1.001 | Authorized Access Control: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). |
PCI

| Objective | Description |
| --- | --- |
| 8.1.3 | Immediately revoke access for terminated users. |
| 8.2.4 | Change user passwords at least every 90 days. |
| 8.5 | Do not use group, shared, or public IDs, passwords, or other authentication methods. |
| 8.5.1 | Additional requirement for service providers only: service providers with remote access to customer premises must use unique authentication information for each customer. |
| 8.6 | Authentication mechanisms must not be shared among multiple accounts, and physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access. |
HIPAA

| Objective | Description |
| --- | --- |
| 164.312(a)(2)(i) | Unique user identification. |
Essential Eight Maturity Model

| Objective | Description |
| --- | --- |
| Level 2 | Restrict Administrative Privileges: privileged access events are logged. |