The Center for Internet Security Controls, or CIS Controls for short, have become an industry standard that helps businesses and organizations of all sizes maintain a best-practice standard of cybersecurity controls.

Safeguard 5.5 is similar to 5.1 in that it calls for an inventory of accounts, but 5.5 specifically requires an inventory of your service accounts. At minimum it must contain the department owner, review date, and purpose. You should also perform service account reviews on a recurring schedule, at least quarterly, to validate that all active accounts are authorized.

We covered this in 5.1, where every account that can successfully log in should be inventoried, and 5.5 doesn't change that. It does, however, require you to store different data: with 5.1 you have to store the person's name, username, start and stop dates, and department, while 5.5 requires the department owner, review date, and the purpose of the service account. That is enough for it to be called out separately.

Safeguard 5.5 is also only required if you are seeking Implementation Group 2 or 3 status, but let's be honest: this is a requirement for everyone. You want to know everyone that has keys to your house, so why wouldn't you want an inventory of everyone that has access to your data?

Active Directory counts as an inventory tool, as it maintains the records and you can add notes or custom attributes to cover the requirements here. Having SSO set up can also help, because you are forcing a single sign-on inventory platform, so you know all of these systems are using your AD or AAD (Entra ID) platform.

You have it done; making sure you check the sub-boxes is where most of us will fall short, and it's great practice to start doing that today. So review your service accounts and document the department owner, today's date (last review date), and the purpose of the account.
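One way to check those sub-boxes automatically, as an added example that is not part of the original post: a Python audit over a service account inventory exported to CSV, flagging missing 5.5 fields and reviews older than a quarter. The column names, the sample rows, and the 92-day reading of "quarterly" are assumptions.

```python
import csv
import io
from datetime import date, datetime

REQUIRED = ("department_owner", "purpose", "last_review")  # fields Safeguard 5.5 calls for
MAX_REVIEW_AGE_DAYS = 92  # assumption: "at least quarterly" read as no more than 92 days

# Constructed sample export; column names are assumptions, not an AD schema.
SAMPLE_CSV = """account,enabled,department_owner,purpose,last_review
svc-backup,true,IT Operations,Nightly backup agent,2024-05-20
svc-sql,true,,ERP database service,2024-01-15
svc-scan,true,Facilities,,not recorded
svc-legacy,false,Finance,Retired reporting job,2022-11-01
"""

def audit_service_accounts(csv_text, today):
    """Return {account: [findings]} for every account with a 5.5 gap."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = []
        # Every inventoried account needs all three fields filled in.
        for field in REQUIRED:
            if not (row.get(field) or "").strip():
                findings.append(f"missing {field}")
        raw = (row.get("last_review") or "").strip()
        if raw:
            try:
                reviewed = datetime.strptime(raw, "%Y-%m-%d").date()
            except ValueError:
                findings.append(f"unparseable last_review {raw!r}")
            else:
                age = (today - reviewed).days
                enabled = (row.get("enabled") or "").strip().lower() == "true"
                if age < 0:
                    findings.append("last_review is in the future")
                elif enabled and age > MAX_REVIEW_AGE_DAYS:
                    # Only active accounts are held to the quarterly review.
                    findings.append(f"review overdue ({age} days old)")
        if findings:
            report[row["account"]] = findings
    return report

if __name__ == "__main__":
    for account, findings in audit_service_accounts(SAMPLE_CSV, date(2024, 6, 30)).items():
        print(f"{account}: {'; '.join(findings)}")
```

Disabled accounts are still checked for complete inventory fields here, but not for review age.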

Then check off 5.5, and you're already well on your way to becoming IG2 compliant.

Contact Info

717.884.9030

Scott@ScottRDavis.com