CIS Control 6.6 Establish and Maintain an Inventory of Authentication and Authorization Systems
The Center for Internet Security (CIS) Controls continue to focus on foundational security practices, and Control 6.6 is about knowing exactly which systems handle your authentication and authorization processes.
This safeguard emphasizes the need to establish and maintain an inventory of all authentication and authorization systems, whether they’re hosted on-site or managed by a remote service provider.
Here’s what it entails:
- What Are Authentication and Authorization Systems? These are the systems that verify who your users are (authentication) and what they’re allowed to do (authorization). Examples include Microsoft Active Directory, Azure AD, Okta, or custom identity providers.
- Why Maintain an Inventory? Knowing exactly which systems manage your access controls gives you the visibility needed to secure these critical components. Without this inventory, it’s easy to overlook a vulnerable or outdated system, or one that was added or migrated without anyone recording it.
- Regular Updates: This inventory isn’t a “set it and forget it” task. You’re required to review and update it at least annually or whenever significant changes occur, like adding new systems or migrating to a different service provider.
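The three points above describe a small, concrete procedure: record each authentication and authorization system with where it is hosted and who owns it, check the inventory at least annually, and update it whenever a significant change occurs. The following Python module is an added example (not part of the CIS Controls or this article) that implements that procedure. The record fields, the 365-day review interval, the sample inventory entries and the list of "observed" system names are all constructed for illustration; the vendor names are only used as example provider values.

```python
"""Inventory of authentication and authorization systems (CIS Control 6.6).

Added example, not part of the original article. Field names, the review
interval and all sample data are constructed assumptions for illustration.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=365)  # "at least annually" (assumed exact interval)
VALID_ROLES = {"authentication", "authorization", "both"}
VALID_HOSTING = {"on-site", "remote service provider"}


@dataclass(frozen=True)
class AuthSystem:
    """One inventory record for a system that verifies identity or grants access."""
    name: str            # unique identifier used in the inventory
    role: str            # "authentication", "authorization" or "both"
    hosting: str         # "on-site" or "remote service provider"
    provider: str        # vendor or internal team that operates it
    owner: str           # accountable person or team inside the organization
    last_reviewed: date  # date of the last inventory review of this record


# Constructed sample inventory (not real systems).
INVENTORY = [
    AuthSystem("corp-ad", "both", "on-site", "Microsoft Active Directory",
               "identity-team", date(2024, 3, 1)),
    AuthSystem("cloud-sso", "authentication", "remote service provider", "Okta",
               "identity-team", date(2023, 1, 15)),
    AuthSystem("app-rbac", "authorization", "on-site", "internal",
               "platform-team", date(2024, 9, 10)),
]


def validate(inventory):
    """Return a list of problems: duplicate names, bad role/hosting values, empty owner."""
    problems = []
    seen = set()
    for s in inventory:
        if s.name in seen:
            problems.append(f"{s.name}: duplicate entry")
        seen.add(s.name)
        if s.role not in VALID_ROLES:
            problems.append(f"{s.name}: unknown role {s.role!r}")
        if s.hosting not in VALID_HOSTING:
            problems.append(f"{s.name}: unknown hosting {s.hosting!r}")
        if not s.owner:
            problems.append(f"{s.name}: no accountable owner")
    return problems


def systems_due_for_review(inventory, today):
    """Names of records whose last review is at least REVIEW_INTERVAL old."""
    return [s.name for s in inventory if today - s.last_reviewed >= REVIEW_INTERVAL]


def record_significant_change(inventory, name, today, **changes):
    """Apply a significant change (e.g. migration to another provider) and
    reset the record's review date, returning a new inventory list."""
    updated, found = [], False
    for s in inventory:
        if s.name == name:
            found = True
            s = replace(s, last_reviewed=today, **changes)
        updated.append(s)
    if not found:
        raise KeyError(f"{name} is not in the inventory")
    return updated


def unlisted_systems(inventory, observed_names):
    """Observed system names (e.g. from SSO logs or vendor contracts) that the
    inventory does not know about; these are candidates for overlooked systems."""
    known = {s.name for s in inventory}
    return sorted(set(observed_names) - known)


if __name__ == "__main__":
    today = date(2025, 1, 20)  # constructed review date
    print("validation problems:", validate(INVENTORY))
    print("due for review:", systems_due_for_review(INVENTORY, today))
    migrated = record_significant_change(
        INVENTORY, "cloud-sso", today, provider="ExampleIdP (placeholder)")
    print("due after migration recorded:", systems_due_for_review(migrated, today))
    print("unlisted:", unlisted_systems(INVENTORY, ["corp-ad", "cloud-sso", "legacy-ldap"]))
```

The `unlisted_systems` check is the part that turns the inventory from a document into a control: comparing the records against whatever source of truth you have for systems in use (identity provider logs, vendor contracts, cloud tenant listings) surfaces the authentication or authorization system nobody wrote down, which is exactly the gap the safeguard is meant to close.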
Why is this important? Authentication and authorization systems are at the core of your security infrastructure: if one of them is compromised, an attacker can act as any of its users, and your entire network and data could be at risk. Keeping a comprehensive and up-to-date inventory helps ensure these systems are properly monitored, maintained, and secured.
To recap, CIS Control 6.6 ensures you maintain a clear and accurate inventory of the systems that control who accesses what. This is a critical step in managing your organization’s security posture effectively.