Which Frameworks Require Restricting Access to Administrators

  • Australian Cyber Security Centre (ACSC) Essential Eight: Part of the Essential Eight framework focuses on limiting administrative privileges and restricting internet access for accounts with administrative permissions. This is to prevent attackers from using admin accounts to download malware or communicate with command-and-control servers.
  • NIST Cybersecurity Framework (CSF): NIST Special Publication 800-53 (Security and Privacy Controls for Information Systems and Organizations), which supports NIST CSF, includes controls on restricting internet access for privileged users. Control AC-6 (Least Privilege) and SC-7 (Boundary Protection) guide organizations to restrict high-privilege accounts from accessing unnecessary external services.
  • Center for Internet Security (CIS) Controls: CIS Control 4, “Controlled Use of Administrative Privileges,” recommends that administrative accounts be restricted from using internet services that are not essential to their function. The principle is to limit admin accounts to only the tasks they require and to avoid web access that may introduce risk.
  • ISO/IEC 27001: While ISO/IEC 27001 does not explicitly mandate internet access restrictions, its focus on access control and secure configurations under Annex A can be applied to restrict internet access for administrative accounts. Organizations following ISO 27001 often include administrative internet restrictions in their security policies to comply with these access and security requirements.
  • Payment Card Industry Data Security Standard (PCI DSS): PCI DSS mandates that organizations with payment card data environments limit administrative privileges and monitor internet use for accounts with elevated access. While not explicit about restricting internet access entirely, PCI DSS does require strict access controls for administrative accounts, which can include blocking external connections to reduce risk exposure.
  • Federal Information Security Management Act (FISMA): For U.S. federal agencies, FISMA compliance often involves aligning with NIST 800-53 controls, which, as noted above, support limiting internet access for administrative accounts to prevent the misuse of high-level privileges.