Profile Applicability:
Level 1
Description:
The number of administrator accounts within the organization’s collaboration or version control platform must be limited to the minimum necessary for effective management and operational functions. Restricting administrative privileges reduces the attack surface and prevents unauthorized or accidental changes that could compromise security and governance.
Rationale:
Limiting administrators enforces the principle of least privilege, reducing risks associated with insider threats, accidental misconfigurations, or malicious activity. It enhances accountability and simplifies management and auditing of privileged access.
Impact:
Pros:
Minimizes risk of unauthorized access or changes.
Simplifies auditing and management of privileged accounts.
Supports compliance with security policies and standards.
Cons:
May create operational bottlenecks if administrative duties are too narrowly assigned.
Requires careful planning for role delegation and succession.
Default value:
On GitHub, the user who creates an organization is its only owner; on GitLab, the user who creates a group is its only Owner. Neither platform caps the number of administrators, so the count grows as owner or admin roles are granted for convenience and never revoked, and organizations that have not reviewed the role routinely hold more administrators than they need.
Audit:
List every account holding the top-level administrative role (GitHub organization owners, GitLab group Owners, and any instance-level administrators) and compare the list with the documented, approved set of administrators. Verify that each account has a current business need for the role, that the total does not exceed the organization's defined maximum, and that periodic access reviews are recorded. Confirm as well that more than one administrator exists, so that the organization is not locked out when a single owner leaves (see the Cons above).
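The following script is an added example of how this audit can be automated; it is not part of the benchmark text or of either platform's tooling. It lists GitHub organization owners through GET /orgs/{org}/members?role=admin and GitLab group Owners through GET /groups/:id/members/all (access_level 50), then checks the result against an approved list and a maximum count. The API responses embedded below are constructed samples so the check runs offline; APPROVED_ADMINS, MAX_ADMINS, and the GITHUB_TOKEN and GITHUB_ORG environment variables are hypothetical policy inputs, and a real run needs a token with organization read access (read:org on GitHub, read_api on GitLab).

```python
"""Added audit example: enumerate top-level administrators and flag deviations."""
import json
import os
import urllib.parse
import urllib.request

# Constructed API responses so the evaluation can run offline (real responses carry more fields).
SAMPLE_GITHUB_ADMINS = [{"login": "alice"}, {"login": "bob"},
                        {"login": "svc-deploy"}, {"login": "dave"}]
SAMPLE_GITLAB_MEMBERS = [
    {"username": "alice", "access_level": 50},
    {"username": "carol", "access_level": 40},  # Maintainer, not Owner
    {"username": "erin", "access_level": 50},
]
# Hypothetical policy inputs: the documented approved administrators and the agreed ceiling.
APPROVED_ADMINS = {"alice", "bob", "erin"}
MAX_ADMINS = 3


def _get_json(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_github_owners(org, token):
    """Page through GET /orgs/{org}/members?role=admin; role=admin returns organization owners."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"}
    owners, page = [], 1
    while True:
        url = f"https://api.github.com/orgs/{org}/members?role=admin&per_page=100&page={page}"
        batch = _get_json(url, headers)
        owners.extend(batch)
        if len(batch) < 100:
            return [m["login"] for m in owners]
        page += 1


def gitlab_owner_logins(members):
    """Keep only Owners (access_level 50) from a /members/all response."""
    return [m["username"] for m in members if m.get("access_level") == 50]


def fetch_gitlab_owners(group, token, base="https://gitlab.com"):
    """Page through GET /groups/:id/members/all, which includes inherited members."""
    headers = {"PRIVATE-TOKEN": token}
    gid = urllib.parse.quote(group, safe="")  # full path such as "acme/platform" must be URL-encoded
    members, page = [], 1
    while True:
        url = f"{base}/api/v4/groups/{gid}/members/all?per_page=100&page={page}"
        batch = _get_json(url, headers)
        members.extend(batch)
        if len(batch) < 100:
            return gitlab_owner_logins(members)
        page += 1


def evaluate_admins(logins, approved, max_admins):
    """Compare the observed administrators with policy and return the findings."""
    logins = sorted(set(logins))
    findings = {
        "count": len(logins),
        "over_limit": len(logins) > max_admins,
        "unapproved": [l for l in logins if l not in approved],
        "single_admin": len(logins) < 2,  # one owner is a lockout risk, not a least-privilege win
        "logins": logins,
    }
    findings["pass"] = not (findings["over_limit"] or findings["unapproved"] or findings["single_admin"])
    return findings


if __name__ == "__main__":
    if os.environ.get("GITHUB_TOKEN") and os.environ.get("GITHUB_ORG"):
        gh_owners = fetch_github_owners(os.environ["GITHUB_ORG"], os.environ["GITHUB_TOKEN"])
    else:
        gh_owners = [m["login"] for m in SAMPLE_GITHUB_ADMINS]
    print("GitHub:", json.dumps(evaluate_admins(gh_owners, APPROVED_ADMINS, MAX_ADMINS), indent=2))
    gl_owners = gitlab_owner_logins(SAMPLE_GITLAB_MEMBERS)
    print("GitLab:", json.dumps(evaluate_admins(gl_owners, APPROVED_ADMINS, MAX_ADMINS), indent=2))
```

With the constructed sample the GitHub check fails (four owners against a ceiling of three, with svc-deploy and dave absent from the approved list), while the GitLab check passes because carol holds Maintainer rather than Owner. The single_admin finding is deliberate: reducing to one owner satisfies the count but creates the succession problem noted under Cons.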
Remediation:
Define in policy the maximum number of administrators and the roles that justify the privilege. Remove administrative rights from accounts that do not need them, and downgrade accounts that only need repository- or project-level control to narrower roles (for example, a GitHub repository admin or team maintainer, or a GitLab Maintainer on the relevant project). Conduct regular access reviews, require documented approval before administrative access is granted, and keep at least two administrators so that departures do not lock the organization out.
References:
GitHub Organization Roles and Permissions: https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles
GitLab User and Group Permissions: https://docs.gitlab.com/ee/user/permissions.html
CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/