CIS Control 6.6: Establish and Maintain an Inventory of Authentication and Authorization Systems
Authentication and authorization systems are critical attack surfaces—yet many organizations lack visibility into all the systems managing access across their environment. CIS Control 6.6 requires you to create and maintain a comprehensive inventory of every authentication and authorization system, whether on-premises or cloud-hosted, and review it annually to catch orphaned or rogue systems before they become security liabilities.
What this means
This control mandates that your organization document every system responsible for authenticating users or authorizing access to resources. This includes identity providers, directory services, single sign-on platforms, role-based access control systems, and any third-party authentication services. The inventory must be current, accurate, and regularly audited to identify systems that have been added, removed, or forgotten over time.
How to comply
- 1.Identify all authentication and authorization systems across your enterprise, including on-premises infrastructure and cloud service providers.
- 2.Document each system with relevant metadata: system name, owner, location (on-premises or cloud provider), type of authentication method, and integration points.
- 3.Establish a centralized inventory management process and assign ownership for maintaining accuracy and completeness.
- 4.Conduct a comprehensive audit at least annually to verify inventory accuracy, identify new systems, and remove decommissioned systems.
- 5.Document findings from annual reviews and track remediation of any gaps or unauthorized systems discovered.
- 6.Integrate inventory updates into your change management process so new authentication systems are logged immediately upon deployment.
Evidence auditors look for
- Documented inventory of authentication and authorization systems with owner, location, and type fields
- Annual review and sign-off documentation showing the inventory was audited and verified
- Change log showing updates to the inventory when systems are added or removed
- List of third-party authentication service providers and integration details
- Evidence of remediation for any unauthorized or orphaned systems identified during reviews
- Audit trail showing who accessed and modified the inventory and when
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically discovers and catalogs authentication and authorization systems across your infrastructure, eliminating manual inventory work and alerting you to new or undocumented systems so you stay audit-ready year-round.
See how GRCWatch handles this control automatically
Start free trial