5.3: Disable Dormant Accounts
Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported
Asset Type | Security Function | Implementation Groups
---|---|---
Users | Respond | 1, 2, 3
Dependencies
Safeguard 5.1: Establish and Maintain an Inventory of Accounts
Inputs
1. GV22: Inventory of accounts
2. Enterprise defined policy for dormant threshold
Assumptions
The list of accounts for the enterprise includes OS-level, database, internal and external application accounts.
A query interface is assumed to enable collection of a “last activity” timestamp, such as last logon, as well as a status indicating if the account is enabled or disabled.
Operations
1. Review Input 2 and note the dormant threshold in terms of days (M2)
2. For each account in GV22, query the interface and collect:
   2.1 The date of last activity for each account
   2.2 Whether the account is disabled or not
3. Using the output of Operation 2.1 and Input 2:
   3.1 Identify and enumerate accounts that have exceeded the dormant threshold (M3)
   3.2 Identify and enumerate accounts that are still within the dormant threshold (M4)
4. Using the output of Operation 2.2 and 3.1 (M3):
   4.1 Identify and enumerate accounts that are disabled (M5)
   4.2 Identify and enumerate accounts that are still enabled (M6)
Measures
M1 = Count of accounts in GV22
M2 = Timeframe of dormant threshold in days
M3 = Count of dormant accounts
M4 = Count of active accounts
M5 = Count of dormant accounts that have been disabled
M6 = Count of dormant accounts still enabled
Metrics
Dormant Accounts
Enabled Dormant Accounts
Metric | The percentage of dormant accounts still enabled
---|---
Calculation |
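As an added worked example (not part of the CIS page and not a tool the page describes), the operations and measures above carried out in Python over a small constructed account inventory. The Account class, the sample rows, the as-of date, the "exceeded" comparison (strictly more than the threshold in days) and the decision to treat an account with no recorded activity as dormant are all assumptions made for this example; M1 to M6 and the "Enabled Dormant Accounts" metric (M6 as a percentage of M3) follow the definitions on the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    """One row of the account inventory (GV22), as returned by the query interface."""
    name: str
    last_activity: Optional[date]  # None: the interface returned no activity record
    enabled: bool


# Constructed sample inventory for this example; not data from any real enterprise.
AS_OF = date(2024, 6, 30)
DORMANT_THRESHOLD_DAYS = 45  # Input 2: enterprise defined policy (M2)
SAMPLE_GV22 = [
    Account("alice", date(2024, 6, 28), True),        # active, enabled
    Account("bob", date(2024, 3, 1), True),           # dormant, still enabled
    Account("svc-backup", date(2024, 1, 15), False),  # dormant, already disabled
    Account("carol", date(2024, 5, 20), True),        # active (41 days)
    Account("legacy-admin", None, True),              # no activity record (assumed dormant)
]


def is_dormant(account, threshold_days, as_of):
    """Operation 3: an account is dormant when its last activity is older than the
    threshold. Assumption (not stated on the page): an account with no activity
    record at all is counted as dormant rather than active."""
    if account.last_activity is None:
        return True
    return (as_of - account.last_activity) > timedelta(days=threshold_days)


def compute_measures(accounts, threshold_days, as_of):
    """Operations 1 to 4: derive measures M1..M6 from the inventory.

    Also returns the names of dormant accounts that are still enabled, which is
    the list a responder actually needs to act on."""
    dormant = [a for a in accounts if is_dormant(a, threshold_days, as_of)]
    active = [a for a in accounts if not is_dormant(a, threshold_days, as_of)]
    return {
        "M1": len(accounts),                                   # accounts in GV22
        "M2": threshold_days,                                  # dormant threshold in days
        "M3": len(dormant),                                    # dormant accounts
        "M4": len(active),                                     # active accounts
        "M5": sum(1 for a in dormant if not a.enabled),        # dormant and disabled
        "M6": sum(1 for a in dormant if a.enabled),            # dormant but still enabled
        "dormant_enabled_names": sorted(a.name for a in dormant if a.enabled),
    }


def enabled_dormant_percentage(measures):
    """Metric 'Enabled Dormant Accounts': percentage of dormant accounts still enabled,
    i.e. M6 as a share of M3. The ratio is undefined when there are no dormant
    accounts, so that case returns 0.0 instead of raising ZeroDivisionError."""
    if measures["M3"] == 0:
        return 0.0
    return 100.0 * measures["M6"] / measures["M3"]


if __name__ == "__main__":
    m = compute_measures(SAMPLE_GV22, DORMANT_THRESHOLD_DAYS, AS_OF)
    for key in ("M1", "M2", "M3", "M4", "M5", "M6"):
        print(f"{key} = {m[key]}")
    print(f"Enabled dormant accounts: {enabled_dormant_percentage(m):.1f}%")
    print("Still enabled and dormant:", ", ".join(m["dormant_enabled_names"]))
```

In a real run the inventory rows would come from the query interface the page assumes (directory, database and application account stores), and the names in `dormant_enabled_names` are the accounts to disable or delete under the safeguard.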