Remove inactive accounts periodically
Summary
The organization must remove inactive user accounts periodically (purging).
Description
Inactive user accounts left in a system are a security risk. If they have not been properly deactivated or removed, they can be taken over and used for unauthorized access or other exploitation by malicious actors, often without anyone noticing, since no legitimate owner is watching them.
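As an added illustration (this is example code, not part of this requirement page or of Fluid Attacks' tooling), the following Python script shows how a periodic purge job could classify accounts from a user export: disable accounts idle for 90 days (the figure cited by the PCI DSS 8.2.6 reference below) and purge them after a longer window. The export format, the account fields, the 180-day purge window and the sample records are all assumptions constructed for the example. Accounts that have never logged in are measured from their creation date so that provisioned-but-unused accounts are caught as well.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds are assumptions for this example. The 90-day figure matches the
# PCI DSS 8.2.6 reference on the page; the 180-day purge window is illustrative.
DISABLE_AFTER_DAYS = 90
PURGE_AFTER_DAYS = 180


@dataclass
class Account:
    username: str
    created: date
    last_login: Optional[date]  # None means the account has never logged in
    enabled: bool


def parse_export(lines):
    """Parse a constructed 'username,created,last_login,enabled' CSV export.

    An empty last_login column means the account never authenticated.
    Blank lines and lines starting with '#' are ignored.
    """
    accounts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        username, created, last_login, enabled = line.split(",")
        accounts.append(Account(
            username=username,
            created=date.fromisoformat(created),
            last_login=date.fromisoformat(last_login) if last_login else None,
            enabled=enabled.strip().lower() == "true",
        ))
    return accounts


def days_inactive(acct, today):
    # Never-used accounts are measured from creation so that a provisioned
    # but unused account does not escape the review.
    reference = acct.last_login or acct.created
    return (today - reference).days


def classify(acct, today):
    """Return 'purge', 'disable' or 'keep' for one account."""
    idle = days_inactive(acct, today)
    if idle >= PURGE_AFTER_DAYS:
        return "purge"
    if acct.enabled and idle >= DISABLE_AFTER_DAYS:
        return "disable"
    # Either recently active, or already disabled and still inside the purge window.
    return "keep"


def review_accounts(lines, today_iso):
    """Map each username in the export to the action the purge job should take."""
    today = date.fromisoformat(today_iso)
    return {a.username: classify(a, today) for a in parse_export(lines)}


# Constructed sample export; not data from any real system.
SAMPLE_EXPORT = """\
# username,created,last_login,enabled
alice,2023-01-10,2024-06-25,true
bob,2023-01-10,2024-03-01,true
carol,2022-06-01,2023-11-01,true
dave,2024-05-01,,true
erin,2024-01-01,,true
frank,2023-01-10,2024-03-15,false
""".splitlines()

if __name__ == "__main__":
    # Review as of a fixed date so the run is reproducible.
    for user, action in review_accounts(SAMPLE_EXPORT, "2024-06-30").items():
        print(f"{user:<8} {action}")
```

In a real deployment the export would come from the identity provider or directory, the job would write an audit record for every disable and purge decision, and the disable step would run before the purge step so that a mistaken classification can be reversed during the grace window.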
Supported In
This requirement is verified in the following services:
| Plan | Supported |
|---|---|
| Essential | 🔴 |
| Advanced | 🟢 |
References
- CIS-5_3. Disable dormant accounts
- NIST 800-53-AC-2_3. Disable accounts
- NIST 800-53-AC-2_10. Shared and group account credential change
- NIST 800-53-AC-2_13. Disable accounts for high-risk individuals
- SOC2®-CC6_5. Logical and physical access controls
- CMMC-AC_L2-3_1_10. Session lock
- CMMC-IA_L2-3_5_6. Identifier handling
- FedRAMP-AC-2_3. Account management - Disable inactive accounts
- ISSAF-Q_16_20. Host security - Windows security (local attacks)
- ISSAF-U_9. Web application SQL injections - Bypass user authentication
- OWASP Top 10 Privacy Risks-P6. Insufficient deletion of personal data
- OWASP SCP-5. Access control
- C2M2-4_1_c. Establish identities and manage authentication
- C2M2-4_1_f. Establish identities and manage authentication
- C2M2-4_1_j. Establish identities and manage authentication
- PCI DSS-2_2_2. System components are configured and managed securely
- PCI DSS-8_2_6. Inactive user accounts are removed within 90 days of inactivity
- SIG Core-H_2_3. Access control
- FISMA-AC-2_3. Disable accounts
- FISMA-AC-2_10. Shared and group account credential change
- FISMA-AC-2_13. Disable accounts for high-risk individuals
Vulnerabilities