Unauthorized or inappropriate account access is likely to occur within organizations if ongoing maintenance is not in place for all accounts with a control policy.
This includes all account types defined by the organization (e.g., user, privileged, system, service, temporary, etc.). Like many Security Program functions, account management is not a “one-and-done” exercise. Account management activities, which must be performed on a recurring basis to maintain effectiveness, are the focus of pitfall #28 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.
Management approval should be required for all requests to create accounts. Accounts should be created, enabled, modified, monitored, disabled, and removed in accordance with an approved Access Control Policy. Supporting procedures should detail the steps required to meet the defined policy control requirements.
Account managers should be notified within twenty-four hours when accounts are no longer needed. Notifications should also be made when personnel are terminated or transferred, personnel go on extended leave, system use requirements change, or if need-to-know changes for personnel.
Periodic internal account and access reviews or audits should be performed, at least annually. More frequent reviews are highly encouraged, especially for reviewing accounts with privileged access. Account and access audits should include reviewing accounts for security and compliance with established Access Control Policy and procedure requirements. These audits or reviews should not be performed by the same personnel that create accounts or provide access permissions.
During these reviews, the privileges assigned to users should be verified to validate that the need for currently assigned privileges still exists. Privileges should be reassigned or removed, if necessary, to correctly reflect the mission or business needs of the organization for the roles being reviewed.
Accounts should be disabled when they have expired and if they are no longer associated with a user or there is no longer an owner of the account. Any account in violation of security policy controls should be disabled and any account that has been inactive for 90 days or more should be disabled. All the information to support these conditions are not likely to be identified without routine account or access reviews.