Homexnetd.com

3.5 IDENTIFICATION AND AUTHENTICATION

3.5.6 Disable identifiers after a defined period of inactivity

By wnoble2005@gmail.com (William Noble), 2024-03-01
NIST 800-171 control 3.5.6 addresses inactive accounts by automatically disabling them after a set period. This reduces the risk of attackers exploiting forgotten accounts. By linking activity to specific users, it strengthens accountability. Implementation involves defining an inactivity period (e.g., 30 days) and automatically disabling accounts after that time. An audit log tracks disabled accounts and reactivations for oversight.

Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained.

Benefits:

Reduced Attack Surface: By eliminating inactive accounts, you minimize the number of potential entry points for attackers. Dormant accounts are attractive targets as they may go unnoticed if compromised.

Enhanced Accountability: This control enforces accountability by ensuring users are actively using their assigned accounts. This reduces the risk of unauthorized access due to forgotten or misused credentials.

Improved Security Posture: Disabling inactive accounts minimizes the number of dormant accounts that could be compromised. This strengthens your overall security posture by reducing the potential impact of a successful attack.

Accountability:

Senior Management: Sets the security tone by prioritizing control implementation. They ensure adequate resources and budget allocation for IT security and user provisioning processes.

IT Security Team: Implements technical controls to identify inactive accounts and automates their disabling after a pre-defined period. They also define and update policies for account activity thresholds and disablement procedures.

System Owners: Understand the criticality of their systems and data. They assist in defining risk-based thresholds for inactivity based on system access needs. They also participate in reviewing account activity reports and escalation procedures for disabled accounts needing reactivation.

Individual Users: Take responsibility for account security by practicing good password hygiene and avoiding account sharing. They should notify IT of any prolonged periods of inactivity to prevent accidental disablement.

Implementation:

Automated Disabling: Configure user accounts to automatically deactivate after a predefined period of inactivity. This period should be determined by your organization's risk tolerance.

Defined Inactivity Period: Establish a policy outlining the inactivity threshold for account disabling. Higher-risk environments may require shorter inactivity periods for stricter control.

User Notification: Implement mechanisms to notify users before their accounts are disabled. This provides them with an opportunity to reactivate the account if it's still needed.

Regular Review: Regularly assess disabled accounts to ensure legitimate access isn't impeded. This may involve procedures for reactivating accounts upon user request.
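As an added illustration of the implementation steps above (example code, not from the original page or any particular product), here is a Python sketch of the enforcement loop: a 30-day threshold with an assumed 7-day warning window, a never-used identifier measured from its creation date, and an audit record for every warning, disablement and reactivation. The account records and the fixed clock are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Account:
    name: str
    created: datetime
    last_login: Optional[datetime]  # None means the identifier was never used
    disabled: bool = False


def classify(acct, now, inactivity_days=30, warn_days=7):
    """Decide one account's state: 'already-disabled', 'disable', 'warn' or 'ok'.
    A never-used identifier is measured from its creation date, so a provisioned
    but unused account cannot stay enabled indefinitely (30d/7d are assumed policy)."""
    if acct.disabled:
        return "already-disabled"
    idle = now - (acct.last_login or acct.created)
    if idle >= timedelta(days=inactivity_days):
        return "disable"
    if idle >= timedelta(days=inactivity_days - warn_days):
        return "warn"
    return "ok"


def enforce(accounts, now, audit_log, **policy):
    """Apply the policy to every account, log each warn/disable, return name -> decision."""
    decisions = {}
    for acct in accounts:
        action = decisions[acct.name] = classify(acct, now, **policy)
        if action == "disable":
            acct.disabled = True
        if action in ("disable", "warn"):
            audit_log.append({"ts": now.isoformat(), "account": acct.name, "action": action})
    return decisions


def reactivate(acct, now, approver, audit_log):
    """Re-enable after review: record the approver and restart the inactivity clock."""
    acct.disabled = False
    acct.last_login = now
    audit_log.append({"ts": now.isoformat(), "account": acct.name, "action": "reactivate", "approver": approver})


# Constructed sample data (not real identifiers); a fixed clock keeps the run reproducible.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE = [
    Account("alice", NOW - timedelta(days=400), NOW - timedelta(days=2)),   # active -> ok
    Account("bob", NOW - timedelta(days=400), NOW - timedelta(days=25)),    # inside warning window -> warn
    Account("carol", NOW - timedelta(days=400), NOW - timedelta(days=45)),  # past threshold -> disable
    Account("dave", NOW - timedelta(days=31), None),                        # never used -> disable
]
```

Running `enforce(SAMPLE, NOW, log)` on the sample yields ok/warn/disable/disable for alice/bob/carol/dave; calling `reactivate` on carol records the approver and a second `enforce` pass leaves her enabled.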

Category: Cybersecurity Maturity Model
Family: Identification and Authentication (AC 3.5)
Type: Derived Security Requirements