Identities are disabled after a defined period of inactivity, where feasible
Context and Guidance: Deprovisioning identities after a defined period of inactivity reduces the risk that a dormant account is misused or targeted by an attacker. The period of inactivity must be established by the organisation commensurate with the potential risk; for example, temporary identities issued to contractors might appropriately be disabled after 30 days or less. An organisation may implement this control by first monitoring the last-logon timestamp or similar attributes to identify periods of inactivity. Identities that have exceeded the defined period can then be disabled, or removed if they are no longer needed. Maintaining a list of accounts that are dormant by nature but still required to meet operational requirements (for example, break-glass or disaster-recovery accounts) makes this review more efficient and prevents those accounts from being disabled by mistake. Although this practice may be enforced by automated means, the impact on operations should be carefully considered before automated deprovisioning is implemented.
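The review described above, as an added example rather than text or code from the C2M2 practice itself: the script measures idle time from the last-logon timestamp (or from the creation date for accounts that have never signed in), applies a per-account-type threshold, reports exempt and already-disabled accounts separately so the exemption list is itself reviewed, and defaults to a dry run so the plan can be checked before anything is disabled. The account records, the 90-day and 180-day thresholds and the exemption list are constructed assumptions; only the 30-day contractor value comes from the guidance.

```python
"""Identify dormant identities for disabling, with an exemption list.

Added illustration, not part of the C2M2 text. All account records, thresholds
other than the 30-day contractor value, and the exemption list are constructed
sample data, not real directory output.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Inactivity thresholds in days per account type. 30 days for contractors
# follows the guidance; the employee and service values are assumed.
THRESHOLD_DAYS = {"employee": 90, "contractor": 30, "service": 180}


@dataclass
class Identity:
    name: str
    account_type: str
    created: datetime
    last_logon: Optional[datetime]  # None means the account has never signed in
    enabled: bool = True


def _require_aware(ts: datetime, label: str) -> None:
    # Directory exports often mix naive and UTC timestamps; comparing a naive
    # value against an aware one raises TypeError, so fail early with context.
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{label} timestamp must be timezone-aware")


def days_idle(ident: Identity, now: datetime) -> int:
    """Whole days since the last sign-in, or since creation if never used."""
    _require_aware(now, "now")
    reference = ident.last_logon if ident.last_logon is not None else ident.created
    _require_aware(reference, ident.name)
    return (now - reference).days


def is_dormant(ident: Identity, now: datetime) -> bool:
    return days_idle(ident, now) > THRESHOLD_DAYS[ident.account_type]


def plan_deprovisioning(identities: List[Identity], now: datetime,
                        exempt: Set[str]) -> Tuple[List[str], Dict[str, str]]:
    """Return (names_to_disable, skipped) where skipped maps name -> reason.

    Exempt names are accounts that are dormant by nature but operationally
    required. Dormant exempt accounts are reported, not silently ignored, so
    the exemption list gets reviewed alongside the disable list.
    """
    to_disable: List[str] = []
    skipped: Dict[str, str] = {}
    for ident in identities:
        if not ident.enabled:
            skipped[ident.name] = "already disabled"
        elif not is_dormant(ident, now):
            continue
        elif ident.name in exempt:
            skipped[ident.name] = "exempt"
        else:
            to_disable.append(ident.name)
    return to_disable, skipped


def apply_plan(identities: List[Identity], names: List[str],
               dry_run: bool = True) -> List[str]:
    """Disable the planned accounts; in dry-run mode only report what would change."""
    by_name = {i.name: i for i in identities}
    actions = []
    for name in names:
        if not dry_run:
            by_name[name].enabled = False
        actions.append(f"{'would disable' if dry_run else 'disabled'} {name}")
    return actions


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data: a fixed "now" and a handful of invented accounts.
NOW = _utc(2024, 6, 1)
EXEMPT = {"dr-failover-svc"}  # dormant by design, still required for DR
SAMPLE_IDENTITIES = [
    Identity("alice", "employee", _utc(2022, 1, 1), _utc(2024, 5, 28)),
    Identity("bob", "employee", _utc(2022, 1, 1), _utc(2024, 1, 15)),
    Identity("ctr-dave", "contractor", _utc(2024, 3, 1), _utc(2024, 4, 20)),
    Identity("ctr-erin", "contractor", _utc(2024, 5, 20), None),   # new, unused
    Identity("ctr-frank", "contractor", _utc(2024, 2, 1), None),   # never used
    Identity("dr-failover-svc", "service", _utc(2020, 1, 1), _utc(2023, 1, 1)),
    Identity("gina", "employee", _utc(2021, 1, 1), _utc(2023, 1, 1), enabled=False),
]

if __name__ == "__main__":
    disable, skip = plan_deprovisioning(SAMPLE_IDENTITIES, NOW, EXEMPT)
    for line in apply_plan(SAMPLE_IDENTITIES, disable, dry_run=True):
        print(line)
    for name, reason in skip.items():
        print(f"skipped {name}: {reason}")
```

Running the script prints the dry-run plan (bob, ctr-dave and ctr-frank would be disabled) and lists the exempt DR service account and the already-disabled account as skipped. Note that ctr-erin is not flagged even though it has never signed in: idle time for never-used accounts is measured from creation, which gives newly issued identities a grace period equal to their threshold.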
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: ACCESS-1a, ACCESS-1c, ACCESS-1e, ACCESS-1f, ACCESS-1j.