Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-70291 | APSC-DV-002880 | SV-84913r1_rule | Medium |
Description |
---|
A comprehensive account management process will ensure that only authorized users can gain access to applications and that individual accounts designated as inactive, suspended, or terminated are promptly deactivated. Such a process greatly reduces the risk that accounts will be misused, hijacked, or data compromised. |
STIG | Date |
---|---|
Application Security and Development Security Technical Implementation Guide | 2017-03-20 |
Check Text ( C-70767r1_chk ) |
---|
Interview the application representative to verify that a documented process exists for user and system account creation, termination, and expiration. Obtain a list of recently departed personnel and verify that their accounts were removed or deactivated on all systems in a timely manner (e.g., less than two days). If a documented account management process does not exist or unauthorized users have active accounts, this is a finding. |
Fix Text (F-76527r1_fix) |
---|
Establish an account management process. |