|Finding ID||Version||Rule ID||IA Controls||Severity|
|A comprehensive account management process will ensure that only authorized users can gain access to applications and that individual accounts designated as inactive, suspended, or terminated are promptly deactivated. Such a process greatly reduces the risk that accounts will be misused or hijacked, or that data will be compromised.|
|Application Security and Development Security Technical Implementation Guide||2022-09-21|
|Check Text (C-24289r493765_chk)|
|Interview the application representative to verify that a documented process exists for user and system account creation, termination, and expiration.
Obtain a list of recently departed personnel and verify that their accounts were removed or deactivated on all systems in a timely manner (e.g., less than two days).
If a documented account management process does not exist or unauthorized users have active accounts, this is a finding.|
|Fix Text (F-24278r493766_fix)|
|Establish an account management process.|
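
The second step of the check text (comparing departed personnel against accounts on every system) can be scripted; the following is an added example, not part of the STIG. The record layouts, system names and sample rows are constructed assumptions, and treating a disabled account with no recorded deactivation time as a failure is this example's choice, not a STIG requirement.

```python
from datetime import datetime, timedelta

# Constructed sample data; field layouts and system names are assumptions.
DEPARTED = [  # HR export: (username, departure time)
    ("asmith", "2024-03-01T17:00"),
    ("bjones", "2024-03-04T17:00"),
    ("cdavis", "2024-03-05T12:00"),
]
ACCOUNTS = [  # per-system export: (system, username, status, deactivated_at)
    ("ldap", "ASmith", "disabled", "2024-03-02T09:00"),
    ("vpn", "asmith", "active", None),
    ("ldap", "bjones", "disabled", "2024-03-08T10:00"),
    ("app-db", "bjones", "disabled", "2024-03-05T08:00"),
    ("ldap", "cdavis", "disabled", None),
    ("ldap", "dlee", "active", None),  # current employee, out of scope
]
MAX_DELAY = timedelta(days=2)  # the check text's example: "less than two days"


def audit_departures(departed, accounts, max_delay=MAX_DELAY):
    """Return sorted (username, system, reason) tuples for accounts failing the check."""
    left_at = {u.lower(): datetime.fromisoformat(t) for u, t in departed}
    findings = []
    for system, user, status, deactivated_at in accounts:
        key = user.lower()  # account names often differ in case across systems
        if key not in left_at:
            continue  # not a departed user
        if status == "active":
            findings.append((key, system, "still active"))
        elif deactivated_at is None:
            # Disabled, but timeliness cannot be demonstrated (example's assumption)
            findings.append((key, system, "no deactivation time recorded"))
        elif datetime.fromisoformat(deactivated_at) - left_at[key] >= max_delay:
            findings.append((key, system, "deactivated late"))
    return sorted(findings)


if __name__ == "__main__":
    for user, system, reason in audit_departures(DEPARTED, ACCOUNTS):
        print(f"{user:8} {system:8} {reason}")
```

Accounts belonging to users who were never authorized are outside what this script checks; that part of the finding still requires comparing the account inventory against the authorized-user list.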