16.9: Disable Dormant Accounts
Automatically disable dormant accounts after a set period of inactivity.
Asset Type | Security Function | Implementation Groups
---|---|---
Users | Respond | 1, 2, 3
Dependencies
None
Inputs
1. The list of all accounts created in the enterprise
2. An organizationally defined policy indicating a “dormant threshold”: the period of inactivity after which an account is considered dormant (recommended value: 1 month)
Assumptions
The list of accounts for the enterprise includes OS-level, database, internal and external application accounts.
Based on the account location, a query interface is assumed that enables collection of a “last activity” timestamp (such as last logon) as well as a status indicating whether the account is enabled or disabled.
Operations
1. For each account, query the respective interface to collect the account’s last activity.
2. For each account, query the respective interface to collect the account’s enabled/disabled status.
3. Based on Operations 1 and 2, collect those accounts still marked as enabled but whose last activity is beyond the “dormant threshold” defined in Input 2.
Measures
M1 = List of Accounts
M2 = Count of M1
M3 = List of accounts marked as enabled
M4 = Count of M3
M5 = List of accounts that are enabled but whose last activity is older than the dormant threshold
M6 = Count of M5
Metrics
Metric | Question | Calculation
---|---|---
Dormant Accounts | What percentage of all accounts are currently dormant but still enabled? |
Enabled Dormant Accounts | What percentage of accounts marked enabled are currently dormant and still enabled? |
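The three Operations, the measures M1 to M6 and the two metrics above, worked through in Python as an added example (not code from the CIS document). The account inventory is constructed, the 30-day threshold and the treatment of never-used accounts as dormant are assumptions, and because the Calculation cells above are blank, the percentages are computed as M6 over M2 and M6 over M4, as read from the two metric questions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
# Input 2: the dormant threshold (page recommends 1 month; 30 days assumed here).
DORMANT_THRESHOLD = timedelta(days=30)

@dataclass(frozen=True)
class Account:
    name: str
    source: str                        # account location: "os", "database", "app" ...
    enabled: bool                      # Operation 2: enabled/disabled status
    last_activity: Optional[datetime]  # Operation 1: last activity; None = never used

def is_dormant(acct: Account, now: datetime, threshold: timedelta = DORMANT_THRESHOLD) -> bool:
    """Operation 3 filter: last activity lies beyond the threshold.
    An account with no recorded activity is treated as dormant (assumption)."""
    if acct.last_activity is None:
        return True
    return now - acct.last_activity > threshold

def compute_measures(accounts, now: datetime, threshold: timedelta = DORMANT_THRESHOLD) -> dict:
    """M1..M6 as defined on the page."""
    m1 = list(accounts)                                    # M1: all accounts
    m3 = [a for a in m1 if a.enabled]                      # M3: enabled accounts
    m5 = [a for a in m3 if is_dormant(a, now, threshold)]  # M5: enabled and dormant
    return {"M1": m1, "M2": len(m1), "M3": m3, "M4": len(m3), "M5": m5, "M6": len(m5)}

def compute_metrics(measures: dict) -> dict:
    """Assumed calculations: the page leaves the Calculation cells blank, so the
    ratios are read off the metric questions (M6 over M2, and M6 over M4)."""
    def pct(num: int, den: int) -> float:
        return round(100.0 * num / den, 2) if den else 0.0
    return {
        "dormant_accounts_pct": pct(measures["M6"], measures["M2"]),
        "enabled_dormant_accounts_pct": pct(measures["M6"], measures["M4"]),
    }
# Constructed sample inventory (not real accounts); NOW is the assessment time.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("alice", "os", True, datetime(2024, 5, 30, tzinfo=timezone.utc)),     # active
    Account("bob", "database", True, datetime(2024, 3, 1, tzinfo=timezone.utc)),  # dormant (92 days)
    Account("carol", "app", False, datetime(2024, 1, 15, tzinfo=timezone.utc)),   # already disabled
    Account("svc-backup", "os", True, None),                                      # never used
    Account("dave", "app", True, datetime(2024, 5, 2, tzinfo=timezone.utc)),      # exactly 30 days: not yet dormant
]

if __name__ == "__main__":
    m = compute_measures(SAMPLE_ACCOUNTS, NOW)
    print({k: v for k, v in m.items() if k in ("M2", "M4", "M6")}, compute_metrics(m))
```

Accounts in M5 are the candidates for automatic disablement; the boundary case (exactly at the threshold) is deliberately left enabled, matching "beyond the dormant threshold".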