:

16.8: Disable Any Unassociated Accounts

Sub-control 16.8 states that you must disable any account that cannot be associated with a business process or business owner.

Asset Type	Security Function	Implementation Groups
Users	Respond	1, 2, 3

Dependencies

None

Inputs

Inventory of accounts: An inventory of all accounts.
Inventory of business processes and/or business owners: An inventory of all business processes and/or business owners.

Operations

For each account, enumerate any associated business processes or ownership.

Measures

Measure	Definition
M1 = List of Accounts	A list of all accounts. This number should be calculated per system/application/centralized authentication source.
M2 = Count of items in M1	A count of the total number of items in M1.
M3 = List of accounts not associated with any business process or ownership.	A list of all accounts not associated with any business process or ownership.
M4 = Count of items in M3	A count of the total number of items in M3.
M5 = List of accounts associated with at least one business process or ownership.	A list of all accounts associated with at least one business process or ownership. After the initial review, a database can be created to correlate all the accounts for future assessments.
M6 = Count of items in M5	A count of the total number of items in M5.

Metrics

Coverage

Metric	Calculation
The percentage of accounts that are associated with at least one business process or ownership.	M6 / M2

Copyright © 2025 Tenable, Inc. All rights reserved. Tenable, Tenable Nessus, Tenable Lumin, Assure, and the Tenable logo are registered trademarks of Tenable, Inc. or its affiliates. All other products or services are trademarks of their respective owners.