16.9: Disable Dormant Accounts
Sub-control 16.9 states that you must automatically disable dormant accounts after a set period of inactivity.
Asset Type | Security Function | Implementation Groups |
---|---|---|
Users | Respond | 1, 2, 3 |
Dependencies
- None
Inputs
- Account Inventory: The list of all accounts created in the enterprise.
- Definition of "dormant threshold": An organizationally defined policy that sets the "dormant threshold", the period of inactivity after which an account is considered dormant. The CIS recommends this be set to 1 month.
Assumptions
- The list of accounts for the enterprise includes OS-level, database, internal, and external application accounts.
- Based on the account location, a query interface is assumed that enables the collection of a "last activity" timestamp, such as last logon, as well as a status indicating whether the account is enabled or disabled.
Operations
- For each account, enumerate any associated business processes or ownership.
Measures
Measure | Definition |
---|---|
M1 = List of Accounts | A list of all accounts. |
M2 = Count of items in M1 | A count of the total number of items in M1. |
M3 = List of accounts marked as enabled | A list of all accounts marked as enabled. |
M4 = Count of items in M3 | A count of the total number of items in M3. |
M5 = List of accounts enabled and not used for a time period outside the dormant threshold | A list of all accounts that are enabled and have not been used for a time period outside the dormant threshold. |
M6 = Count of items in M5 | A count of the total number of items in M5. |
Metrics
Dormant Accounts
Metric | Calculation |
---|---|
The percentage of all accounts that are currently dormant but still enabled. | M6 / M2 |
Enabled Dormant Accounts
Metric | Calculation |
---|---|
The percentage of accounts that are marked enabled, that are currently dormant and still enabled. | M3 / M2 |