This indicator is present in the User Identification and Authentication section of CISWG, 2005. Accountability over user IDs It is a security good practice to assign user IDs for accountability purposes. Accountability is importantly weakened if the number of accountable persons is 0 or greater than 1. In this indicator, the word assigned implies that the objective of this indicator is to monitor the assignment of user IDs to people. We do not recommend the usage of this indicator to pursue this objective. For this objective, other indicators should be considered such as ratio of active user IDs assigned to an accountable person. Accountability over inactive users The indicator expressly mentions active user IDs. It should be left at the discretion of the organization to determine whether accountability must be enforced over possibly a subset of inactive user IDs as well. For instance, some high privileged accounts may be deactivated and reactivate as part of break-the-glass procedures. Such accounts typically require that proper ownership be defined. Account sharing Shared accounts is a well-known bad security practice that prevents traceability. We do not recommend the usage of this indicator to pursue the objective of complying with this requirement. For this objective, other indicators should be considered such as active user IDs shared by several persons or ratio of active user IDs shared by several persons. |