This indicator is present in the User Identification and Authentication section of CISWG, 2005. Accountability over user IDs It is a security good practice to assign user IDs to people for accountability purposes. Accountability , and by principle, accountability is importantly weakened if when the number of accountable persons is 0 or greater than 1. In this indicator, the word assigned implies that the objective of this indicator is to monitor the assignment of user IDs to people. We But this indicator does not provide information that is actionable to pursue this objective. Hence, we do not recommend the usage of this indicator to pursue this objective. For this objective, other Other indicators should be considered such as ratio of active user IDs assigned to an accountable personwith adequate accountability. Accountability over inactive users The indicator expressly mentions active user IDs. It should be left at the discretion of the organization to determine whether accountability must be enforced over possibly all or a subset of inactive user IDs as well. For instance, some high privileged accounts may be purposefully deactivated and reactivate to reduce the attack surface of systems and reactivated as part of break-the-glass procedures. Such inactive accounts typically require that proper ownership be definedclear accountability. Account sharing Shared accounts is a well-known bad security practice that prevents traceability. We But this indicators does not provide actionable information to reduce accounts sharing. Hence, we do not recommend the usage of this indicator to pursue the objective of complying with this requirement. For this objective, other indicators should be considered such as active user IDs shared by several persons or ratio of active user IDs shared by several persons. |