Skip to end of banner
Go to start of banner

OM-IND-0016: Account Ownership

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

ID

OM-IND-0016

Name

Account Ownership

Alternative Names

Status

RECOMMENDED

Indicator Version

1.0

Rationale

Provides actionable information to implement OM-BP-0001: Account Ownership.

Accountability over inactive users

The indicator expressly mentions active user IDs. It should be left at the discretion of the organization to determine whether accountability must be enforced over all or a subset of inactive user IDs as well.

For instance, some high privileged accounts may be purposefully deactivated to reduce the attack surface of systems and reactivated as part of break-the-glass procedures. Such inactive accounts typically require clear accountability.

Account sharing

Shared accounts is a well-known bad security practice that prevents traceability.

Related Indicators

Quotes

18.1. (B) (SME) Number of active user IDs assigned to only one person

(CISWG, 2005, p. 22)

See Also

  • No labels

Follow us on LinkedIn | Discuss on Slack | Support us with Patreon | Sign-up for a free membership.

This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.