Orphan Accounts Cleaning

The identification and cleaning of orphan accounts is ad hoc. Accountability for the process is not clearly established and resources are not provided by the organization. The presence of orphan accounts is largely unknown.

The organization provides resources for the process. Correlation of accounts is performed but its scope is not clearly defined. Some orphan accounts are regularly identified and remediated.

Procedures define requirements applicable to the prevention, identification and remediation of orphan accounts.

Roles and responsibilities for this process are clearly established. Typical actors include IT owners, business owners, system administrators, provisioning teams, and information security.

The scope and methods used for account correlation are clearly defined. If portions of the information system are not covered by the process or infrequently covered, this is documented and related risks are accepted.

Account naming conventions are authorized, documented, and maintained.

Accounts non-compliant with the authorized naming conventions are remediated.

Golden sources for identity correlation are defined.

The discovery and correlation of accounts is preferably automated when technically feasible. When technically unfeasible, the discovery and correlation of accounts is performed manually.

The presence of uncorrelated accounts is quantified.

The coverage of the correlation process is quantified.

The delay between uncorrelated account identification and remediation is quantified.

Independant audits review both the presence of orphan accounts and the overall process.

The root causes of the presence of orphan accounts in the information system are analyzed and used to further prevent their occurence.