OM-BP-0001: Account Ownership (Best Practice)
ID | OM-BP-0001 |
---|---|
Name | Account Ownership |
Status | Active |
Version |
|
Best Practice | Every account has a designated owner held accountable for the account lifecycle and usage |
Rationale
By definition, a user account or principal may perform operations on systems and operations constitute an inherent risk.
A user account requires oversight during its lifecycle. For instance:
its password may need to be reset,
it must be deactivated or deleted when no longer needed,
someone must be available to answer questions regarding it,
someone must have authority to take decisions regarding it.
Hence, clear ownership must be assigned on user accounts.
Inactive Accounts
It would be wrong to consider that inactive accounts do not need an owner.
For instance, there are undeletable native accounts that are deactivated to reduce the attack surface of the operating system. Break-the-glass procedures make it possible to reactivate the native account to execute an authorized operation. Such accounts obviously need an owner.
Also, when an account is deactivated as part of the leaver process, the original account owner is no longer here to speak for that account. Would the organization need to reactivate the account for administrative or technical reasons (e.g. to regain access to a particular resource), we would need an account owner as well.
Bad Practices
Accounts with no owner
Accounts with 2 or more owners (see below’s note on deputy or backup owners)
Implementation Details
Issue an account management policy including:
clear description of exhaustive account categories
description of how ownership is assigned and maintained for all account categories
description of the rules for ownership over inactive accounts
requirement for all employees to report non-compliant accounts with clear communication channels
Assure you have record systems to maintain information on account owners
Manage exceptions with a structured process
Implement controls to ensure this best practice is complied with
If deputy or backup owners are designated, traceability of account usage must be assured. A PAM system, for example, may provide that traceability
Quotes
AC-2 ACCOUNT MANAGEMENT
Control: The organization:
(…) b. Assigns account managers for information system accounts; (…)
(NIST SP 800-53 R4, 2013, p. F-7)
See Also
Follow us on LinkedIn | Discuss on Slack | Support us with Patreon | Sign-up for a free membership.
This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.