OM-IND-0015: Active user IDs assigned to only one person

ID

OM-IND-0015

Name

Active user IDs assigned to only one person

Alternative Names

  • Active accounts | principals | user accounts assigned to only one person

  • Number of active user IDs assigned to only one person

  • Number of active user IDs owned by only one person

  • Number of active user IDs assigned to only one entity

  • Active user IDs assigned to only one person

Status

Not recommended

Indicator Version

1.0

Rationale

This indicator is present in the User Identification and Authentication section of .

Accountability over user IDs

It is good security practice to assign user IDs to people for accountability purposes and, as a matter of principle, accountability is significantly weakened when the number of accountable persons is 0 or greater than 1.

In this indicator, the word "assigned" implies that its objective is to monitor the assignment of user IDs to people. However, the indicator does not provide actionable information for pursuing this objective, so we do not recommend using it for that purpose. Other indicators should be considered, such as ratio of user IDs with adequate accountability.

Accountability over inactive users

The indicator expressly mentions active user IDs. It should be left at the discretion of the organization to determine whether accountability must be enforced over all or a subset of inactive user IDs as well.

For instance, some highly privileged accounts may be purposefully deactivated to reduce the attack surface of systems and reactivated as part of break-the-glass procedures. Such inactive accounts typically require clear accountability.

Account sharing

Account sharing is a well-known bad security practice that prevents traceability. However, this indicator does not provide actionable information for reducing account sharing, so we do not recommend using it to pursue the objective of complying with this requirement.

For this objective, other indicators should be considered, such as active user IDs shared by several persons or ratio of active user IDs shared by several persons.

Related Indicators

Add better indicator to pursue the no account sharing objective.

Quotes

18.1. (B) (SME) Number of active user IDs assigned to only one person

(, p. 22)

See Also




This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.