Security Control 16:
Account Monitoring and Control

Keep attackers from impersonating legitimate users: Review all system accounts and disable any that are not associated with a business process and owner. Immediately revoke system access for terminated employees or contractors. Disable dormant accounts and encrypt and isolate any files associated with such accounts. Use robust passwords.

Key: REQ = Required, REC = Recommended, OPT = Optional

| ID | Details | High | Med | Low |
|---|---|---|---|---|
| 16.1 | All non-administrator accounts should be required to have a minimum length of 8 characters, contain letters, numbers, and special characters, be changed at least annually, and not be allowed to reuse previous passwords. | REQ | REQ | REQ |
| 16.2 | After six consecutive failed log-on attempts, the account should be locked for 30 minutes. | REQ | REQ | REC |
| 16.3 | Periodically review all system accounts and disable any account that cannot be associated with a business process and owner. | REQ | REQ | REC |
| 16.4 | Regularly review for locked-out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire. When feasible, generate these reports automatically. | REQ | REQ | REC |
| 16.5 | Establish and follow a process for revoking system access by disabling accounts immediately upon termination of an employee or contractor. | REQ | REQ | REC |
| 16.6 | Automatically lock access or log off users after 15 minutes of inactivity. | REQ | REQ | REC |
| 16.7 | On a periodic basis, such as quarterly but at least annually, managers match active employees and contractors with each account belonging to their managed staff. Security or system administrators should then disable accounts that are not assigned to active employees or contractors. | REQ | REQ | REC |
| 16.8 | Monitor for unusual activity through audit logging. | REQ | REQ | REC |
| 16.9 | Monitor attempts to access deactivated accounts through audit logging. | REQ | REQ | REC |
| 16.10 | Monitor account usage to identify dormant accounts that have not been used for a given period, such as quarterly, and notify the user or the user's manager of the dormancy. After a longer period, such as 6 months, the account should be disabled. | REQ | REC | OPT |
| 16.11 | When a dormant account is disabled, any files associated with that account should be encrypted and moved to a secure file server for archiving, or securely deleted. | REQ | REC | OPT |
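Controls 16.8 and 16.9 ask for audit-log monitoring but do not say what the detection looks like. The following is an added example, not part of this control document: it parses a constructed, syslog-style sample of logon events (the line format, hostnames, usernames and addresses are all invented for illustration) and produces two findings, every attempt against an account that is on the deactivated list (16.9) and repeated failures per user and source (16.8). On a real Windows domain the equivalent 16.9 signal is a logon-failure event whose status indicates a disabled account; the parsing below is deliberately kept generic so it can be adapted to whatever format your audit source emits.

```python
import re
from collections import defaultdict

# Constructed sample of audit log lines (not from any real system).
# Format assumed for this example: timestamp host RESULT user=... src=... [reason=...]
SAMPLE_LOG = """\
2024-06-30T08:01:12Z fs01 LOGON_FAILURE user=carol src=10.0.5.23 reason=account_disabled
2024-06-30T08:01:15Z fs01 LOGON_FAILURE user=carol src=10.0.5.23 reason=account_disabled
2024-06-30T08:02:40Z fs01 LOGON_SUCCESS user=alice src=10.0.5.40
2024-06-30T08:03:02Z vpn01 LOGON_FAILURE user=bob src=203.0.113.7 reason=bad_password
2024-06-30T08:03:09Z vpn01 LOGON_FAILURE user=bob src=203.0.113.7 reason=bad_password
2024-06-30T08:04:00Z vpn01 LOGON_FAILURE user=carol src=203.0.113.7 reason=account_disabled
"""

# Accounts already deactivated under 16.5 / 16.10 (constructed list; in practice this
# comes from the directory or the HR termination feed).
DISABLED_ACCOUNTS = {"carol"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<result>LOGON_\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: reason=(?P<reason>\S+))?$"
)


def parse_log(text):
    """Turn the sample lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def deactivated_account_attempts(events, disabled):
    """16.9: every logon attempt (success or failure) against a deactivated account,
    grouped by (user, source). A SUCCESS here is the highest-priority finding, because
    it means the account was re-enabled or the control was bypassed."""
    hits = defaultdict(list)
    for e in events:
        if e["user"] in disabled or e.get("reason") == "account_disabled":
            hits[(e["user"], e["src"])].append(e)
    return dict(hits)


def failed_logon_summary(events, threshold):
    """16.8: count failures per (user, source) and return those at or above threshold.
    Pairing user with source separates a forgotten password from one source trying
    many accounts, which would show up as many keys sharing the same src."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "LOGON_FAILURE":
            counts[(e["user"], e["src"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for key, attempts in deactivated_account_attempts(evts, DISABLED_ACCOUNTS).items():
        print("16.9 deactivated-account access:", key, len(attempts), "attempt(s)")
    for key, n in failed_logon_summary(evts, threshold=2).items():
        print("16.8 repeated failures:", key, n)
```

The threshold of 2 is only for the tiny sample; the 16.2 lockout value of six failures is the natural production threshold, with a separate, lower threshold for the deactivated-account check, where even a single attempt is worth a ticket.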
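Controls 16.4 and 16.10 both reduce to periodic review of account attributes: 16.4 wants a report of locked-out, disabled, password-expired and password-never-expires accounts, and 16.10 wants dormancy measured against a notify threshold (quarterly) and a disable threshold (six months). The following is an added example, not part of this control document, that implements both over a constructed account export. It assumes a record per account with last-logon and password-set timestamps (the `Account` dataclass, the sample names and the 365-day maximum password age, taken from the "changed at least annually" rule in 16.1, are assumptions for illustration; in practice the records would come from your directory service).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Thresholds taken from the control text: quarterly (90 days) triggers a dormancy
# notice, six months (180 days) triggers disabling. The password maximum age follows
# 16.1's "changed at least annually".
DORMANT_NOTIFY_DAYS = 90
DORMANT_DISABLE_DAYS = 180
MAX_PASSWORD_AGE_DAYS = 365


@dataclass
class Account:
    name: str
    enabled: bool
    locked_out: bool
    password_never_expires: bool
    password_set: datetime
    last_logon: Optional[datetime]  # None = has never logged on
    owner: Optional[str]            # business owner per 16.3; None = unassigned


def review_accounts(accounts, now):
    """16.4 report: account names in each review category (an account may appear
    in several). Unowned accounts are included because 16.3 requires an owner."""
    report = {"locked_out": [], "disabled": [], "password_expired": [],
              "password_never_expires": [], "no_owner": []}
    for a in accounts:
        if a.locked_out:
            report["locked_out"].append(a.name)
        if not a.enabled:
            report["disabled"].append(a.name)
        if a.password_never_expires:
            report["password_never_expires"].append(a.name)
        elif now - a.password_set > timedelta(days=MAX_PASSWORD_AGE_DAYS):
            report["password_expired"].append(a.name)
        if a.owner is None:
            report["no_owner"].append(a.name)
    return report


def dormancy_action(account, now):
    """16.10: 'ok', 'notify' (idle > 90 days) or 'disable' (idle > 180 days).

    An account that has never logged on is aged from its password-set date, so a
    provisioned-but-unused account ages out instead of staying invisible."""
    if not account.enabled:
        return "already_disabled"
    last_activity = account.last_logon or account.password_set
    idle = now - last_activity
    if idle > timedelta(days=DORMANT_DISABLE_DAYS):
        return "disable"
    if idle > timedelta(days=DORMANT_NOTIFY_DAYS):
        return "notify"
    return "ok"


def dormancy_report(accounts, now):
    return {a.name: dormancy_action(a, now) for a in accounts}


# Constructed sample export (hypothetical accounts, not real data).
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("alice", True, False, False, NOW - timedelta(days=30), NOW - timedelta(days=1), "engineering"),
    Account("bob", True, True, False, NOW - timedelta(days=400), NOW - timedelta(days=100), "finance"),
    Account("svc-backup", True, False, True, NOW - timedelta(days=800), NOW - timedelta(days=2), None),
    Account("carol", False, False, False, NOW - timedelta(days=50), NOW - timedelta(days=200), "hr"),
    Account("dave", True, False, False, NOW - timedelta(days=300), None, "operations"),
]

if __name__ == "__main__":
    for category, names in review_accounts(SAMPLE_ACCOUNTS, NOW).items():
        print(f"16.4 {category}: {names}")
    for name, action in dormancy_report(SAMPLE_ACCOUNTS, NOW).items():
        print(f"16.10 {name}: {action}")
```

Service accounts such as `svc-backup` typically show up under both "password never expires" and "no owner"; the report does not exempt them, because 16.3 wants exactly those accounts tied to a process and an owner rather than silently carried forward.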

Additional Reading