Status: Live
The organization will use well-defined or automated processes to immediately revoke access for temporary and emergency accounts, or for accounts of terminated users, after a prescribed period of time. [UCF ID 00516]
Supporting and supported controls
This control directly supports:
- Establish and maintain user account and access management [UCF Control ID 00514]
There are no supporting controls.
Authority documents complied with:
FFIEC Guidance on Authentication in an Internet Banking Environment, Pg 5; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg 30; FFIEC IT Examination Handbook – Information Security, Pg 24, Pg 49, Exam Tier I Obj 4.1, Exam Tier II Obj A.5 (Access Rights Administration); FFIEC IT Examination Handbook – Operations, July 2004, Pg 34; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier II Obj 8.2, Exam Tier II Obj 9.2; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, § 8.5.4; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-15.h; Protection of Assets Manual, ASIS International, Pg 12-IV-4, Pg 12-IV-20; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 5-313, § 8-303.f; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.7, Exhibit 4 IA-4; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.11.1; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, AC-2(2); Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, AC-2.1, AC-2.5, PS-4.1; The Standard of Good Practice for Information Security, CB3.1.5(d), CI4.3.5, UE2.1.6(c); ISO 17799:2005 Code of Practice for Information Security Management, § 11.2.1; ISO/IEC 27002-2005 Code of practice for information security management, § 11.2.1; OECD / World Bank Technology Risk Checklist, Version 7.3, § IV.11; Australian Government ICT Security Manual (ACSI 33), § 3.6.18; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 8.5.4; Archer Control Table, ATCS-076, ATCS-328, ATCS-793; California OPP Recommended Practices on Notification of Security Breach, May 2008, Part I ¶ 4; Italy Personal Data Protection Code, Annex B.8
Banking and Finance Guidance
The organization should immediately remove user account access when the user is no longer authorized to access the system. [Pg 5, FFIEC Guidance on Authentication in an Internet Banking Environment]
When an employee is terminated, his/her access should be immediately removed. [Pg 30, FFIEC IT Examination Handbook – E-Banking, August 2003]
Access rights should be promptly removed when an employee leaves the organization. [Pg 24, Pg 49, Exam Tier I Obj 4.1, Exam Tier II Obj A.5 (Access Rights Administration), FFIEC IT Examination Handbook – Information Security]
The organization should have procedures in place for immediately changing and/or revoking all physical and logical access controls when an employee is terminated for any reason. [Pg 34, FFIEC IT Examination Handbook – Operations, July 2004]
[Exam Tier II Obj 8.2, Exam Tier II Obj 9.2, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]
Payment Card Guidance
The organization must ensure it has developed a password and user authentication management program that requires immediately revoking the access of all terminated users.
Examine a sample of terminated employees over the last 6 months to verify terminated employee userIDs have been removed or disabled.
Interview security personnel to ensure they remove userIDs immediately when a user has been terminated. [§ 8.5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2]
The organization must ensure it has developed a password and user authentication management program that requires immediately revoking the access of all terminated users. [§ 8.5.4, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]
US Federal Security Guidance
Passwords should be disabled when users are transferred, retired, or discharged, or no longer need access to the data. [§ 2-15.h, Army Regulation 380-19: Information Systems Security, February 27, 1998]
The organization should ensure userIDs and passwords for employees who have been terminated or reassigned are disabled immediately. [Pg 12-IV-4, Pg 12-IV-20, Protection of Assets Manual, ASIS International]
When an individual who has access to a classified area is reassigned, terminated, or transferred, or his/her clearance level is suspended or revoked, his/her access authorization must be removed. [§ 5-313, § 8-303.f, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]
Calls for Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
US Internal Revenue Guidance
User accounts must be disabled in a timely manner when no longer necessary. [§ 5.6.7, Exhibit 4 IA-4, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
[§ 3.11.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
The information system needs to automatically terminate temporary and emergency accounts after an organization-defined period for each type of account. [AC-2(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]
Organizational records and documents should be examined to ensure the user accounts of terminated employees have been disabled and removed from the system in accordance with documented procedures. [AC-2.1, AC-2.5, PS-4.1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
US State Laws and Protectorates Guidance
Remove access privileges of former employees and contractors immediately. [Part I ¶ 4, California OPP Recommended Practices on Notification of Security Breach, May 2008]
ISO Guidance
Users who have changed jobs or left the organization should have their access rights removed immediately. [§ 11.2.1, ISO 17799:2005 Code of Practice for Information Security Management]
Users who have changed jobs or left the organization should have their access rights removed immediately. [§ 11.2.1, ISO/IEC 27002-2005 Code of practice for information security management]
General Guidance
User access rights to an application should be revoked immediately when the user no longer needs access to the application. [CB3.1.5(d), CI4.3.5, UE2.1.6(c), The Standard of Good Practice for Information Security]
EU Guidance
Access ought to be restricted to the minimum amount necessary to complete a certain job. Further, access controls should be monitored. [§ IV.11, OECD / World Bank Technology Risk Checklist, Version 7.3]
Other European and African Guidance
When a person in charge of processing is disqualified from accessing personal data, his/her authentication credentials must be deactivated also. [Annex B.8, Italy Personal Data Protection Code]
Asia and Pacific Rim Guidance
User accounts should be removed from the system as soon as a user leaves the organization or changes roles. [§ 3.6.18, Australian Government ICT Security Manual (ACSI 33)]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of computer user accounts assigned to personnel who have left the organization or no longer have need for access that have been closed [UCF Control ID 02090]
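One way to implement the automated revocation that AC-2(2) and the control statement call for, and to compute the UCF 02090 closure metric from the same account data, as an added example that is not part of the UCF text. The account types, the 30-day and 1-day periods, and the sample accounts are assumed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Prescribed maximum lifetime per account type. The values are assumed for this
# example; the control only requires an organization-defined period per type.
MAX_AGE = {"temporary": timedelta(days=30), "emergency": timedelta(days=1)}


@dataclass
class Account:
    user_id: str
    kind: str          # "regular", "temporary" or "emergency"
    created: date
    user_left: bool    # HR record: person left or no longer needs access
    disabled: bool = False


def revoke(accounts, today):
    """Automated revocation step: disable every enabled account whose user has
    left, plus any temporary/emergency account older than its prescribed
    period. Returns the ids that were disabled in this run."""
    revoked = []
    for acct in accounts:
        if acct.disabled:
            continue
        age = today - acct.created
        expired = acct.kind in MAX_AGE and age > MAX_AGE[acct.kind]
        if acct.user_left or expired:
            acct.disabled = True
            revoked.append(acct.user_id)
    return sorted(revoked)


def closure_metric(accounts):
    """UCF 02090: percentage of departed users' accounts that are closed."""
    departed = [a for a in accounts if a.user_left]
    if not departed:
        return 100.0
    return 100.0 * sum(a.disabled for a in departed) / len(departed)


# Constructed sample data for an audit run dated 2009-06-15.
TODAY = date(2009, 6, 15)
SAMPLE = [
    Account("alice", "regular", date(2007, 1, 3), user_left=False),
    Account("bob", "regular", date(2008, 5, 9), user_left=True),
    Account("contractor7", "temporary", date(2009, 5, 1), user_left=False),
    Account("oncall-fire", "emergency", date(2009, 6, 14), user_left=False),
    Account("carol", "regular", date(2006, 2, 2), user_left=True, disabled=True),
]
```

Calling `closure_metric(SAMPLE)` before and after `revoke(SAMPLE, TODAY)` moves the UCF 02090 figure from 50% to 100%; the one-day-old emergency account is left alone until the next day's run.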
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
