SIEM Correlations According to Laws and Standards Around the World

Ertugrul Akbas
16 min read · Aug 20, 2023


In recent years, the laws, directives and standards specifying how long SIEM solutions must retain live logs, and how long they must retain archived logs, have been published clearly and are now applied around the world [1,2,3,4,5,6,7,8,9]. The laws, directives and standards concerning the correlation capabilities of SIEM solutions, however, are little known or not very visible.

From the SIEM standpoint, correlation is an indispensable feature. The better a SIEM product's correlation capability, the stronger your hand in the fight against cyber attacks. For this reason, laws, policies, communiqués and standards concerning cyber security contain references to SIEM correlations. For example, the Federal Risk and Authorization Management Program (FedRAMP), a government risk-management initiative for federal government information systems, has set out a requirement such as the following.

FedRAMP Moderate; Control AC-2(3) : If an account not used in at least the last 30 days (31,40,60,90,180 days etc.), notify/lock/delete the account.

The control above says that if a user account has not been used for a period the company defines (30, 33, 40, 60, 90, 180 days, etc.), it should be disabled or deleted automatically. This is a textbook SIEM correlation scenario.

Another characteristic of this scenario is that it differs from traditional, basic SIEM correlations. Traditional SIEM scenarios take the form "if event Y occurs within time X" or "if Z or more Y events occur within time X": the rule is bounded by the window X, and the threshold is an upper limit. Example:

· If the same user makes more than 3 failed logon attempts within 5 minutes, detect it

What FedRAMP Moderate asks for, by contrast, is a scenario in which the threshold is a lower limit, while the upper limit is infinite (∞).

Another example of a standard that requires SIEM correlations is NIST 800-53 [11]. NIST 800-53 is a document that is part of the United States National Institute of Standards and Technology's (NIST) framework for assessing and improving the security of information technology systems. NIST 800-53 sets out the following requirement.

Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.

While the examples above call for tracking by account, computers should also be tracked by MAC address in the same way: if a machine has not been used for a period the company defines (30, 33, 40, 60, 90, 180 days, etc.), this must be detected automatically. Otherwise it may be a serious security weakness, and this too is a textbook SIEM correlation scenario.
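Both correlation shapes discussed above, the classic windowed rule from the failed-logon example and the absence-based dormancy rule for accounts and MAC addresses, implemented side by side as an added example that is not part of the original article. The log lines, account roster, device inventory, evaluation time and the 30-day threshold are constructed assumptions.

```python
"""Two SIEM correlation shapes over one constructed log stream (added example, not the article's code).

1. Windowed rule: "more than N events of type T within window W" (upper-limit threshold).
2. Dormancy rule: "entity not seen for at least D days" (lower limit, no upper limit), applied to
   accounts and to MAC addresses, honouring the built-in-account exemptions the DISA checklists name.
Log lines, account roster, device inventory, NOW and the 30-day threshold are all constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str       # LOGON_SUCCESS | LOGON_FAILURE
    account: str
    mac: str


# Constructed sample log: "<ISO timestamp> <event type> <account> <source MAC>", deliberately unordered.
SAMPLE_LOG = """\
2023-06-01T08:00:00 LOGON_SUCCESS alice 00:11:22:33:44:01
2023-06-02T09:15:00 LOGON_SUCCESS bob 00:11:22:33:44:02
2023-08-18T10:00:00 LOGON_SUCCESS alice 00:11:22:33:44:01
2023-08-19T10:00:00 LOGON_FAILURE carol 00:11:22:33:44:03
2023-08-19T10:01:00 LOGON_FAILURE carol 00:11:22:33:44:03
2023-08-19T10:02:00 LOGON_FAILURE carol 00:11:22:33:44:03
2023-08-19T10:03:00 LOGON_FAILURE carol 00:11:22:33:44:03
2023-08-19T11:00:00 LOGON_SUCCESS carol 00:11:22:33:44:09
2023-05-01T12:00:00 LOGON_SUCCESS Administrator 00:11:22:33:44:04
"""

# Constructed directory snapshot and asset inventory; "dave" and ...:05 never appear in the log.
KNOWN_ACCOUNTS = {"alice", "bob", "carol", "dave", "Administrator"}
KNOWN_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03",
              "00:11:22:33:44:04", "00:11:22:33:44:05", "00:11:22:33:44:09"}
EXEMPT_ACCOUNTS = {"Administrator", "Guest", "IUSR"}  # built-ins the DISA checklists exempt
NOW = datetime(2023, 8, 20)  # constructed: when the scheduled dormancy check runs


def parse_events(text: str) -> List[Event]:
    """Parse space-separated log lines and return events in time order (input may be unordered)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, kind, account, mac = line.split()
            events.append(Event(datetime.fromisoformat(ts), kind, account, mac.lower()))
    return sorted(events, key=lambda e: e.ts)


def windowed_threshold(events: Iterable[Event], kind: str, window: timedelta,
                       threshold: int) -> Dict[str, datetime]:
    """Classic rule: flag an account once MORE THAN `threshold` events of `kind` fall inside a
    sliding window of length `window`. Returns account -> time the rule first fired."""
    recent: Dict[str, deque] = defaultdict(deque)
    fired: Dict[str, datetime] = {}
    for ev in events:
        if ev.kind != kind:
            continue
        dq = recent[ev.account]
        dq.append(ev.ts)
        while ev.ts - dq[0] > window:        # evict events that fell out of the window
            dq.popleft()
        if len(dq) > threshold and ev.account not in fired:
            fired[ev.account] = ev.ts
    return fired


def dormant_entities(events: Iterable[Event], known: Set[str], now: datetime, inactivity: timedelta,
                     field: str, successful_only: bool, exempt: Set[str] = frozenset()
                     ) -> Dict[str, Optional[int]]:
    """Dormancy rule: entity -> whole days since last activity for each known, non-exempt entity
    whose last activity is at least `inactivity` ago; None marks an entity never seen at all (the
    'never signed on to' case). The threshold is a lower limit with no upper limit, so the rule is
    evaluated on a schedule against `now` rather than triggered by an arriving event."""
    last_seen: Dict[str, datetime] = {}
    for ev in events:
        if successful_only and ev.kind != "LOGON_SUCCESS":
            continue                          # a failed attempt is not use of the account
        key = getattr(ev, field)
        if key not in last_seen or ev.ts > last_seen[key]:
            last_seen[key] = ev.ts
    result: Dict[str, Optional[int]] = {}
    for entity in known - exempt:
        if entity not in last_seen:
            result[entity] = None
        elif now - last_seen[entity] >= inactivity:
            result[entity] = (now - last_seen[entity]).days
    return result


def run_rules(log_text: str = SAMPLE_LOG, now: datetime = NOW) -> dict:
    """Run the windowed rule and both dormancy rules over the log; returns rule name -> hits."""
    events = parse_events(log_text)
    return {
        "failed_logon_burst": windowed_threshold(events, "LOGON_FAILURE", timedelta(minutes=5), 3),
        "dormant_accounts": dormant_entities(events, KNOWN_ACCOUNTS, now, timedelta(days=30),
                                             "account", True, EXEMPT_ACCOUNTS),
        "dormant_devices": dormant_entities(events, KNOWN_MACS, now, timedelta(days=30), "mac", False),
    }


if __name__ == "__main__":
    for rule, hits in run_rules().items():
        print(rule, hits)
```

With the constructed data, the windowed rule fires for carol at the fourth failure, while the dormancy rules report bob (78 days), the never-seen dave, and the two devices not seen for 78 and 110 days; the built-in Administrator account is exempt but its machine is not.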

The list below gives example clauses from regulations around the world from which SIEM correlations can be derived or developed [12]:

  • The organization should disable IDs that have not been used for a specified period of time to protect the system and data against unauthorized use. (T36.2(2), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • On a periodic basis, say monthly or quarterly basis, banks should require that managers match active employees and contractors with each account belonging to their managed staff. Security/system administrators should then disable accounts that are not assigned to active employees or contractors. (Critical components of information security 17) xii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Banks should monitor account usage to determine dormant accounts that have not been used for a given period, say 15 days, notifying the user or user’s manager of the dormancy. After a longer period, say 30 days, the account may be disabled. (Critical components of information security 17) xi., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Banks should frequently review all system accounts and disable any account that cannot be associated with a business process and business owner. Reports that may be generated from systems and reviewed frequently may include, among others, a list of locked out accounts, disabled accounts, accounts wi… (Critical components of information security 17) viii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Access to systems, applications and data repositories is removed or suspended after one month of inactivity. (Security Control: 1404; Revision: 2, Australian Government Information Security Manual)
  • DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed. (Security Control: 1247; Revision: 2, Australian Government Information Security Manual)
  • remove all non-essential accounts, applications and data (Security Control: 1555; Revision: 0; Bullet 3, Australian Government Information Security Manual)
  • The organization must remove or disable unused accounts to reduce potential vulnerabilities. (Control: 0383 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization must suspend or remove all inactive accounts after a predetermined period of time. (Control: 0430 Bullet 4, Australian Government Information Security Manual: Controls)
  • Inactive accounts should be removed from the system after a predetermined period of time. (§ 3.6.18, Australian Government ICT Security Manual (ACSI 33))
  • Have you ensured that all your laptops, computers, servers, tablets, and mobile devices only contain necessary user accounts that are regularly used in the course of your business? (A5.2., Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • Are unnecessary user accounts on internal workstations (or equivalent Active Directory Domain) (eg Guest, previous employees) removed or disabled? (Secure configuration Question 9, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • Are user accounts removed or disabled when no longer required (e.g. when an individual changes role or leaves the organization) or after a predefined period of inactivity (e.g. 3 months)? (Access control Question 34, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • Authentication credentials that have not been used for at least 6 months must be deactivated, except the authentication credentials exclusively authorized for technical management purposes. (Annex B.7, Italy Personal Data Protection Code)
  • The entity has established policies and procedures and technical specifications and requirements for the configuration and credentialing of users and systems prior to granting logical access to information and data about internally and externally managed infrastructure-based platforms, devices and s… (S7.1 Manages credentials for infrastructure and software, Privacy Management Framework, Updated March 1, 2020)
  • A check should be made for extraneous accounts and, if found, they should be deleted from the system. (§ 2.7, The Center for Internet Security Mac OS X Tiger Level I Security Benchmark, 1)
  • Verify that inactive user accounts over 90 days old are either removed or disabled. (§ 8.5.5, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Examine user accounts to verify accounts that have been inactive for 90 days or more are disabled or removed. (Testing Procedures § 8.1.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures — Testing Procedures, 3)
  • Remove or disable inactive accounts within 90 days. (§ 8.5.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that inactive accounts over 90 days old are either removed or disabled. (§ 8.5.5 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Inactive user accounts must be removed or disabled at least every 90 days. (PCI DSS Requirements § 8.1.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Remove/disable inactive user accounts within 90 days. (8.1.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Remove/disable inactive user accounts within 90 days. (8.1.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Remove/disable inactive user accounts within 90 days. (8.1.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are inactive user accounts either removed or disabled within 90 days? (8.1.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are inactive user accounts either removed or disabled within 90 days? (8.1.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are inactive user accounts either removed or disabled within 90 days? (8.1.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are inactive user accounts either removed or disabled within 90 days? (8.1.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are inactive user accounts either removed or disabled within 90 days? (8.1.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Observe user accounts to verify that any inactive accounts over 90 days old are either removed or disabled. (8.1.4, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Inactive user accounts are removed or disabled within 90 days of inactivity. (8.2.6, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine user accounts and last logon information, and interview personnel to verify that any inactive user accounts are removed or disabled within 90 days of inactivity. (8.2.6, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Are inactive user accounts over 90 days old either removed or disabled? (PCI DSS Question 8.1.4, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are inactive user accounts over 90 days old either removed or disabled? (PCI DSS Question 8.1.4, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Inactive user accounts are removed or disabled within 90 days of inactivity. (8.2.6, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Inactive user accounts are removed or disabled within 90 days of inactivity. (8.2.6, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Inactive user accounts are removed or disabled within 90 days of inactivity. (8.2.6, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Offboarding is a process where identities no longer requiring access rights are identified, deactivated or disabled, reviewed to ensure that they are inactive, and then deleted after a predetermined amount of time. (§ 3.2.3, IIA Global Technology Audit Guide (GTAG) 9: Identity and Access Management)
  • Monitor account usage to determine dormant accounts, notifying the user or user’s manager. Disable such accounts if not needed, or document and monitor exceptions (e.g., vendor maintenance accounts needed for system recovery or continuity operations). Require that managers match active employees a… (Control 16.6, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should disable dormant accounts after a named time period. (Critical Control 16.6, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Security personnel or System Administrators should disable non-active accounts. (Critical Control 16.10, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Disable any account that cannot be associated with a business process or business owner. (CIS Control 16: Sub-Control 16.8 Disable Any Unassociated Accounts, CIS Controls, 7.1)
  • Automatically disable dormant accounts after a set period of inactivity. (CIS Control 16: Sub-Control 16.9 Disable Dormant Accounts, CIS Controls, 7.1)
  • Disable any account that cannot be associated with a business process or business owner. (CIS Control 16: Sub-Control 16.8 Disable Any Unassociated Accounts, CIS Controls, V7)
  • Automatically disable dormant accounts after a set period of inactivity. (CIS Control 16: Sub-Control 16.9 Disable Dormant Accounts, CIS Controls, V7)
  • Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported. (CIS Control 5: Safeguard 5.3 Disable Dormant Accounts, CIS Controls, V8)
  • The information system automatically disables inactive accounts after [Assignment: organization-defined time period]. (AC-2(3) 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The information system automatically disables inactive accounts after [Assignment: organization-defined time period]. (AC-2(3) 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Is an inactive User ID deleted or disabled in 90 days? (§ H.2.2, Shared Assessments Standardized Information Gathering Questionnaire — H. Access Control, 7.0)
  • The organization must monitor inactive user accounts and automatically remove them when they are not needed or after 30 days. (CSR 2.9.18, Pub 100–17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The SRR Toolkit report identifies accounts that have been inactive for 35 days and have never been signed on to. The Information Assurance Officer should identify these userids and implement corrective actions. (§ 3.1.4.4, Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2, 28 August 2006)
  • The Information Assurance Officer must periodically check the network for unused/expired accounts and remove them from the network. (§ 6.2, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • Enabled accounts not logged into within 35 days should be considered dormant accounts, with the exception of the following: Built-in Administrator account; Built-in Guest account; Application accounts; the “IUSR”-guest account; and Disabled accounts. (§ 5.7.1.4, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • Accounts which have not been logged into within 35 days should be considered dormant and should be removed from the system. The following accounts are exempt: the Built-in Administrator account; the Built-in Guest account; Application accounts; the “IUSR”-guest account; and Disabled accounts. (§ 3.9.1 (4.019), DISA Windows VISTA Security Checklist, Version 6 Release 1.11)
  • Accounts that have not been logged into within 35 days should be considered dormant and should be removed from the system. The following accounts are exempt: the Built-in Administrator account; the Built-in Guest account; Application accounts; the “IUSR”-guest account; and Disabled accounts. (§ 5.7.1.4, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • Disable identifiers after a defined period of inactivity. (IA.3.086, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Disable identifiers after a defined period of inactivity. (IA.3.086, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Disable identifiers after a defined period of inactivity. (IA.3.086, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Disable identifiers after a defined period of inactivity. (IA.L2–3.5.6 Identifier Handling, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • The organization must promptly deactivate any accounts that are designated as inactive, suspended, or terminated. (IAAC-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • An agency shall disable User Identifiers after a stated period of inactivity. (§ 5.6.3.1(5), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140–5.2, Version 5.2)
  • Disable the user identifier after a specified period of inactivity. (§ 5.6.3.1 1(5), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140–5.8, Version 5.8)
  • The service provider must define the inactive time period for device identifiers. (Column F: IA-4e, FedRAMP Baseline Security Controls)
  • The joint authorization board must approve and accept the inactive time period for device identifiers. (Column F: IA-4e, FedRAMP Baseline Security Controls)
  • The information system automatically disables inactive accounts after [FedRAMP Assignment: 35 days for user accounts]. (AC-2(3) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system automatically disables inactive accounts after [FedRAMP Assignment: 90 days for user accounts]. (AC-2(3) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Are in violation of organizational policy; or (AC-2(3) 1(c), FedRAMP Security Controls High Baseline, Version 5)
  • Have expired; (AC-2(3) 1(a), FedRAMP Security Controls High Baseline, Version 5)
  • Are no longer associated with a user or individual; (AC-2(3) 1(b), FedRAMP Security Controls High Baseline, Version 5)
  • Disable accounts within [FedRAMP Assignment: 24 hours for user accounts] when the accounts: (AC-2(3) 1, FedRAMP Security Controls High Baseline, Version 5)
  • Have been inactive for [FedRAMP Assignment: thirty-five (35) days]. (See additional requirements and guidance.) (AC-2(3) 1(d), FedRAMP Security Controls High Baseline, Version 5)
  • Are in violation of organizational policy; or (AC-2(3) 1(c), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Have expired; (AC-2(3) 1(a), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Are no longer associated with a user or individual; (AC-2(3) 1(b), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Disable accounts within [FedRAMP Assignment: 24 hours for user accounts] when the accounts: (AC-2(3) 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Have been inactive for [FedRAMP Assignment: ninety (90) days]. (See additional requirements and guidance.) (AC-2(3) 1(d), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Inactive accounts must have the password disabled after 90 days of inactivity. (Exhibit 8 Control 05, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Are inactive accounts removed from each group? (IT — Networks Q 11, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are in violation of organizational policy; or (AC-2(3) 1(c), Control Baselines for Information Systems and Organizations, NIST SP 800–53B, High Impact Baseline, October 2020)
  • Have expired; (AC-2(3) 1(a), Control Baselines for Information Systems and Organizations, NIST SP 800–53B, High Impact Baseline, October 2020)
  • Have been inactive for [Assignment: organization-defined time period]. (AC-2(3) 1(d), Control Baselines for Information Systems and Organizations, NIST SP 800–53B, High Impact Baseline, October 2020)
  • Are no longer associated with a user or individual; (AC-2(3) 1(b), Control Baselines for Information Systems and Organizations, NIST SP 800–53B, High Impact Baseline, October 2020)
  • Disable accounts within [Assignment: organization-defined time period] when the accounts: (AC-2(3) 1, Control Baselines for Information Systems and Organizations, NIST SP 800–53B, High Impact Baseline, October 2020)
  • Are no longer associated with a user or individual; (AC-2(3) 1(b), Control Baselines for Information Systems and Organizations, NIST SP 800–53B, Moderate Impact Baseline, October 2020)
  • Are in violation of organizational policy; or (AC-2(3) 1(c), Control Baselines for Information Systems and Organizations, NIST SP 800–53B, Moderate Impact Baseline, October 2020)
  • Disable accounts within [Assignment: organization-defined time period] when the accounts: (AC-2(3) 1, Control Baselines for Information Systems and Organizations, NIST SP 800–53B, Moderate Impact Baseline, October 2020)
  • Have expired; (AC-2(3) 1(a), Control Baselines for Information Systems and Organizations, NIST SP 800–53B, Moderate Impact Baseline, October 2020)
  • Have been inactive for [Assignment: organization-defined time period]. (AC-2(3) 1(d), Control Baselines for Information Systems and Organizations, NIST SP 800–53B, Moderate Impact Baseline, October 2020)
  • Calls for Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • A list of recently disabled accounts should be examined against a system-generated report to ensure the accounts have not been logged onto after the account was disabled. Organizational records and documents should be examined to ensure the system is configured to automatically disable inactive acco… (AC-2.4, AC-2(3), AC-2.18, IA-4.1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800–53A)
  • The information system automatically disables inactive accounts after [Assignment: organization-defined time period]. (AC-2(3) 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system automatically disables inactive accounts after [Assignment: organization-defined time period]. (AC-2(3) 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization should review active smart grid Information System accounts on a defined frequency to verify that terminated users, transferred users, and temporary accounts have been deactivated. (SG.AC-3 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid Information System should automatically disable all inactive accounts after a predefined time period. (SG.AC-3 Additional Considerations A5, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Disable identifiers after a defined period of inactivity. (3.5.6, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800–171)
  • Disable identifiers after a defined period of inactivity. (3.5.6, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800–171, Revision 1)
  • Disable identifiers after a defined period of inactivity. (3.5.6, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800–171, Revision 2)
  • The organization should automatically disable inactive accounts after a specified time. (App F § AC-2(3), Recommended Security Controls for Federal Information Systems, NIST SP 800–53)
  • The organization must manage system identifiers for devices and users by disabling the User Identifier after a predefined period of inactivity. (App F § IA-4.e, Recommended Security Controls for Federal Information Systems, NIST SP 800–53)
  • The organization must manage Information System accounts by establishing, activating, modifying, disabling, and removing accounts. (App F § AC-2.e, Recommended Security Controls for Federal Information Systems, NIST SP 800–53)
  • The organization must manage Information System accounts by deactivating accounts that are no longer required. (App F § AC-2.h(i), Recommended Security Controls for Federal Information Systems, NIST SP 800–53)
  • The information system automatically disables inactive accounts after {organizationally documented time period}. (AC-2(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800–53, Deprecated, Revision 4, Deprecated)
  • The organization manages information system identifiers by disabling the identifier after {organizationally documented time period of inactivity}. (IA-4e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800–53, Deprecated, Revision 4, Deprecated)
  • The information system automatically disables inactive accounts after {organizationally documented time period}. (AC-2(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800–53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization manages information system identifiers by disabling the identifier after {organizationally documented time period of inactivity}. (IA-4e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800–53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization manages information system identifiers by disabling the identifier after {organizationally documented time period of inactivity}. (IA-4e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800–53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system automatically disables inactive accounts after {organizationally documented time period}. (AC-2(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800–53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization manages information system identifiers by disabling the identifier after {organizationally documented time period of inactivity}. (IA-4e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800–53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system automatically disables inactive accounts after [Assignment: organization-defined time period]. (AC-2(3) 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800–53, High Impact Baseline, Revision 4)
  • The information system automatically disables inactive accounts after [Assignment: organization-defined time period]. (AC-2(3) 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800–53, Moderate Impact Baseline, Revision 4)
  • The information system automatically disables inactive accounts after [Assignment: organization-defined time period]. (AC-2(3) 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800–53, Revision 4)
  • Are in violation of organizational policy; or (AC-2(3) 1(c), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800–53, Revision 5)
  • Have expired; (AC-2(3) 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800–53, Revision 5)
  • Disable accounts within [Assignment: organization-defined time period] when the accounts: (AC-2(3) 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800–53, Revision 5)
  • Have been inactive for [Assignment: organization-defined time period]. (AC-2(3) 1(d), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800–53, Revision 5)
  • Are no longer associated with a user or individual; (AC-2(3) 1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800–53, Revision 5)
  • Ensure that user accounts are modified, deleted, or de-activated expeditiously for personnel who no longer require access or are no longer employed by the company. (Table 2: Access Control Baseline Security Measures Cell 2, Pipeline Security Guidelines)
  • Anyone who stores, licenses, owns, or maintains personal information about a Massachusetts resident and electronically transmits or stores that information must establish and maintain a security system (which must be included in the comprehensive, written information security program) for all comput… (§ 17.04(1)(d), Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts)
  • The information system automatically disables inactive accounts after [TX-RAMP Assignment: 90 days for user accounts]. (AC-2(3) 1, TX-RAMP Security Controls Baseline Level 2)

References

1. https://www.researchgate.net/publication/370730886_BDDK_SPK_TCMB_Cumhurbaskanligi_Dijital_Donusum_Ofisi_ve_ISO27001_Denetimleri_KVKK_ve_5651_Sayili_Yasa_Acisindan_Loglar_ve_Bu_Loglarin_TC_Mahkemelerince_Gecerliligi

2. https://www.researchgate.net/publication/370631442_Olay_Mudahale_Icin_Canli_Kayitlarin_Saklanmasinin_Onemi

3. https://www.researchgate.net/publication/370631364_The_Importance_of_Keeping_Live_Logs_for_Incident_Response

4. https://www.mitre.org/sites/default/files/2022-04/11-strategies-of-a-world-class-cybersecurity-operations-center.pdf

5. https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf

6. https://www.canada.ca/en/government/system/digital-government/online-security-privacy/event-logging-guidance.html

7. http://vadodarasmartcity.in/vscdl/assets/tenders/17.09.2020/2021_499-1.pdf

8. https://chroniclesec.medium.com/retaining-logs-for-a-year-boring-or-useful-9b04c1e55fba

9. https://www.sans.org/media/vendor/evaluator-039-s-guide-nextgen-siem-38720.pdf

10. https://www.fedramp.gov/

11. https://csrc.nist.gov/CSRC/media/Projects/risk-management/800-53%20Downloads/800-53r5/SP_800-53_v5_1-derived-OSCAL.pdf
