An error occurred:

Check: SRG-APP-000234-MAPP-NA

Mobile Application SRG: SRG-APP-000234-MAPP-NA (in version v1 r1)

Title

The application must automatically terminate emergency accounts after an organization defined time period for each type of account. (Cat II impact)

Discussion

Emergency application accounts are typically created due to an unforeseen operational event or could ostensibly be used in the event of a vendor support visit where a support representative requires a temporary unique account in order to perform diagnostic testing or conduct some other support related activity. When these types of accounts are created, there is a risk that the temporary account may remain in place and active after the support representative has left. In the event emergency application accounts are required, the application must ensure that accounts that are designated as temporary in nature shall automatically terminate these accounts after an organization-defined time period. Such a process and capability greatly reduces the risk that accounts will be misused, hijacked, or application data compromised. To address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise level authentication/access mechanisms that meet or exceed access control policy requirements. Such an integration allows the application developer to off-load those access control functions and focus on core application features and functionality. Examples of enterprise level authentication/access mechanisms include but are not limited to Active Directory and LDAP. The application must provide or utilize a mechanism to automatically terminate accounts that have been designated as temporary or emergency accounts after an organization defined time period. Rationale for non-applicability: This SRG applies to single-user applications. There is no possibility of emergency accounts in these applications.

Check Content

This requirement is NA for the MAPP SRG.

Fix Text

The requirement is NA. No fix is required.

Additional Identifiers

Rule ID: SV-46878r1_rule

Vulnerability ID: V-35591

Group Title:

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001682

Automatically remove or disable emergency accounts after an organization-defined time period for each type of account.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-2(2)

Removal of Temporary / Emergency Accounts