Title

The option to disable user accounts after 30 days of inactivity is not being used. (Cat III impact)

Discussion

Requirement: The IAO will ensure that user accounts are disabled after 30 days of inactivity. User accounts that are inactive for more than 30 days should be disabled by the system. Outdated or unused user accounts provide penetration points that may go undetected. Deleting or disabling these types of accounts will help to prevent unauthorized users from gaining access to the DSN system by using an old account that is not needed.

Check Content

Tekelec: rtrv-secu-dflt; UOUT=30

Fix Text

Configure systems to disable accounts that are inactive for more than 30 days, if technically feasible. If the system does not provide this functionality, the ISSO/IAO should review accounts every 30 days to ensure that only needed accounts are active.

Additional Identifiers

Rule ID: SV-8445r1_rule

Vulnerability ID: V-7959

Group Title: Inactive accounts not disabled after 30 days

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.