AC-02 Account Management

Control: The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization reviews information system accounts [Assignment: organization-defined frequency, at least annually].

Supplemental Guidance: Account management includes the identification of account types (i.e., individual, group, and system), establishment of conditions for group membership, and assignment of associated authorizations. The organization identifies authorized users of the information system and specifies access rights/privileges. The organization grants access to the information system based on: (i) a valid need-to-know/need-to-share that is determined by assigned official duties and satisfying all personnel security criteria; and (ii) intended system usage. The organization requires proper identification for requests to establish information system accounts and approves all such requests. The organization specifically authorizes and monitors the use of guest/anonymous accounts and removes, disables, or otherwise secures unnecessary accounts. Account managers are notified when information system users are terminated or transferred and associated accounts are removed, disabled, or otherwise secured. Account managers are also notified when users' information system usage or need-to-know/need-to-share changes.

Control Enhancements:

(1) The organization employs automated mechanisms to support the management of information system accounts.

(2) The information system automatically terminates temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].

(3) The information system automatically disables inactive accounts after [Assignment: organization-defined time period].

(4) The organization employs automated mechanisms to audit account creation, modification, disabling, and termination actions and to notify, as required, appropriate individuals.
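Enhancements (2), (3) and (4) describe an automated review that an account-management job can implement. The following is an added illustration, not text from the control catalog: it runs over constructed sample account records, applies assumed values for the organization-defined time periods, and emits one auditable event (with an assumed notification target) per account it would terminate or disable.

```python
from datetime import datetime, timedelta

# Constructed sample account records (not from the control text); one row per account.
ACCOUNTS = [
    {"name": "alice",       "type": "individual", "created": "2023-01-10", "last_login": "2024-05-01"},
    {"name": "bob",         "type": "individual", "created": "2022-08-03", "last_login": "2023-11-15"},
    {"name": "tmp-vendor",  "type": "temporary",  "created": "2024-05-01", "last_login": "2024-06-14"},
    {"name": "tmp-auditor", "type": "temporary",  "created": "2024-06-05", "last_login": "2024-06-14"},
    {"name": "break-glass", "type": "emergency",  "created": "2024-06-12", "last_login": "2024-06-12"},
    {"name": "svc-backup",  "type": "system",     "created": "2021-02-01", "last_login": "2024-06-10"},
]

# Assumed values for the [Assignment: organization-defined ...] placeholders.
INACTIVITY_LIMIT = timedelta(days=90)                                              # AC-2(3)
MAX_LIFETIME = {"temporary": timedelta(days=30), "emergency": timedelta(days=1)}  # AC-2(2)
ACCOUNT_MANAGER = "account-managers@example.invalid"   # AC-2(4) notification target (placeholder)

def review_accounts(accounts, now):
    """Return (actions, audit_events) for a review run at `now` (datetime or ISO string).

    actions: list of (account, action, reason) an automated mechanism should apply.
    audit_events: one structured record per action, carrying the notification target.
    """
    now = datetime.fromisoformat(now) if isinstance(now, str) else now
    actions, audit_events = [], []
    for acct in accounts:
        created = datetime.fromisoformat(acct["created"])
        last_login = datetime.fromisoformat(acct["last_login"])
        lifetime = MAX_LIFETIME.get(acct["type"])
        if lifetime is not None and now - created >= lifetime:
            action, reason = "terminate", "expired"   # AC-2(2): temporary/emergency account past its lifetime
        elif now - last_login > INACTIVITY_LIMIT:
            action, reason = "disable", "inactive"    # AC-2(3): no login within the inactivity limit
        else:
            continue                                  # account stays active; nothing to audit
        actions.append((acct["name"], action, reason))
        audit_events.append({                         # AC-2(4): auditable record plus notification
            "event": f"account_{action}", "account": acct["name"], "type": acct["type"],
            "reason": reason, "at": now.isoformat(), "notify": ACCOUNT_MANAGER,
        })
    return actions, audit_events

if __name__ == "__main__":
    for event in review_accounts(ACCOUNTS, "2024-06-15")[1]:
        print(event)
```

Expiry is checked before inactivity, so a temporary account that is still being used is terminated once its lifetime ends rather than kept alive by recent logins.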

Baseline: LOW: AC-2; MOD: AC-2 (1) (2) (3) (4); HIGH: AC-2 (1) (2) (3) (4)

Family: Access Control

Class: Technical

ISO 17799 mapping: 6.2.2, 6.2.3, 8.3.3, 11.2.1, 11.2.2, 11.2.4, 11.7.2

COBIT 4.1 mapping: DS5.4

PCI-DSS v2 mapping: 7.1.3