Inactive Profiles


Individual user profiles that were created for persons who are no longer affiliated with the company should be deleted as soon as possible. There should be a process in place to delete or disable profiles immediately once employment or contracts with the company are terminated.


Deleting old and disabled user profiles from the system simplifies system management and can improve overall system performance by eliminating unnecessary authority lookups. Unused profiles could be enabled and/or compromised at a later date, and visibility of that event would be poor because these profiles are not used on a regular basis.


This list of system user profiles should be carefully reviewed. User profiles that should remain active, but are never used to sign on to the system, should have their password set to *NONE.


PowerTech Recommendations

Use the Compliance Monitor 'Inactive Profiles' report to monitor all inactive profiles.



Delete profiles that were created for former employees. Review the list of profiles and delete those that are not needed. Profiles that are needed, but are not used by anyone to sign on, should be enabled but their passwords should be set to *NONE.
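The review steps above, as an added worklist script that is not PowerTech's code and not part of Compliance Monitor: it classifies each profile the way the recommendation describes and emits the matching IBM i CL command. The 90-day threshold, the record layout and the sample profiles are assumptions; the CL commands (DLTUSRPRF, CHGUSRPRF with PASSWORD(*NONE) or STATUS(*DISABLED)) are real.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The page sets no inactivity period; 90 days is an assumption for this example.
INACTIVE_AFTER = timedelta(days=90)

@dataclass
class Profile:
    name: str                    # user profile name
    enabled: bool                # STATUS(*ENABLED) vs STATUS(*DISABLED)
    password_none: bool          # PASSWORD(*NONE) already set
    last_signon: Optional[date]  # None = never used to sign on

def classify(p: Profile, today: date) -> str:
    """Review action for one profile, following the recommendations above."""
    if not p.enabled:
        # Old, disabled profiles are deleted once nothing is found to need them.
        return "delete"
    if p.last_signon is None:
        # Needed but never used to sign on: stays enabled, password set to *NONE.
        return "ok" if p.password_none else "set-password-none"
    if today - p.last_signon > INACTIVE_AFTER:
        # Used in the past but not recently: disable now, delete after review.
        return "disable"
    return "ok"

def cl_command(p: Profile, action: str) -> Optional[str]:
    """CL command for the action (real IBM i commands; profile names are constructed)."""
    if action == "delete":
        # DLTUSRPRF fails if the profile still owns objects (default OWNOBJOPT(*NODLT)).
        return f"DLTUSRPRF USRPRF({p.name})"
    if action == "set-password-none":
        return f"CHGUSRPRF USRPRF({p.name}) PASSWORD(*NONE)"
    if action == "disable":
        return f"CHGUSRPRF USRPRF({p.name}) STATUS(*DISABLED)"
    return None

def review(profiles, today):
    # Map each profile name to (action, CL command or None).
    return {p.name: (classify(p, today), cl_command(p, classify(p, today)))
            for p in profiles}

# Constructed sample data for the example; not from any real system.
SAMPLE = [
    Profile("JSMITH", True, False, date(2024, 5, 1)),      # active employee
    Profile("OLDEMP", False, False, date(2023, 1, 10)),    # disabled former employee
    Profile("BATCHOWN", True, False, None),                # object owner, never signs on
    Profile("CONTRACT1", True, False, date(2023, 11, 2)),  # contractor, not seen lately
]
```

Running `review(SAMPLE, date(2024, 5, 15))` yields delete for OLDEMP, PASSWORD(*NONE) for BATCHOWN, disable for CONTRACT1 and no action for JSMITH; the worklist is still reviewed by a person before any command is run.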


Relevant Standards:


COBIT DS5.3 - Identity Management

All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable. User access rights to systems and data should be in line with defined and documented business needs and job requirements.


COBIT DS5.4 - User Account Management

Ensure that requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are addressed by user account management. An approval procedure outlining the data or system owner granting the access privileges should be included.


COBIT DS5.5 - Security Testing, Surveillance and Monitoring

Ensure that IT security implementation is tested and monitored proactively. IT security should be reaccredited periodically to ensure the approved security level is maintained. A logging and monitoring function enables the early detection of unusual or abnormal activities that may need to be addressed.


ISO 27002 (17799) 11.2.1 - User Registration

There should be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services.


ISO 27002 (17799) 11.2.4 - Review of User Access Rights

Management should review users' access rights at regular intervals using a formal process.
