Q

Should void user IDs be preserved in an audit history?

In this SearchSecurity.com Q&A, identity management and access control expert Joel Dubin explains how inadequate management of user access can result in compliance violations and information security threats for a corporation.

We have been instructed in my company to never delete any ID, even if created mistakenly. By doing so, we preserve an audit history, should that ID be required in the future. This company is the only one known to me to take such an action. Is this a safe and/or recommended practice?
Keeping a void user ID isn't a recommended practice. It doesn't matter whether the user ID is of a long-gone employee, created mistakenly or used solely for test purposes. Any and all dormant user IDs should be promptly removed from your system.

This is not only an information security best practice, but it may also be required for regulatory compliance.

Let's first deal with the information security side of the issue. Inactive user IDs can come back and haunt you in the form of vengeful system access by former users. An ex-employee is considered an insider because his or her user ID may still be active, meaning it's still possible to access your systems. A former employee who leaves on bad terms may be even more likely to wreak havoc on your network than a current employee, but instead of showing up in your logs as a hostile intruder, the attacker will merely be listed among the current users.

Keeping old user IDs active for auditing purposes is also foolish. Access management systems like Active Directory (AD) can be used for tracking and logging historic activity of a user ID without having to keep an account active. There are also forensics tools that do the same.

As for compliance, regulations like Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) all require regular auditing of access controls and reporting of active accounts. Auditors and regulators won't be happy if they find stale, mistaken or otherwise extraneous user IDs that are not attached to current employees when combing through your reports.

So what you describe, besides not being a best practice, could also land your company into a lot of regulatory trouble.

For more information:

  • Visit SearchSecurity.com's Identity and Access Management Security School to learn how to establish and maintain an effective plan for monitoring user access.
  • Learn the most effective methods for delivering an access control strategy to executive management.
  • This was first published in June 2007
    This Content Component encountered an error

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    -ADS BY GOOGLE

    SearchCloudSecurity

    SearchNetworking

    SearchCIO

    SearchConsumerization

    SearchEnterpriseDesktop

    SearchCloudComputing

    ComputerWeekly

    Close