EXPERT RESPONSE
Keeping a void user ID isn't a recommended practice. It doesn't matter whether the user ID is of a long-gone employee, created mistakenly or used solely for test purposes. Any and all dormant user IDs should be promptly removed from your system.
This is not only an information security best practice, but it may also be required for regulatory compliance.
Let's first deal with the information security side of the issue. Inactive user IDs can come back and haunt you in the form of vengeful system access by former users. An ex-employee is considered an insider because his or her user ID may still be active, meaning it's still possible to access your systems. A former employee who leaves on bad terms may be even more likely to wreak havoc on your network than a current employee, but instead of showing up in your logs as a hostile intruder, the attacker will merely be listed among the current users.
Keeping old user IDs active for auditing purposes is also foolish. Access management systems like Active Directory (AD) can be used for tracking and logging historic activity of a user ID without having to keep an account active. There are also forensics tools that do the same.
As for compliance, regulations like Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) all require regular auditing of access controls and reporting of active accounts. Auditors and regulators won't be happy if they find stale, mistaken or otherwise extraneous user IDs that are not attached to current employees when combing through your reports.
So what you describe, besides not being a best practice, could also land your company into a lot of regulatory trouble.
For more information:
Visit SearchSecurity.com's Identity and Access Management Security School to learn how to establish and maintain an effective plan for monitoring user access.
Learn the most effective methods for delivering an access control strategy to executive management.
|
