Problem solve Get help with specific problems with your technologies, process and projects.

Should void user IDs be preserved in an audit history?

In this SearchSecurity.com Q&A, identity management and access control expert Joel Dubin explains how inadequate management of user access can result in compliance violations and information security threats for a corporation.

We have been instructed in my company to never delete any ID, even if created mistakenly. By doing so, we preserve an audit history, should that ID be required in the future. This company is the only one known to me to take such an action. Is this a safe and/or recommended practice?
Keeping a void user ID isn't a recommended practice. It doesn't matter whether the user ID is of a long-gone employee, created mistakenly or used solely for test purposes. Any and all dormant user IDs should be promptly removed from your system.

This is not only an information security best practice, but it may also be required for regulatory compliance.

Let's first deal with the information security side of the issue. Inactive user IDs can come back and haunt you in the form of vengeful system access by former users. An ex-employee is considered an insider because his or her user ID may still be active, meaning it's still possible to access your systems. A former employee who leaves on bad terms may be even more likely to wreak havoc on your network than a current employee, but instead of showing up in your logs as a hostile intruder, the attacker will merely be listed among the current users.

Keeping old user IDs active for auditing purposes is also foolish. Access management systems like Active Directory (AD) can be used for tracking and logging historic activity of a user ID without having to keep an account active. There are also forensics tools that do the same.

As for compliance, regulations like Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) all require regular auditing of access controls and reporting of active accounts. Auditors and regulators won't be happy if they find stale, mistaken or otherwise extraneous user IDs that are not attached to current employees when combing through your reports.

So what you describe, besides not being a best practice, could also land your company into a lot of regulatory trouble.

For more information:

  • Visit SearchSecurity.com's Identity and Access Management Security School to learn how to establish and maintain an effective plan for monitoring user access.
  • Learn the most effective methods for delivering an access control strategy to executive management.
  • This was last published in June 2007

    Dig Deeper on Privileged access management

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.