thePCI Portal

The Mandela Effect and Inactive accounts

What makes a user account “inactive”?

I think most QSAs would say “any account not used within 90 days”.

I think these QSAs would also say that the PCI DSS (v3.2.1) actually defines an inactive account as one that has not been used within 90 days. But maybe this definition comes from the Mandela Effect. The Mandela Effect is one of those “alternate memories” that we believe happened but that are incorrect (like the belief that Nelson Mandela died in prison). The PCI DSS standards document does not actually define what an inactive account is (at least not clearly), as the table below illustrates. Neither does the ROC template.


What does the 90-day period refer to? The account’s inactivity, or the process to remove inactive accounts? Or both?


The table compares each piece of DSS or ROC text against three readings of the 90 days: (1) it refers to the process to remove inactive accounts; (2) it refers to the account’s inactivity; (3) it is not clear what the 90 days refers to. Each passage below was marked (X) against one of those three readings.

From the DSS, Requirement 8.1.4: “Remove/disable inactive user accounts within 90 days.” (X)

From the DSS, Testing Procedure 8.1.4: “Observe user accounts to verify that any inactive accounts over 90 days old are either removed or disabled.” (X)

From the DSS, Guidance: “Accounts that are not used regularly are often targets of attack since it is less likely that any changes (such as a changed password) will be noticed. As such, these accounts may be more easily exploited and used to access cardholder data.” (X)

From the ROC, 8.1.a: “Identify the written procedures for user identification management examined to verify processes are defined for each of the items below at 8.1.1 through 8.1.8: • Remove/disable inactive user accounts at least every 90 days.” (X)

From the ROC, 8.1.4: “Remove/disable inactive user accounts within 90 days.” (X)

From the ROC, Requirement and Testing Procedure 8.1.4: “Observe user accounts to verify that any inactive accounts over 90 days old are either removed or disabled.” (X)

From the ROC, Reporting Instruction: “Describe how user accounts were observed to verify that any inactive accounts over 90 days old are either removed or disabled.” (X)

Maybe we need to look around to see whether there was a historical definition in an older version of the DSS?

Current online Glossary: no mention of “inactive”

PCI DSS v3.2 Glossary: no mention of “inactive”

PCI DSS v2 Glossary: no mention of “inactive”

PCI DSS v2: same wording as v3.2.1.

Turns out there is an FAQ with the definition that solves the riddle for us!

The FAQ is article 1066 (May 2014):

https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/What-is-an-inactive-user-account-as-used-in-PCI-DSS-Requirement-8-1-4?q=inactive&l=en_US&fs=Search&

An inactive user account is one that has not been used in over 90 days. Inactive accounts are often targets for attackers since they are generally not monitored, and changes to the accounts (such as a changed password) could easily go unnoticed.

Removing or disabling inactive accounts reduces the risk that they will be used to gain unauthorized access to the environment.

Mystery solved! Now to figure out how often to check for inactive accounts! 😉
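As an added illustration (not part of the original post), the following Python applies the FAQ definition to a constructed set of last-use dates and then combines it with the other reading of the 90 days, the review cadence, to show how long an unused account can stay enabled in the worst case. The account names, dates and review intervals are made up.

```python
from datetime import date

# Threshold from the PCI SSC FAQ quoted above: an account is inactive
# once it has not been used in over 90 days.
INACTIVITY_DAYS = 90

# Constructed sample data (not from any real system):
# username -> date of last use; None means the account has never been used.
SAMPLE_ACCOUNTS = {
    "svc_backup": date(2024, 1, 2),   # exactly 90 days before AS_OF
    "jdoe": date(2024, 3, 15),
    "contractor7": None,
    "asmith": date(2023, 12, 31),     # 92 days before AS_OF
}
AS_OF = date(2024, 4, 1)  # constructed reference date for the review


def days_unused(last_used, as_of):
    """Days since the account was last used; None if it was never used."""
    if last_used is None:
        return None
    return (as_of - last_used).days


def find_inactive(accounts, as_of, threshold_days=INACTIVITY_DAYS):
    """Apply the FAQ definition: flag accounts unused for MORE than
    threshold_days (an account at exactly 90 days is not yet inactive).
    Never-used accounts are always flagged and reported with None."""
    inactive = {}
    for user, last_used in accounts.items():
        unused = days_unused(last_used, as_of)
        if unused is None or unused > threshold_days:
            inactive[user] = unused
    return inactive


def worst_case_enabled_days(review_interval_days, threshold_days=INACTIVITY_DAYS):
    """Combine both readings of the 90 days: if the removal process runs every
    review_interval_days, an account that crosses the inactivity threshold just
    after one review stays enabled until the next, so an unused account can
    remain enabled for up to threshold + interval days."""
    return threshold_days + review_interval_days


if __name__ == "__main__":
    for user, unused in find_inactive(SAMPLE_ACCOUNTS, AS_OF).items():
        label = "never used" if unused is None else f"unused for {unused} days"
        print(f"{user}: {label}")
    for interval in (30, 90):
        print(f"review every {interval} days -> enabled up to {worst_case_enabled_days(interval)} days")
```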
