SB.9.002 Account lock-out

Identity & Access Management
Low
Low
n/a
Organisation
Version: v2.0 (Q1 2024)

Accounts are blocked automatically after 45 days of inactivity, or on the end date of the formal relation with the organisation for which the account was provided.

After 90 days the account is deleted or stripped of all authorisations.

Unblocking an account follows the same approval process as requesting access in Joiner/Mover situations.

Specification

Account details can persist in logging if required by organisational retention periods.

Deletion of an account should not lead to deletion of logs that must be retained, or of items assigned to that account. In such cases, overwriting the account identifier with a random ID is often advisable.

ISO 27001 & 27002:2022

A5.2,
A5.3,
A5.15,
A5.16,
A5.17,
A5.18,
A8.2

SURF toetsingskader informatiebeveiliging (NBA-volwassenheidsmodel)

ID.01 Access rules