IA-2 / IA-4 / AC-2 / A.9.2.1 / CIS-5.2 NIST SP 800-53 Rev 5

Are shared accounts (info@, admin@) avoided where possible?

Demonstrate that the organization minimizes or eliminates the use of shared accounts, ensures individual accountability through unique user identifiers, and applies compensating controls where shared accounts are operationally unavoidable.

Description

What this control does

This control ensures that shared or generic email accounts (e.g., info@company.com, admin@domain.com, support@) are avoided in favor of individual user accounts with unique identifiers. Shared accounts prevent proper attribution of actions, violate accountability principles, and complicate credential rotation and access revocation. Where shared accounts must exist for operational reasons (e.g., public contact addresses), they should be monitored, have restricted privileges, and not be used for system authentication or administrative functions.

Control objective

What auditing this proves

Demonstrate that the organization minimizes or eliminates the use of shared accounts, ensures individual accountability through unique user identifiers, and applies compensating controls where shared accounts are operationally unavoidable.

Associated risks

Risks this control addresses

  • Inability to attribute actions to specific individuals during forensic investigations or audit reviews, obscuring accountability trails
  • Increased credential exposure risk as multiple users share the same password, expanding the attack surface for credential theft or unauthorized disclosure
  • Delayed or incomplete access revocation when personnel depart, since shared credentials cannot be removed without affecting all remaining users
  • Loss of non-repudiation: because activity cannot be tied to one person, every user of a shared account can claim plausible deniability for malicious or negligent actions
  • Circumvention of multifactor authentication enforcement and session controls that assume a single user per session, weakening the authentication posture
  • Difficulty enforcing password policies, rotation schedules, and complexity requirements when credentials are distributed across multiple individuals
  • Insider threat actors can conduct unauthorized activities under shared credentials, complicating detection and prosecution

Testing procedure

How an auditor verifies this control

  1. Obtain a complete inventory of all active user accounts, email addresses, and service accounts from identity management systems, Active Directory, email servers, and application databases.
  2. Filter the account inventory to identify accounts with generic naming patterns (info@, admin@, support@, shared@, team@, dept@, group@) or accounts documented as shared in provisioning records.
  3. Interview IT administrators and business process owners to confirm which accounts are genuinely shared versus distribution lists, mail-enabled groups, or role-based mailboxes that do not provide authentication credentials.
  4. For each identified shared account, review access logs and authentication records over the past 90 days to determine if multiple unique individuals have authenticated using the same credential set.
  5. Examine documented business justifications or exception approvals for any shared accounts retained for operational necessity, verifying that compensating controls are defined and implemented.
  6. Verify that shared accounts flagged as exceptions have restricted privileges, are excluded from administrative roles, and are subject to enhanced monitoring such as centralized logging or alerting rules.
  7. Test a sample of user provisioning and deprovisioning records to confirm that departing employees do not have continued access via shared accounts they previously used.
  8. Review identity governance policies and standards to confirm written requirements prohibiting shared accounts and establishing criteria for exceptions, approval workflows, and periodic re-evaluation.
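
One way to mechanize steps 2 through 4 of the procedure above, as an added example that is not part of this control page: it flags generic-named accounts in a constructed inventory export, sets aside distribution lists that hold no credential, and counts the distinct devices that authenticated to each remaining account inside the 90-day window. The inventory, the log line format, the device identifiers and the audit date are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Generic local parts listed in step 2 of the testing procedure.
GENERIC_LOCAL_PARTS = {"info", "admin", "support", "shared", "team", "dept", "group"}

INVENTORY = [  # constructed inventory export; can_authenticate False = distribution list
    {"address": "info@example.com", "can_authenticate": True},
    {"address": "admin@example.com", "can_authenticate": True},
    {"address": "team@example.com", "can_authenticate": False},
    {"address": "j.doe@example.com", "can_authenticate": True},
]

# Constructed authentication log: "<ISO timestamp> <account> <device_id> <source_ip>".
AUTH_LOG = """\
2024-03-01T08:02:11Z info@example.com WS-1043 10.1.2.10
2024-03-01T09:15:40Z info@example.com WS-2207 10.1.2.44
2024-03-04T17:30:05Z admin@example.com WS-1043 10.1.2.10
2023-11-15T11:00:00Z admin@example.com WS-9999 10.9.9.9
"""
AS_OF = datetime(2024, 3, 31)  # constructed audit date; the window is the 90 days before it

def is_generic(address):
    """Step 2: does the local part match a generic naming pattern?"""
    return address.split("@", 1)[0].lower() in GENERIC_LOCAL_PARTS

def distinct_devices(log_text, as_of, window_days=90):
    """Step 4: distinct devices that authenticated per account inside the window."""
    cutoff = as_of - timedelta(days=window_days)
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ") >= cutoff:
            seen[parts[1]].add(parts[2])
    return seen

def audit(inventory, log_text, as_of):
    """Classify generic-named accounts with the evidence an auditor would cite."""
    devices = distinct_devices(log_text, as_of)
    findings = {}
    for acct in inventory:
        addr = acct["address"]
        if not is_generic(addr):
            continue  # individually named account: out of scope for this check
        if not acct["can_authenticate"]:
            findings[addr] = "distribution list, no credential: out of scope (step 3)"
        elif len(devices.get(addr, ())) > 1:
            findings[addr] = f"shared in practice: {len(devices[addr])} devices in window"
        else:
            findings[addr] = "generic name, one device: check justification (step 5)"
    return findings
```

Distinct devices are only a proxy for distinct individuals (one person with two workstations also trips it), so the output is a candidate list for the step 3 interviews and the step 5 justification review, not a verdict.
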

Evidence required

Collect account inventory exports from identity providers and directory services showing account names, creation dates, and authentication methods. Obtain screenshots or configuration files demonstrating separation of shared mailboxes (distribution lists) from authenticatable accounts. Gather exception approval documentation, compensating control descriptions, and authentication logs for any shared accounts retained, along with the organization's written identity and access management policy excerpts addressing shared account restrictions.

Pass criteria

Shared accounts are not used for authentication or administrative purposes, with the exception of operationally justified cases that have documented business approval, compensating controls including restricted privileges and enhanced logging, and evidence that individual accountability is maintained through surrounding processes.