AC-2(3) / A.5.18 / CIS-5.3 NIST SP 800-53 Rev 5

Disable / decommission stale accounts

Description

What this control does

This control requires organizations to identify and disable or decommission user, service, and system accounts that have been inactive for a defined period or are associated with terminated personnel, completed projects, or retired systems. Automation typically scans authentication logs to flag accounts exceeding the dormancy threshold (commonly 30, 60, or 90 days) and triggers a workflow for review and deactivation. Timely removal of stale accounts reduces the exploitable attack surface by closing the forgotten or unmonitored access paths that enable credential stuffing, lateral movement, and privilege escalation.

Control objective

What auditing this proves

Demonstrate that the organization consistently identifies, reviews, and disables or removes accounts that have exceeded defined inactivity thresholds or are no longer required for business purposes.

Associated risks

Risks this control addresses

  • Unauthorized access via credentials from terminated employees whose accounts remain active after departure
  • Lateral movement by attackers exploiting dormant service accounts with excessive privileges that are no longer monitored
  • Credential stuffing attacks succeeding against inactive accounts with weak or reused passwords
  • Privilege escalation through compromise of orphaned administrative accounts no longer tied to responsible owners
  • Compliance violations and audit findings due to retention of unnecessary accounts beyond regulatory retention periods
  • Shadow IT persistence where project-based accounts outlive their approved usage window and accumulate entitlements
  • Insider threat actors reactivating dormant accounts to obfuscate attribution during malicious activity

Testing procedure

How an auditor verifies this control

  1. Obtain the organization's policy and procedure documents defining inactivity thresholds, review cycles, and decommissioning processes for user, service, and privileged accounts.
  2. Retrieve the complete inventory of active accounts from all identity providers, directory services, databases, cloud platforms, and critical applications as of the audit date.
  3. Extract authentication logs for the past 180 days covering all systems in scope to calculate last logon or activity timestamp for each account.
  4. Identify all accounts with last activity exceeding the organization's defined inactivity threshold and flag accounts associated with terminated personnel from HR records.
  5. Select a representative sample of at least 25 stale accounts across user, service, and privileged tiers and verify their current status (active, disabled, or deleted).
  6. Review approval records, change tickets, or workflow logs for sampled accounts to confirm timely deactivation occurred within the policy-specified grace period after flagging.
  7. Interview identity and access management personnel to confirm automated monitoring tools are configured to alert on dormant accounts and trigger review workflows.
  8. Test the deactivation process by simulating an account exceeding the inactivity threshold and verifying system-generated alerts and subsequent manual or automated remediation actions.

Evidence required

Configuration exports from identity management systems showing inactivity detection rules and thresholds; authentication log extracts for the audit period with calculated last-logon timestamps; screenshots or reports listing flagged stale accounts and their current status; change management tickets or approval workflows documenting account deactivation decisions; HR termination records cross-referenced with account deactivation dates; policy documents specifying inactivity periods and decommissioning procedures.

Pass criteria

All sampled accounts exceeding the defined inactivity threshold or associated with terminated personnel have been disabled or decommissioned within the policy-specified timeframe, with documented approval and execution evidence.
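As an added example (not part of this control page or of any tool it references), the following Python sketches steps 3 and 4 of the testing procedure: it derives the last successful logon per account from an authentication log extract, cross-references HR termination records, and flags active accounts that exceed the inactivity threshold. The account names, log format, dates, and 90-day threshold are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

AUDIT_DATE = datetime(2024, 6, 30, tzinfo=timezone.utc)  # constructed audit date
INACTIVITY_DAYS = 90                                      # assumed policy threshold

# Constructed account inventory: account -> (tier, status)
INVENTORY = {
    "alice":      ("user", "active"),
    "bob":        ("user", "active"),        # owner terminated, account never disabled
    "carol":      ("user", "disabled"),      # already decommissioned
    "svc-backup": ("service", "active"),     # only failed logons in the period
    "adm-dave":   ("privileged", "active"),  # last logon well past the threshold
}
# Constructed HR termination records: account -> termination date
TERMINATIONS = {"bob": datetime(2024, 4, 10, tzinfo=timezone.utc)}
# Constructed authentication log extract: "<ISO-8601 timestamp> <event> <account>"
AUTH_LOG = """\
2024-06-28T08:12:00Z LOGON alice
2024-03-02T17:45:00Z LOGON bob
2024-01-15T09:00:00Z LOGON adm-dave
2024-06-29T12:00:00Z LOGON_FAILED svc-backup
"""

def last_activity(log_text):
    """Map each account to its most recent successful logon (failed attempts are not activity)."""
    seen = {}
    for line in log_text.splitlines():
        ts, event, account = line.split()
        if event != "LOGON":
            continue
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if account not in seen or when > seen[account]:
            seen[account] = when
    return seen

def flag_accounts(inventory, terminations, activity, audit_date, threshold_days):
    """Return {account: reason} for active accounts that should already be disabled."""
    cutoff = audit_date - timedelta(days=threshold_days)
    findings = {}
    for account, (tier, status) in inventory.items():
        if status != "active":
            continue  # disabled or deleted accounts are not findings
        if account in terminations and terminations[account] <= audit_date:
            findings[account] = f"{tier}: owner terminated {terminations[account].date()}"
        elif account not in activity:
            findings[account] = f"{tier}: no successful logon in the log period"
        elif activity[account] < cutoff:
            idle = (audit_date - activity[account]).days
            findings[account] = f"{tier}: inactive {idle} days (threshold {threshold_days})"
    return findings
```

Running `flag_accounts(INVENTORY, TERMINATIONS, last_activity(AUTH_LOG), AUDIT_DATE, INACTIVITY_DAYS)` yields one finding each for the terminated, never-logged-on, and dormant privileged account, while the recently used and already-disabled accounts produce none. The same per-account result is what an auditor would then trace to a deactivation ticket in step 6.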