No shared / personal email used for account recovery
Demonstrate that no organizational accounts use shared mailboxes or personal email addresses as account recovery mechanisms, and that all recovery paths are governed by corporate identity and access management controls.
Description
What this control does
This control prohibits the use of shared mailboxes or personal email addresses (e.g., Gmail, Yahoo, Outlook.com) as recovery mechanisms for privileged, service, or corporate user accounts. Instead, recovery options must leverage corporate-controlled email infrastructure, hardware tokens, or authenticated administrative workflows. Shared or personal email accounts introduce unmonitored access paths, lack audit trails, and persist beyond employment termination, allowing unauthorized password resets or account takeovers by former employees or external attackers who compromise personal inboxes.
Control objective
What auditing this proves
Demonstrate that no organizational accounts use shared mailboxes or personal email addresses as account recovery mechanisms, and that all recovery paths are governed by corporate identity and access management controls.
Associated risks
Risks this control addresses
- Former employees retain access to personal email accounts configured for recovery, enabling unauthorized password resets after termination
- Shared mailbox credentials become widely known over time, allowing any current or former user with knowledge to perform account recovery
- Personal email accounts lack multi-factor authentication enforcement and monitoring aligned with organizational security policies
- Compromise of a personal email account (phishing, credential stuffing) grants attackers password reset capability for corporate accounts
- Absence of audit logs for personal email access prevents detection of unauthorized recovery attempts or insider threats
- Shared recovery email addresses obscure individual accountability, making forensic investigation of account takeover incidents impossible
- Personal email providers may respond to social engineering or legal process without organizational knowledge, exposing recovery mechanisms to third parties
Testing procedure
How an auditor verifies this control
- Obtain a complete inventory of all user accounts from identity providers (Active Directory, Azure AD, Okta, Google Workspace, etc.) including privileged, service, and standard user accounts.
- Extract account recovery configuration data for each account via API queries, directory exports, or administrative console reports showing configured recovery email addresses and secondary contact methods.
- Identify all recovery email addresses that do not match organizational domain patterns or known corporate email infrastructure.
- Review identity governance policies and provisioning workflows to confirm whether restrictions exist preventing personal or shared email entry during account creation or recovery setup.
- Select a sample of at least 25 accounts across privilege tiers and manually verify recovery settings through administrative interfaces or user self-service portals.
- Interview identity and access management personnel to understand processes for validating recovery email addresses during onboarding and periodic recertification.
- Examine change audit logs for the past 12 months to identify instances where recovery email addresses were modified to personal or shared addresses, and verify remediation actions.
- Test account recovery workflows for sample accounts by simulating password reset requests and confirming that recovery communications route exclusively to corporate-controlled channels.
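The inventory, domain-matching and change-log steps of the testing procedure, as an added example script that is not part of the control text. It audits a constructed directory export and a constructed change-audit log; CORPORATE_DOMAINS, PERSONAL_PROVIDERS, KNOWN_SHARED_MAILBOXES, the sample records and AUDIT_DATE are all assumed values an auditor would replace with the identity provider's real data. It goes slightly beyond the procedure as written: shared mailboxes are detected both from an explicit inventory and from the same recovery address appearing on more than one account, and the domain check is an exact match so a lookalike such as example.com.lookalike.test is not accepted as corporate.

```python
"""Audit recovery addresses against the control: personal providers,
non-corporate domains, shared mailboxes, and recent changes to any of these.
Added example; all lists, records and the audit date are assumed/constructed."""
from collections import Counter
from datetime import datetime, timedelta, timezone

CORPORATE_DOMAINS = {"example.com", "corp.example.com"}            # assumed
PERSONAL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumed
KNOWN_SHARED_MAILBOXES = {"helpdesk@example.com"}                  # assumed inventory
AUDIT_DATE = datetime(2024, 9, 1, tzinfo=timezone.utc)             # assumed, fixed for reproducibility

# Constructed sample directory export (one record per account).
ACCOUNTS = [
    {"user": "alice", "tier": "privileged", "recovery_email": "alice.backup@corp.example.com"},
    {"user": "bob", "tier": "standard", "recovery_email": "bob1985@gmail.com"},
    {"user": "svc-backup", "tier": "service", "recovery_email": "helpdesk@example.com"},
    {"user": "carol", "tier": "privileged", "recovery_email": "ops-team@example.com"},
    {"user": "dave", "tier": "standard", "recovery_email": "ops-team@example.com"},
    {"user": "erin", "tier": "standard", "recovery_email": None},
    {"user": "frank", "tier": "privileged", "recovery_email": "frank@example.com.lookalike.test"},
]

# Constructed sample change-audit events (ISO-8601 UTC timestamps).
AUDIT_LOG = [
    {"ts": "2024-03-02T10:15:00Z", "user": "bob", "field": "recovery_email",
     "old": "bob@example.com", "new": "bob1985@gmail.com"},
    {"ts": "2024-05-20T16:40:00Z", "user": "carol", "field": "recovery_email",
     "old": "carol.alt@corp.example.com", "new": "ops-team@example.com"},
    {"ts": "2024-06-10T08:05:00Z", "user": "alice", "field": "recovery_email",
     "old": "alice88@yahoo.com", "new": "alice.backup@corp.example.com"},     # remediation
    {"ts": "2023-02-01T12:00:00Z", "user": "frank", "field": "recovery_email",
     "old": "frank.alt@example.com", "new": "frank@example.com.lookalike.test"},  # outside window
    {"ts": "2024-07-01T09:30:00Z", "user": "dave", "field": "display_name",
     "old": "Dave", "new": "David"},                                            # unrelated field
]

ACCEPTABLE = {"compliant", "no-email-recovery"}


def recovery_domain(address):
    """Lower-cased domain part of an address, or None if it is not an address."""
    if not address or "@" not in address:
        return None
    return address.rsplit("@", 1)[1].strip().lower()


def recovery_address_counts(accounts):
    """How many accounts use each recovery address; more than one indicates a shared mailbox."""
    return Counter(a["recovery_email"].lower() for a in accounts if a["recovery_email"])


def classify_recovery(address, shared_counts):
    """Classify one recovery address against the control's requirements."""
    if not address:
        return "no-email-recovery"          # may rely on tokens or an admin workflow instead
    domain = recovery_domain(address)
    if domain is None:
        return "malformed"
    if domain not in CORPORATE_DOMAINS:     # exact match, so lookalike subdomains fail
        return "personal-provider" if domain in PERSONAL_PROVIDERS else "external-domain"
    addr = address.lower()
    if addr in KNOWN_SHARED_MAILBOXES or shared_counts[addr] > 1:
        return "shared-mailbox"
    return "compliant"


def audit_accounts(accounts):
    """Findings for every account whose configured recovery address violates the control."""
    counts = recovery_address_counts(accounts)
    findings = []
    for acct in accounts:
        finding = classify_recovery(acct["recovery_email"], counts)
        if finding not in ACCEPTABLE:
            findings.append({"user": acct["user"], "tier": acct["tier"],
                             "recovery_email": acct["recovery_email"], "finding": finding})
    return findings


def flag_recovery_changes(log, accounts, audit_date=AUDIT_DATE, window_days=365):
    """Recovery-address changes inside the review window whose new value violates the control."""
    cutoff = audit_date - timedelta(days=window_days)
    counts = recovery_address_counts(accounts)
    flagged = []
    for ev in log:
        if ev["field"] != "recovery_email":
            continue
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        if ts < cutoff:
            continue
        finding = classify_recovery(ev["new"], counts)
        if finding not in ACCEPTABLE:
            flagged.append({"ts": ev["ts"], "user": ev["user"], "new": ev["new"], "finding": finding})
    return flagged


if __name__ == "__main__":
    for f in audit_accounts(ACCOUNTS):
        print(f"{f['tier']:<10} {f['user']:<10} {str(f['recovery_email']):<40} {f['finding']}")
    for f in flag_recovery_changes(AUDIT_LOG, ACCOUNTS):
        print(f"{f['ts']} {f['user']} changed recovery to {f['new']}: {f['finding']}")
```

On the sample data this reports bob (personal provider), svc-backup, carol and dave (shared mailboxes) and frank (external lookalike domain), and flags the two in-window changes by bob and carol while ignoring alice's remediation and frank's change from before the 12-month window. Accounts with no email recovery configured are treated as acceptable here only because the control permits hardware tokens or authenticated administrative workflows; an auditor would confirm one of those is actually in place for each such account.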
Where this control is tested