APP019: Account Inactivity

Does the application have a process to disable inactive accounts after a period of time not exceeding 100 calendar days? (Functional IDs and customer login IDs are exempt).

Guidance: To comply with the CISS, user IDs must be disabled after a stated period of inactivity, except for customer-facing applications. The period should be commensurate with the criticality of the application. Such a requirement can be satisfied if the application can automatically disable inactive user accounts or if a documented process is implemented. (Functional IDs and Customer login IDs are exempt from this requirement). Disabled logins may be re-enabled by the user or another authorized function

No automatic or documented process to disable inactive users after a predefined period of time.

  • MD

    QuickView has a Maximum Inactivity policy. Select Configuration > Security > Policies:

    If a user has not logged in in the last 90 days the status changes automatically to inactive, as seen here:

    If an inactive user tries to logon it will see the following alert:

    Additional References; Security Policies

Please Sign In to submit new tickets or to reply to existing ones.

Ticket ID



January 21, 2021 05:54 PM