APP019: Account Inactivity
Does the application have a process to disable inactive accounts after a period of time not exceeding 100 calendar days? (Functional IDs and customer login IDs are exempt).
Guidance: To comply with the CISS, user IDs must be disabled after a stated period of inactivity, except for customer-facing applications. The period should be commensurate with the criticality of the application. Such a requirement can be satisfied if the application can automatically disable inactive user accounts or if a documented process is implemented. (Functional IDs and customer login IDs are exempt from this requirement.) Disabled logins may be re-enabled by the user or another authorized function.
No automatic or documented process to disable inactive users after a predefined period of time.