STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020

The ISSO must ensure an account management process is implemented, verifying only authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or terminated are promptly removed.

DISA Rule

SV-222619r508029_rule

Vulnerability Number

V-222619

Group Title

SRG-APP-000516

Rule Version

APSC-DV-002880

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Establish an account management process.

Check Contents

Interview the application representative to verify that a documented process exists for user and system account creation, termination, and expiration.

Obtain a list of recently departed personnel and verify that their accounts were removed or deactivated on all systems in a timely manner (e.g., less than two days).

If a documented account management process does not exist or unauthorized users have active accounts, this is a finding.

Documentable

False

Check Content Reference

M

Target Key

4093
