IA.L2-3.5.6—Identifier Handling
Level 2
800-171: 3.5.6
Control Description
Disable identifiers after a defined period of inactivity.
Cross-Framework Mappings
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is your policy for disabling inactive identifiers?
- What period of inactivity triggers automatic account disablement?
- How do you determine appropriate inactivity thresholds for different account types?
- What is your process for re-enabling legitimately inactive accounts?
- Who reviews lists of disabled accounts periodically?
Technical Implementation:
- What automated processes disable inactive identifiers?
- How do you detect and report on inactive accounts?
- What tools automatically disable accounts after inactivity?
- How are disabled accounts flagged in identity management systems?
- What mechanisms re-enable accounts when needed?
Evidence & Documentation:
- What authentication policy documentation can you provide?
- What password policy settings and configurations can you show?
- What MFA enrollment and usage reports demonstrate compliance?
- What account management documentation shows account lifecycle?
- What authentication logs demonstrate enforcement?
- What screenshots show authentication configurations?