Unprivileged access to systems and applications is disabled after 45 days of inactivity.
Topic: Suspension of access to systems
Applicable to: all
History
Priority: should
Dec 2023
Unprivileged access to systems and applications is disabled after 45 days of inactivity.
Existing controls relating to automatically disabling access to systems, applications and data repositories after 45 days of inactivity were amended to remove the requirement that it occur automatically, noting that in some cases supporting governance mechanisms may be required to assist in identifying when accounts have not been used within the last 45 days. [ISM-1404, ISM-1647, ISM-1648, ISM-1716]
Dec 2021
Unprivileged access to systems and applications is automatically disabled after 45 days of inactivity.
The recommendation to disable or remove access to systems, applications and data repositories for unprivileged users after one month of inactivity has been amended to 45 days to align with the recommendation for privileged users within the Essential Eight Maturity Model.
Sep 2019
Access to systems, applications and data repositories is removed or suspended after one month of inactivity.
Security controls 0430 and 1404 were modified to replace references to ‘information’ with ‘data repositories’ in order to align with language used by the Essential Eight mitigation strategies.
Aug 2019
Access to systems, applications and information is removed or suspended after one month of inactivity.
2015
Agencies should remove or suspend accounts after one month of inactivity.