Standards Group:
YALE-MSS-9: Authentication and Authorization
YALE-MSS-9.4: Deprovision accounts and access when roles and responsibilities change
Low Risk Endpoint: Required
Moderate Risk Endpoint: Required
High Risk Endpoint: Required
Low Risk Server: Required
Moderate Risk Server: Required
High Risk Server: Required
Low Risk Mobile Device: Required
Moderate Risk Mobile Device: Required
High Risk Mobile Device: Required
Low Risk Network Printer: Required
Moderate Risk Network Printer: Required
High Risk Network Printer: Required
Details
Deprovisioning is the process of revoking an account's access rights, disabling accounts, and removing credentials for systems and data.
Ensure accounts are deprovisioned to reflect necessary access when an individual's role or responsibilities change or a user is terminated.
Perform a review of accounts at least annually.
For service accounts, credentials must be rotated immediately after any authorized individual no longer needs access to the account.
For systems with the PCI external obligation:
- access for terminated users is immediately revoked
- inactive user accounts must be disabled within 90 days