AC-2(3) Disable Inactive Accounts

[srtalbot]

Security Story

Story context From security assessor:

CDS should investigate if an access control feature could be implemented which would automatically disable accounts if they haven’t been used within an organizationally defined period of time.

There are three kinds of accounts we should consider:

• Client accounts
• CDS super admin accounts

Acceptance criteria

• [ ] Determine which account types should be automatically disabled
• [ ] Determine period of time for accounts
• [ ] Identify how clients can reactivate their account
• [ ] Write development tasking card
• [ ] risk register, SA&A, and SRTM are updated to reflect new risks and their treatments. Treatments are implemented or a new card is created.

[srtalbot]

High effort implementation from a technical and service design perspective.