Disable Dormant Accounts
Description
Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
Implementation Checklist
Tool Recommendations
SailPoint (per-identity subscription): Identity governance and administration platform with access certification, lifecycle management, and AI-driven access intelligence
Microsoft (per-user subscription, P1/P2): Cloud identity and access management with SSO, MFA, conditional access, and identity governance
CyberArk (per-user subscription): Privileged access management platform for securing, managing, and auditing privileged credentials and sessions
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Dormant Account Takeover by External Attackers
Confidentiality: Attackers compromise dormant accounts through credential stuffing or phishing, using them for persistent access since inactive accounts are rarely monitored for suspicious activity.
Former Contractor Access via Inactive Account
Confidentiality: A former contractor's account remains active and unmonitored for months after contract end, providing an entry point if the contractor turns hostile or their credentials are leaked.
Vulnerabilities (When Safeguard Absent)
Dormant Accounts Remain Active Indefinitely
Without automatic disabling after 45 days of inactivity, dormant accounts from departed users, completed projects, or seasonal workers persist as latent access vectors.
No Automated Inactivity Detection for Accounts
Without automated monitoring of account login activity, the organization cannot identify which accounts are dormant and should be disabled or reviewed.
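The two gaps above (no inactivity detection, no automatic disabling) are what an automated dormancy sweep closes. The following is an added illustration, not CIS material or any vendor's code: it applies the safeguard's 45-day threshold to a constructed directory export. Account records, names and the exemption flag are assumptions for the example; in practice the records would come from the identity provider's last-sign-in data. It treats never-used accounts as dormant from their creation date, skips accounts that are already disabled or explicitly exempt (such as break-glass accounts covered by a separate review), and emits an audit record for every account it disables.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DORMANCY_DAYS = 45  # threshold stated by the safeguard


@dataclass
class Account:
    """Minimal account record; fields are assumptions for this example."""
    name: str
    created: datetime
    last_login: Optional[datetime]  # None means the account has never signed in
    enabled: bool = True
    exempt: bool = False  # e.g. break-glass accounts reviewed by a separate process


def last_activity(account: Account) -> datetime:
    """Never-used accounts are measured from creation, so a provisioned
    but unused account is still caught by the sweep."""
    return account.last_login if account.last_login is not None else account.created


def dormant_accounts(accounts, now: datetime, threshold_days: int = DORMANCY_DAYS):
    """Return names of enabled, non-exempt accounts inactive for more than
    threshold_days. An account whose last activity falls exactly on the
    cutoff is not yet dormant (strictly older than the cutoff is required)."""
    cutoff = now - timedelta(days=threshold_days)
    return [
        a.name
        for a in accounts
        if a.enabled and not a.exempt and last_activity(a) < cutoff
    ]


def disable_dormant(accounts, now: datetime, threshold_days: int = DORMANCY_DAYS):
    """Disable dormant accounts in place and return audit records, one per
    action, so the sweep produces the evidence a reviewer would ask for."""
    targets = set(dormant_accounts(accounts, now, threshold_days))
    audit = []
    for a in accounts:
        if a.name not in targets:
            continue
        a.enabled = False
        last = last_activity(a)
        audit.append({
            "account": a.name,
            "action": "disabled",
            "last_activity": last.isoformat(),
            "days_inactive": (now - last).days,
        })
    return audit


# Constructed sample export; the reference date is fixed so results are repeatable.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def sample_accounts():
    utc = timezone.utc
    return [
        Account("alice", datetime(2023, 1, 10, tzinfo=utc), datetime(2024, 5, 30, tzinfo=utc)),
        Account("contractor.jdoe", datetime(2023, 9, 1, tzinfo=utc), datetime(2024, 2, 14, tzinfo=utc)),
        Account("new.hire", datetime(2024, 5, 20, tzinfo=utc), None),          # 12 days old, never used
        Account("unused.provision", datetime(2024, 3, 1, tzinfo=utc), None),   # 92 days old, never used
        Account("svc-breakglass", datetime(2022, 1, 1, tzinfo=utc), None, exempt=True),
        Account("old.disabled", datetime(2021, 4, 1, tzinfo=utc), datetime(2022, 1, 1, tzinfo=utc), enabled=False),
        Account("on.cutoff", datetime(2023, 1, 1, tzinfo=utc), datetime(2024, 4, 17, tzinfo=utc)),  # exactly 45 days
        Account("b.line", datetime(2023, 1, 1, tzinfo=utc), datetime(2024, 4, 16, tzinfo=utc)),     # 46 days
    ]


if __name__ == "__main__":
    accounts = sample_accounts()
    for record in disable_dormant(accounts, NOW):
        print(record)
```

The cutoff comparison is deliberately strict so that the sweep can run daily without disabling an account on the day it reaches 45 days; the audit records (account, last activity, days inactive) are the artifact to retain as evidence that the procedure executed.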
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Document | Response procedure/playbook documentation | Reviewed bi-annually |
| Record | Response action logs showing procedure execution | Per incident |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |