Safeguard 5.5
Implementation Groups: IG2, IG3

Establish and Maintain an Inventory of Service Accounts

Control Group: 5. Account Management
Asset Type: Users
Security Function: Identify

Description

Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.

Implementation Checklist

1. Document the current state and create a baseline inventory
2. Define the data fields and attributes to track (at minimum department owner, review date, and purpose)
3. Assign ownership and responsibilities
4. Establish the review cadence (at least quarterly) and update procedures
5. Select and deploy an inventory management tool
6. Populate the initial inventory with all known service accounts
7. Establish a process for adding and removing inventory entries
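Taken together, the steps above form a reconciliation loop: keep an inventory that carries the required fields, and at every review cycle compare it with what the directory actually has enabled. The Python script below is an added example, not part of this safeguard's text or of any CIS tooling, that runs that comparison over two constructed CSV exports (a hypothetical inventory and a hypothetical directory listing) and reports the four conditions a quarterly review has to act on: enabled accounts missing from the inventory (untracked), inventory entries for accounts that are no longer enabled, active entries with a required field missing, and active entries whose last review is older than 90 days. The column names, the account names, the CSV shapes, and the mapping of "at a minimum quarterly" to a fixed 90-day window are all assumptions.

```python
"""Quarterly service-account inventory reconciliation (added example, hypothetical data)."""
import csv
import io
from datetime import date, timedelta

# Constructed sample: the maintained inventory, exported as CSV.
# Column names are an assumption; only the three required fields plus the
# account name are needed for this check.
INVENTORY_CSV = """account,department_owner,purpose,review_date
svc-backup,Infrastructure,Nightly database backups,2024-05-02
svc-erp-sync,Finance,ERP to data warehouse sync,2023-11-15
svc-legacy-crm,,Legacy CRM integration,2024-01-20
svc-ci-runner,Engineering,CI pipeline runner,2024-06-10
svc-old-etl,Data,Retired ETL job,2024-02-28
"""

# Constructed sample: what the directory currently reports. In practice this
# comes from AD, LDAP or a cloud IAM API; the two-column shape is an assumption.
DIRECTORY_CSV = """account,enabled
svc-backup,true
svc-erp-sync,true
svc-legacy-crm,true
svc-ci-runner,true
svc-old-etl,false
svc-reporting,true
"""

REQUIRED_FIELDS = ("department_owner", "purpose", "review_date")
REVIEW_PERIOD = timedelta(days=90)  # "at a minimum quarterly", mapped to 90 days (assumption)
AS_OF = date(2024, 7, 1)            # review date used for the sample run


def parse_inventory(text):
    """Return {account: row} from the inventory CSV."""
    return {row["account"].strip(): row for row in csv.DictReader(io.StringIO(text))}


def parse_enabled_accounts(text):
    """Return the set of accounts the directory reports as enabled."""
    return {
        row["account"].strip()
        for row in csv.DictReader(io.StringIO(text))
        if (row.get("enabled") or "").strip().lower() == "true"
    }


def reconcile(inventory, enabled, today):
    """Compare the inventory with live directory state and return the findings
    a review cycle must act on."""
    tracked = set(inventory)
    findings = {
        # Enabled but not inventoried: nobody owns it, nobody reviews it.
        "untracked": sorted(enabled - tracked),
        # Inventoried but no longer enabled: remove the entry or re-enable deliberately.
        "stale_entries": sorted(tracked - enabled),
        # Active entries missing owner, purpose or review date.
        "missing_fields": {},
        # Active entries whose last review is older than REVIEW_PERIOD.
        "review_overdue": [],
    }
    for account in sorted(tracked & enabled):
        row = inventory[account]
        missing = [f for f in REQUIRED_FIELDS if not (row.get(f) or "").strip()]
        if missing:
            findings["missing_fields"][account] = missing
        if "review_date" in missing:
            continue  # nothing to compare against; already flagged
        try:
            reviewed = date.fromisoformat(row["review_date"].strip())
        except ValueError:
            # An unparseable date counts as no review date on record.
            findings["missing_fields"].setdefault(account, []).append("review_date")
            continue
        if reviewed + REVIEW_PERIOD < today:
            findings["review_overdue"].append(account)
    return findings


def run_review(today=AS_OF):
    """Run the reconciliation over the constructed sample exports."""
    return reconcile(parse_inventory(INVENTORY_CSV),
                     parse_enabled_accounts(DIRECTORY_CSV), today)


if __name__ == "__main__":
    for kind, items in run_review().items():
        print(f"{kind}: {items}")
```

On the sample data the run flags svc-reporting as untracked, svc-old-etl as a stale entry, svc-legacy-crm as missing its department owner, and svc-erp-sync and svc-legacy-crm as overdue for review. In a real deployment the directory export would be replaced by the output of the directory or IAM query the organization already uses, and the findings list becomes the input to the review sign-off record.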

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Service Account Credential Abuse for Persistent Access

Confidentiality

Attackers discover and compromise untracked service accounts with static passwords and elevated privileges, using them for persistent, stealthy access that survives user password resets.

Orphaned Service Account Exploitation

Integrity

Service accounts created for decommissioned applications remain active with broad permissions, providing attackers with high-privilege access paths that no one monitors or reviews.

Vulnerabilities (When Safeguard Absent)

No Inventory of Service Accounts

Without a maintained service account inventory, the organization does not know how many service accounts exist, what they can access, or whether they are still needed.

Service Accounts Without Defined Ownership or Review

Without documented owners and recurring reviews, service accounts operate indefinitely without anyone verifying their authorization, access scope, or continued necessity.

Evidence Requirements

Type      | Evidence Item                                                                                          | Collection Frequency
Document  | Current service account inventory or catalog documentation                                             | Maintained continuously, reviewed quarterly
Document  | Process/procedure documentation for service account identification and review activities               | Reviewed annually
Technical | Service account inventory export with required fields (department owner, review date, purpose) populated | Exported quarterly for review
Record    | Inventory review meeting minutes or sign-off                                                           | Per review cycle
Document  | Governing policy document (current, approved, communicated)                                            | Reviewed annually