Diff: FAQ #1066
Can you define "Inactive User" as used in PCI DSS requirement 8.5.5?
Earlier Version
Later Version
Removed
Added
An inactive user account is one that has not been used in over 90 days. Inactive accounts are often targets for attackers since they are generally not monitored, and changes to the accounts (such as a changed password) could easily go unnoticed.
Removing or disabling inactive accounts reduces the risk that they will be used to gain unauthorized access to the environment.
(Note:Note: PCIThe DSSspecific Requirementsub numbersrequirement refernumber(s) toand PCIterminology DSSmay vary depending on the version 3)of the standard being used.
Removing or disabling inactive accounts reduces the risk that they will be used to gain unauthorized access to the environment.
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.