We have 2000 odd accounts (of OS, applications, network devices that are created locally
as we don't use central authentication like TACACS/Radius currently) that become "Inactive"
(& 'locked') after 90-days as users don't always login.
Our governance chap insist that we must raise SR every month to 'reactivate' (or re-enable
back) those Inactive accounts that are still needed rather than leave them as 'Inactive'.
My view is it's best to leave them as 'Inactive' because reactivating an account that is not
being used will subject it to being misused or subject to 'brute force' attempts to break in
but governance chap pointed out that it's a corporate policy & escalated, demanding that
it's either deleted or reactivated.
So what is the best security policy? I determine if an account is still needed by emailing
the individual users (& their management) & for those still needed, leave them as 'Inactive'
till the user raise an SR to reactivate as & when they need to use the account again
Any authoritative document/link/sites to support the best practice will be much appreciated?
Eg: CIS, CISA, ......