We have an internal application in which users are required to reset their passwords every 90 days. The application has its own security and accounts, and does not integrate with our AD domain in any way. The system itself stores fairly personal client records. If a user does not access the application for a period of time, their account should be disabled (the administrators are expected to manually review all active accounts every 8 weeks, disable any stale accounts, and query them with the user's line manager to determine whether access is still appropriate), but the administrators do not seem very effective at doing this; a recent audit has identified that this does not appear to be happening, or is not working effectively.
The application itself does not work in the same way as, say, Active Directory: if a user's password has expired (every 90 days is the current setting), the application does not simply prompt them to set a new password so that access can be regained; an administrator would have to reset the user's password before access could be regained. The admins are of the view that this is sufficient, e.g. if they have a list of 10 accounts that have not logged into the system in over 365 days, it doesn't really matter that they haven't disabled those accounts, as the users cannot gain access to the data because their passwords will have expired. I am not overly comfortable with this approach, but I am struggling to find any real reasoning to counter their seemingly lax approach to access control. Can you think of any additional issues that would help build a case? There may be other reasons, above and beyond data security, why the current approach is bad practice that would also help build an argument.