8.2.4 Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed as follows:

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

8.2.4 Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed as follows:

  • Authorized with the appropriate approval.
  • Implemented with only the privileges specified on the documented approval.

Customized Approach Objective

Lifecycle events for user IDs and authentication factors cannot occur without appropriate authorization.

Applicability Notes

This requirement applies to all user accounts, including employees, contractors, consultants, temporary workers, and third-party vendors.

Defined Approach Testing Procedures

8.2.4 Examine documented authorizations across various phases of the account lifecycle (additions, modifications, and deletions) and examine system settings to verify the activity has been managed in accordance with all elements specified in this requirement.

Purpose

It is imperative that the lifecycle of a user ID (additions, deletions, and modifications) is controlled so that only authorized accounts can perform functions, actions are auditable, and privileges are limited to only what is required.

Attackers often compromise an existing account and then escalate the privileges of that account to perform unauthorized acts, or they may create new IDs to continue their activity in the background. It is essential to detect and respond when user IDs are created or changed outside the normal change process or without corresponding authorization.

Purpose

Manage IDs for temporary users and contractors with defined expiration dates.

Compliance Strategies

  • Temporary account controls
  • Automated expiration

Typical Policies

  • Temporary Access Policy

Common Pitfalls

  • Accounts not removed after contract ends

Type

Process Control

Difficulty

Low

Key Risks

  • Unnecessary access persists

Recommendations

  • Automate account expiration
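As an added example (not code from WithPCI or the PCI SSC), the check below reconciles account-lifecycle events against documented approvals, flagging the three conditions the requirement and the pitfalls above describe: a change with no matching approval, privileges beyond what the approval specified, and a temporary account still active past its expiry date. All records and the field names (change_id, action, privileges, expires) are constructed assumptions, not a standard format.

```python
"""Reconcile account-lifecycle events against documented approvals (PCI DSS 8.2.4)."""
from datetime import date

# Constructed sample: approvals as a change desk might record them.
APPROVALS = {
    "CHG-101": {"user": "jdoe", "action": "add",
                "privileges": {"pos_read"}, "expires": None},
    "CHG-102": {"user": "tmp_vendor1", "action": "add",          # contractor, time-boxed
                "privileges": {"pos_read"}, "expires": date(2024, 3, 31)},
    "CHG-103": {"user": "asmith", "action": "modify",
                "privileges": {"pos_read", "report_view"}, "expires": None},
}

# Constructed sample: what the identity system actually recorded.
EVENTS = [
    {"user": "jdoe", "action": "add", "privileges": {"pos_read"}, "change_id": "CHG-101"},
    {"user": "tmp_vendor1", "action": "add", "privileges": {"pos_read"}, "change_id": "CHG-102"},
    {"user": "asmith", "action": "modify",
     "privileges": {"pos_read", "report_view", "db_admin"}, "change_id": "CHG-103"},
    {"user": "svc_unknown", "action": "add", "privileges": {"db_admin"}, "change_id": None},
]

# Constructed sample: accounts currently enabled in the directory.
ACTIVE_ACCOUNTS = {"jdoe", "tmp_vendor1", "asmith", "svc_unknown"}


def reconcile(events, approvals, active, today):
    """Return (user, reason) findings for events that violate 8.2.4 controls."""
    findings = []
    for ev in events:
        appr = approvals.get(ev["change_id"])
        # Element 1: every add/modify/delete must trace to an approval for that user and action.
        if appr is None or appr["user"] != ev["user"] or appr["action"] != ev["action"]:
            findings.append((ev["user"], "no matching approval"))
            continue
        # Element 2: privileges granted must not exceed those on the documented approval.
        extra = ev["privileges"] - appr["privileges"]
        if extra:
            findings.append((ev["user"], f"privileges beyond approval: {sorted(extra)}"))
    # Common pitfall: temporary accounts whose approved expiry has passed but are still enabled.
    for appr in approvals.values():
        if appr["expires"] and appr["expires"] < today and appr["user"] in active:
            findings.append((appr["user"], "temporary account past expiry still active"))
    return findings


def sample_findings():
    """Run the reconciliation over the constructed data as of a fixed review date."""
    return reconcile(EVENTS, APPROVALS, ACTIVE_ACCOUNTS, date(2024, 6, 1))
```

In practice the inputs would be pulled from the change-management system and the identity provider's audit log, and the findings fed to the incident or access-review queue.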

Eligible SAQ

  • SAQ-A-EP
  • SAQ-C
  • SAQ-C-VT
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
