SSCP Exam Question Answer: User Account Management Review

User Account Management Review


Question

A periodic review of user account management should not determine:


Explanations


Correct answer: C.

Organizations should have a process for (1) requesting, establishing, issuing, and closing user accounts; (2) tracking users and their respective access authorizations; and (3) managing these functions.

Reviews should examine the levels of access each individual has, conformity with the concept of least privilege, whether all accounts are still active, whether management authorizations are up-to-date, whether required training has been completed, and so forth.

These reviews can be conducted on at least two levels: (1) on an application-by-application basis, or (2) on a system wide basis.

The strength of user passwords is beyond the scope of a simple user account management review: assessing it requires specific tools that try to crack the password file or database with a dictionary or brute-force attack, which is a separate technical assessment rather than a management review.

Reference(s) used for this question: SWANSON, Marianne & GUTTMAN, Barbara. NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems. National Institute of Standards and Technology (NIST), September 1996, p. 28.

The periodic review of user account management is a critical process that ensures that user accounts are being managed correctly, and access is appropriately granted and revoked based on business requirements. The review process aims to identify any weaknesses, misconfigurations, or potential security threats associated with user accounts.

Out of the given options, the option that a periodic review of user account management should NOT determine is the strength of user-chosen passwords. This is because the strength of user-chosen passwords can be checked and enforced through other security mechanisms, such as password policies and requirements.

A periodic review of user account management should focus on the following aspects:

A. Conformity with the concept of least privilege: The concept of least privilege states that users should be granted only the necessary level of access to perform their job functions. A periodic review of user account management should ensure that access privileges are appropriately granted and revoked based on business requirements.

B. Whether active accounts are still being used: Inactive user accounts pose a security risk as they can be compromised by attackers. A periodic review of user account management should ensure that inactive accounts are disabled or deleted.

C. Whether management authorizations are up-to-date: Each account's access should rest on a current authorization from the responsible manager. This matters most for accounts with elevated privileges, such as administrative accounts, which pose a higher security risk than standard user accounts. A periodic review of user account management should ensure that management authorizations are up-to-date and that elevated access is granted only to authorized personnel.

In conclusion, while the strength of user-chosen passwords is an essential aspect of security, it is not a determining factor in a periodic review of user account management. A periodic review of user account management should focus on the principles of least privilege, inactive account management, and up-to-date management authorizations.
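The review criteria listed above (least privilege, accounts still in use, current management authorizations, completed training) can be expressed as checks over account records. The following is an added example, not code from the page or from NIST SP 800-14; the account fields, role baselines, thresholds and sample records are all constructed assumptions, and password strength is deliberately left out of the review, as the text explains.

```python
from dataclasses import dataclass
from datetime import date

# Assumed baseline of privileges each role legitimately needs (least privilege).
ROLE_BASELINE = {
    "analyst": {"read_reports"},
    "dba": {"read_reports", "db_admin"},
}

@dataclass
class Account:
    user: str
    role: str
    privileges: set
    active: bool
    last_login: date
    last_authorized: date   # when a manager last (re)authorized this access
    training_done: bool

def review_accounts(accounts, today, max_idle_days=90, max_auth_age_days=365):
    """Return {user: [findings]} for the four criteria a periodic account
    management review covers. Password strength is intentionally not checked."""
    findings = {}
    for a in accounts:
        issues = []
        excess = a.privileges - ROLE_BASELINE.get(a.role, set())
        if excess:
            issues.append(f"exceeds least privilege: {sorted(excess)}")
        if a.active and (today - a.last_login).days > max_idle_days:
            issues.append("active account not used in the review window")
        if (today - a.last_authorized).days > max_auth_age_days:
            issues.append("management authorization out of date")
        if not a.training_done:
            issues.append("required training not completed")
        if issues:
            findings[a.user] = issues
    return findings

# Constructed sample records; a real review would pull these from the directory or IAM system.
REVIEW_DATE = date(2024, 6, 1)
SAMPLE = [
    Account("alice", "analyst", {"read_reports"}, True, date(2024, 5, 20), date(2024, 1, 10), True),
    Account("bob", "analyst", {"read_reports", "db_admin"}, True, date(2024, 5, 28), date(2023, 2, 1), True),
    Account("carol", "dba", {"read_reports", "db_admin"}, True, date(2023, 11, 1), date(2024, 3, 1), False),
]

if __name__ == "__main__":
    for user, issues in review_accounts(SAMPLE, REVIEW_DATE).items():
        print(user, issues)
```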