CCI-002142

When anyone who has access to the emergency administration account no longer requires access to it or leaves the organization, the password for the emergency administration account must be changed.

Shared/group account credentials must be terminated when members leave the group.

The network device must terminate shared/group account credentials when members leave the group.

Forescout must terminate the account of last resort password when members with access to the password leave the group.

The HYCU server must terminate shared/group account credentials when members leave the group.

The MQ Appliance network device must terminate shared/group account credentials when members leave the group.

The Mainframe Product must terminate shared/group account credentials when members leave the group.

Members of the SCOM Administrators Group must be reviewed to ensure access is still required.

Access to Prisma Cloud Compute must be managed based on user need and least privileged  using external identity providers for authentication and grouping to role-based assignments when possible.

Riverbed Optimization System (RiOS) must terminate local shared/group account credentials, such as the Admin account is used, when members who know the account password leave the group.

Riverbed Optimization System (RiOS) must disable the local Shark and Monitor accounts so they cannot be used as shared accounts by users.

The Tanium Server must be configured with a connector to sync to Microsoft Active Directory for account management functions, must isolate security functions from non-security functions, and must terminate shared/group account credentials when members leave the group.

The Tanium Application Server must be configured with a connector to sync to Microsoft Active Directory for account management functions.

The Tanium cryptographic signing capabilities must be enabled on the Tanium Server.

The password for the local account of last resort and the device password (if configured) must be changed when members who had access to the password leave the role and are no longer authorized access.

The Cisco ISE must change the password for the local CLI and web-based account when members who have access to the password leave the role and are no longer authorized access.

The container platform must terminate shared/group account credentials when members leave the group.

The Juniper EX switch must change credentials for account of last resort when administrators who know the credential leave the organization.

OpenShift must use FIPS validated LDAP or OpenIDConnect.

Dragos Platform must use an Identity Provider (IDP) for authentication and authorization processes.

The F5 BIG-IP appliance must terminate shared/group account credentials when members leave the group.

MKE must be configured to integrate with an Enterprise Identity Provider.

Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.