
How long should accounts be deactivated before being deleted? Should accounts be deactivated?

For example, our organization uses 1Password Business, which allows for accounts to be deactivated. How long should we keep deactivated accounts around? Accounts left deactivated for too long tend to clutter things.

If your organization is under compliance measures like PCI, SOC 2, etc., you may need to keep accounts deactivated for a given time (how long, not sure).

As a general rule, how long should accounts be deactivated before being deleted?

  • This might depend on which region you are in. Different countries have different rules. If an account is related to finance (i.e. book-keeping) it might have to stay around for longer or whatnot. – Fredrik Feb 08 '21 at 22:05
  • Just a reminder: deleting inactive users isn't a *"security"* measure - it doesn't improve security. It's a *"defense in depth"* measure. So from a security perspective, there is no value or virtue in deleting accounts. On the other hand, people who come up with checklists on clipboards aren't looking at security - only what makes them *feel* good (also known as *theater*). If you are powerless to ignore their "suggestions", then the answer is do what they say, and delete them after the duration they say. – Ian Boyd Apr 11 '21 at 04:14

1 Answer


From a compliance perspective the answer is usually: establish a policy that complies with your regulatory requirements and business needs and then ensure that your organisation actually follows that policy.

As long as your policy is not complete nonsense and provides good arguments the actual period can vary from "delete accounts immediately when they get deactivated" to "expired accounts are locked, clearly labeled and kept indefinitely" ...

Some systems have pricing tiers based on the number of registered accounts, rather than the number of active accounts and that might be a good reason to delete accounts as quickly as you can.

For things like file shares that store file ownership as a SID or UID number, it might be very useful to keep the deactivated account to maintain the mapping to the more human-readable username/account.

– Bob
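The answer's two points (a policy period that must elapse after deactivation, and the risk that deleting an account whose UID/SID still owns files leaves that ownership unresolvable) as an added example that is not part of the original post and is not 1Password's or any vendor's tooling. The 90-day retention window, the account names, the UIDs and the set of owner ids "seen on the share" are all constructed sample values; a real run would feed in the directory export and the owner ids collected from the file system.

```python
"""Retention check for deactivated accounts (added example, not from the original post).

Models the answer's two points: a policy period that must elapse after
deactivation before deletion, and the risk that deleting an account whose
UID/SID still owns files on a share leaves that ownership unresolvable.
All account records and file-owner data below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Account:
    name: str
    uid: int            # numeric id as stored in file metadata (UID on POSIX, SID on Windows)
    deactivated_on: date


def resolve_owner(uid: int, directory: Dict[int, str]) -> str:
    """Map a numeric owner id back to a username; falls back to the bare id
    when the account is gone, which is exactly what an orphaned file looks like."""
    return directory.get(uid, f"<unknown uid {uid}>")


def deletion_candidates(
    accounts: Iterable[Account],
    owned_uids: Set[int],
    retention_days: int,
    today: date,
) -> Dict[str, List[str]]:
    """Classify deactivated accounts against the policy.

    - 'delete':          retention period elapsed and no files reference the id
    - 'held_retention':  still inside the retention window
    - 'held_ownership':  period elapsed, but files on the share are still owned
                         by this id, so deletion would orphan them (reassign first)
    """
    result: Dict[str, List[str]] = {"delete": [], "held_retention": [], "held_ownership": []}
    cutoff = today - timedelta(days=retention_days)
    for acct in sorted(accounts, key=lambda a: a.name):
        if acct.deactivated_on > cutoff:
            result["held_retention"].append(acct.name)
        elif acct.uid in owned_uids:
            result["held_ownership"].append(acct.name)
        else:
            result["delete"].append(acct.name)
    return result


# Constructed sample data: three deactivated accounts and the owner ids seen
# when walking a file share (e.g. from `stat` output or an audit export).
SAMPLE_ACCOUNTS = [
    Account("alice", 1001, date(2021, 1, 10)),
    Account("bob", 1002, date(2021, 3, 30)),
    Account("carol", 1003, date(2020, 11, 2)),
]
SAMPLE_OWNED_UIDS = {1002, 1003, 1099}   # 1099: account already deleted, files now orphaned
SAMPLE_TODAY = date(2021, 4, 11)
RETENTION_DAYS = 90                      # assumed policy value, not from the post


def demo() -> Dict[str, List[str]]:
    directory = {a.uid: a.name for a in SAMPLE_ACCOUNTS}
    verdict = deletion_candidates(SAMPLE_ACCOUNTS, SAMPLE_OWNED_UIDS, RETENTION_DAYS, SAMPLE_TODAY)
    for bucket, names in verdict.items():
        print(f"{bucket:16s} {', '.join(names) or '-'}")
    # Ownership still resolves while the deactivated account exists...
    print(resolve_owner(1003, directory))   # carol
    # ...but not for an id whose account was already deleted.
    print(resolve_owner(1099, directory))   # <unknown uid 1099>
    return verdict


if __name__ == "__main__":
    demo()
```

The `held_ownership` bucket is the practical reason to keep a deactivated account around past the policy window: until those files are re-owned, deleting the account turns a readable name into a bare number in every listing and audit report.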