Addition, Deletion, and Modification of User IDs
PCI Requirement 8.1.2 states, “Control addition, deletion, and modification of user IDS, credentials, and other identifier objects.” To meet PCI Requirement 8.1.2, there must be a formal program of control and someone within your organization must be responsible for the addition, deletion, and modification of user IDS and other credentials. Think about all of the addition, deletion, and modification that has occurred within your organization in the last year: new hires, terminations, quitting, promotions, or a change in role. You must to ensure that the privileges that an individual has been assigned are the privileges that they actually need, but those privileges do not exceed what is required by their job. Additionally, if an individual is no longer at your organization, that account must be removed.
A test of control for PCI Requirement 8.1.2 is to sample privileged user IDs and general user IDs, review the privileges that they need, and review the privileges that they have been given. This helps assessors ensure that only privileges that are documented with approval have been given to individuals.
Somebody within your organization needs to be formally responsible for managing the addition, deletion, and modification of user accounts within your environment. People are going to be coming into your environment, people are going to be leaving, people are going to be terminated, people are going to be changing roles within your environment, and we want to make sure that the privileges that they’ve been assigned are indeed the privileges that they need. However, we want to make sure that these privileges do not exceed what is required for their job. Or, if the individual is no longer within the company, that those accounts have been formally removed. Specific to PCI Requirement 8.1.2, we’re going to look to make sure that you have a program in place for managing the addition, deletion, and modification of those user accounts.
Furthermore, as part of that addition, and deletion, and modification for PCI Requirement 8.1.2, we’re going to be asking for a list of individuals that have been hired over the last period of time and we’re going to be asking for two types of users: a general, everyday user and individuals who’ve been given some type of privileged account. We’re going to take that user request list (we talked about that back in PCI Requirement 7), and we’re going to look at the permissions for these individuals that have actually been authorized. We’re then going to go look at those systems and make sure that whatever privileges that have been assigned or approved, match those that have been assigned to those individuals.