---
layout: handbook-page-toc
title: "IAM.1.07 - Shared Account Restrictions Control Guidance"
---

## On this page
{:.no_toc .hidden-md .hidden-lg}

- TOC
{:toc .hidden-md .hidden-lg}

# IAM.1.07 - Shared Account Restrictions

## Control Statement
Where applicable, the use of generic and shared accounts to administer systems or perform critical functions is prohibited; generic user IDs are disabled or removed.

## Context
Use of shared or generic accounts limits the ability to ensure authenticity and integrity. Someone outside the organization could exploit such an account, and their actions could not be easily traced back to an individual.

## Scope
This control applies to all systems within our production environment that are in-scope for PCI compliance.

* The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.
* In-scope for PCI compliance are systems that process or support the processing of credit card data, plus any system that is connected to those systems.

```mermaid
graph TB

  SubGraph2Flow
  subgraph "Out-of-Scope B"
  SubGraph2Flow(System D)
  end

  SubGraph1Flow
  subgraph "Out-of-Scope A"
  SubGraph1Flow(System C)
  end

  subgraph "In-Scope for PCI"
  Node1[Payment Processing System] --> Node2[Connected-To System A]
  Node1[Payment Processing System] --> Node3[Connected-To System B]
  Node2 --> SubGraph1Flow(System C)
  Node3 --> SubGraph2Flow(System D)
  end
```

## Ownership
* Control Owner: `IT Ops`
* Process owner(s): `IT Ops`

## Guidance
Review and document the accounts required for a given system and disable all unnecessary accounts. Shared accounts should not be used. If a shared account is unavoidable, compensating controls should be put in place to add accountability.

## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Shared Account Restrictions control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/811).

Examples of evidence an auditor might request to satisfy this control:
* Link to the handbook entry on shared accounts and their restrictions
* List of systems and services where shared accounts are restricted
* User export of those systems and services

### Policy Reference

- [Shared Account Access Request](/handbook/business-ops/team-member-enablement/onboarding-access-requests/access-requests/#shared-account-access-request)
- [Access Control Policy and Procedures](/handbook/engineering/security/#access-control-policy-and-procedures)
- [Okta documentation on shared accounts](/handbook/business-ops/okta/#i-have-an-application-that-uses-a-shared-password-for-my-team-can-i-move-this-to-okta)
- [New Shared Account Access Request](/handbook/business-ops/team-member-enablement/onboarding-access-requests/access-requests/#shared-account-access-request)
- [Shared Account Access Request Handbook page](/handbook/business-ops/team-member-enablement/onboarding-access-requests/access-requests/)

## Framework Mapping
* PCI
  * 8.5