Account Management
Guideline ID: AC-2
Category: Access Control
Risk Level: High
Implementation Difficulty: Moderate
The organization manages information system accounts, including establishing, activating, modifying, disabling, and removing accounts.
Implementation Guidance
Implement automated account management processes where possible. Establish procedures for account creation, modification, and termination. Conduct regular account reviews.
HIPAA References
164.308(a)(3) - Information Access Management: Implement policies and procedures for authorizing access to ePHI that are consistent with the applicable requirements of the Security Rule.
Best Practices
Implement automated account provisioning, conduct quarterly account reviews, and maintain account lifecycle documentation.
Testing Procedures
Test account creation and modification processes, verify account review procedures, and check for orphaned accounts.
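As an added example that is not part of the guideline itself, the orphaned-account check from the testing procedures written as a script: it compares a directory export against an HR roster and flags enabled accounts whose owner is no longer active (or has no owner at all), plus enabled accounts with no recent login. The record layout, the sample data and the 90-day staleness threshold are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from the guideline): an identity-directory
# export and an HR roster keyed by employee/contractor id.
DIRECTORY_ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": date(2024, 5, 20), "owner": "E1001"},
    {"user": "bob", "enabled": True, "last_login": date(2023, 11, 2), "owner": "E1002"},
    {"user": "contractor7", "enabled": True, "last_login": date(2024, 4, 1), "owner": "C7001"},
    {"user": "svc-backup", "enabled": True, "last_login": None, "owner": None},
    {"user": "carol", "enabled": False, "last_login": date(2023, 1, 15), "owner": "E1003"},
]

HR_ROSTER = {
    "E1001": "active",
    "E1002": "active",
    "C7001": "terminated",
    "E1003": "terminated",
}


def review_accounts(accounts, roster, today, stale_days=90):
    """Return findings for an account review.

    orphaned: enabled account whose owner is missing or not active in the roster
    stale:    enabled account with no login within the last stale_days days
    Disabled accounts are skipped; they are already out of the picture.
    """
    findings = {"orphaned": [], "stale": []}
    cutoff = today - timedelta(days=stale_days)
    for acct in accounts:
        if not acct["enabled"]:
            continue
        owner_status = roster.get(acct["owner"]) if acct["owner"] else None
        if owner_status != "active":
            findings["orphaned"].append(acct["user"])
        if acct["last_login"] is None or acct["last_login"] < cutoff:
            findings["stale"].append(acct["user"])
    return findings


if __name__ == "__main__":
    result = review_accounts(DIRECTORY_ACCOUNTS, HR_ROSTER, date(2024, 6, 1))
    for kind, users in result.items():
        print(f"{kind}: {', '.join(users) or 'none'}")
```

Accounts in the orphaned list are candidates for disabling (not deleting, so audit history survives); stale accounts go to their owner for confirmation before the same happens.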
Frequently Asked Questions
Q: How often should user accounts be reviewed?
A: At least quarterly, with immediate review when personnel changes occur.
Guideline Information
Guideline ID: AC-2
Category: Access Control
Subcategory: Account Management
Risk Level: High
Implementation Difficulty: Moderate
Estimated Cost: Medium
Implementation Timeframe: 3-6 weeks