Which action is required for inactive user accounts older than 90 days?


Multiple Choice

Which action is required for inactive user accounts older than 90 days?

Explanation:
Dormant user accounts pose a risk, so PCI DSS requires removing or disabling accounts that have been inactive for 90 days. Keeping inactive accounts enabled preserves access that could be misused if credentials are discovered or leaked, increasing the attack surface. Disabling or removing such accounts keeps the access environment current and aligned with the principle of least privilege.

Archiving inactive accounts after 90 days isn’t the same as disabling them and can still allow access or complicate reactivation and auditing, so it isn’t the mandated action. Notifying users before deactivating isn’t a requirement of this control, which focuses on timely removal or disabling to reduce risk. Requiring a password change after deactivation doesn’t apply because the account is no longer active; password changes matter for active accounts to mitigate credential compromise, not for accounts that have been disabled.
