AM-13 Access Management

Generic / Shared / Service Accounts

Non-personal accounts are inventoried, owned and controlled.

Domain: Access Management
Control type: Preventive/Detective
Automated / manual: Hybrid
Frequency: Annual + per event
Framework reference: COBIT DSS05.04; MAS TRM – Access

What good looks like

Generic/service accounts are inventoried with owner/justification; interactive login disabled; credentials vaulted.

Risk if it fails

Non-attributable activity; hardcoded/shared credentials.

How Tess tests it

4 tests — each concludes only on cited evidence.

Policy governs non-personal accounts

Design

Procedure: Inspect the service/generic-account policy.
Expected: Defined and approved.
Sample: 1 (design inspection)
Evidence: Account inventory, vault config, login settings.

Inventory complete with owner and justification

Operating

Procedure: Inspect the inventory.
Expected: Each account has owner and justification.
Sample: 1
Evidence: Account inventory, vault config, login settings.

Interactive login disabled where feasible

Operating

Procedure: Inspect account settings.
Expected: Disabled/restricted as appropriate.
Sample: 1
Evidence: Account inventory, vault config, login settings.

Credentials vaulted and rotated

Operating

Procedure: Inspect vault and rotation.
Expected: Not hardcoded; rotated per policy.
Sample: 1
Evidence: Account inventory, vault config, login settings.

Evidence Tess looks for

Account inventory, vault config, login settings.

More in Access Management

AM-01 IT Organisation & Segregation AM-02 Password / Authentication Policy AM-03 Multi-Factor Authentication (MFA) AM-04 Centralised Identity / SSO

Want Tess to test AM-13 against your evidence?