Where applicable, the use of generic and shared accounts to administer systems or perform critical functions is prohibited; generic user IDs are disabled or removed.
Use of shared or generic accounts limits the ability to ensure authenticity and integrity. Someone outside the organization could exploit this and their actions could not be easily traced.
This control applies to all systems within our production environment that are in-scope for PCI compliance.
The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.
in-scope for PCI compliance are systems that process or support the processing of credit card data, additionally any system that is connected-to to those systems that process or support the processing of credit card data.
subgraph "Out-of-Scope B"
subgraph "Out-of-Scope A"
subgraph "In-Scope for PCI"
Node1[Payment Processing System] --> Node2[Connected-To System A]
Node1[Payment Processing System] --> Node3[Connected-To System B]
Node2 --> SubGraph1Flow(System C)
Node3 --> SubGraph2Flow(System D)
Control Owner: IT Ops
Process owner(s): IT Ops
Review and document required accounts for a given system and disable all unnecessary accounts. Use of shared accounts should not used. If unavoidable, compensating controls should be utilized to add accountability.
Additional control information and project tracking