
IAM.1.07 - Shared Account Restrictions Control Guidance

IAM.1.07 - Shared Account Restrictions

Control Statement

Where applicable, the use of generic and shared accounts to administer systems or perform critical functions is prohibited; generic user IDs are disabled or removed.

Context

Use of shared or generic accounts limits the ability to ensure authenticity and integrity, because actions cannot be attributed to a single individual. Someone outside the organization could exploit this, and their actions could not be easily traced.

Scope

This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.

Ownership

Guidance

Review and document the accounts required for a given system and disable all unnecessary accounts. Shared accounts should not be used. If a shared account is unavoidable, compensating controls should be put in place to add accountability.
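The review described above, as an added example (not GitLab's own tooling): local accounts are compared against a documented inventory of required accounts, login-capable accounts missing from the inventory are listed for disabling, and approved accounts with generic names are flagged as needing a compensating control. The passwd sample, the approved list and the generic-name list are all constructed assumptions.

```python
# Added example: audit local accounts against a documented inventory.
# All inputs below are constructed for illustration, not from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1001:1001:deploy:/home/deploy:/bin/bash
admin:x:1002:1002:admin:/home/admin:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1003:1003:Alice:/home/alice:/bin/bash
test:x:1004:1004:test:/home/test:/bin/bash
"""

# Assumed documented inventory: accounts reviewed and approved for this system.
APPROVED = {"root", "daemon", "backup", "alice", "deploy"}

# Assumed names that indicate a generic or shared identity rather than a person.
GENERIC_NAMES = {"admin", "test", "guest", "shared", "svc", "deploy", "operator"}

# Shells that prevent interactive login; such accounts are not login-capable.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Return {name: shell} for every well-formed passwd-style line."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            accounts[fields[0]] = fields[6]
    return accounts


def audit_accounts(passwd_text, approved=APPROVED, generic=GENERIC_NAMES):
    """Return (to_disable, needs_compensating_control).

    to_disable: login-capable accounts absent from the documented inventory.
    needs_compensating_control: approved accounts with a generic name, where
    shared use is possible and accountability must be added another way.
    """
    accounts = parse_passwd(passwd_text)
    login_capable = {n for n, sh in accounts.items() if sh not in NOLOGIN_SHELLS}
    to_disable = sorted(login_capable - approved)
    needs_compensating = sorted(login_capable & approved & generic)
    return to_disable, needs_compensating


if __name__ == "__main__":
    disable, review = audit_accounts(SAMPLE_PASSWD)
    print("disable:", disable)                 # ['admin', 'test']
    print("compensating controls:", review)    # ['deploy']
```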

Additional control information and project tracking

Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Shared Account Restrictions control issue.

Examples of evidence an auditor might request to satisfy this control:

Policy Reference

Framework Mapping