An account suspension is triggered after 30 days of inactivity. A warning is sent 7 days prior and on the day of suspension.
This is in accordance with Security Control 1404 of the Australian Government Information Security Manual (ISM) from the Australian Cyber Security Centre (ACSC).
Security Control: 1404; Revision: 2; Updated: Sep-19; Applicability: O, P, S, TS. Access to systems, applications and data repositories is removed or suspended after one month of inactivity.
This is also a requirement of control A.9.2.6 of the ISO 27001 standard.
ISO 27001, A.9.2.6 Removal or adjustment of access rights: The access rights of all employees and external party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change.
Accounts in the off-boarding process are closely monitored and suspended as soon as they no longer serve a business purpose. Accounts are deactivated during the off-boarding process and marked for removal at its conclusion. These accounts are purged from the system automatically 30 days after removal.
In the future, our authentication system will generate a message and send it to the IT Workstream when an account has been inactive for more than 23 days. It will also send a notification directly to the affected user's Slack account, so that the user is not locked out without warning.
These features are planned to be rolled out in Q3, 2021.
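The following is an added example, not part of this policy or of our authentication system, showing how a daily job could apply the thresholds above (advance warning at 23 days of inactivity, warning plus suspension at 30 days, purge 30 days after an off-boarded account's removal). The action names, the `Account` fields and the sample population are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds stated in the policy above.
SUSPEND_AFTER_DAYS = 30        # suspend after one month of inactivity
WARN_BEFORE_DAYS = 7           # advance warning 7 days before suspension (day 23)
PURGE_AFTER_REMOVAL_DAYS = 30  # off-boarded accounts purged 30 days after removal

@dataclass
class Account:             # assumed record shape for this example
    name: str
    last_activity: date
    warned: bool = False               # advance warning already sent
    suspended: bool = False
    removed_on: Optional[date] = None  # set when off-boarding concludes

def evaluate(acct: Account, today: date) -> list[str]:
    """Actions for one account on one day: 'warn-it', 'warn-user', 'suspend', 'purge'.
    Warnings go to both channels named in the policy (IT Workstream and user Slack)."""
    # Off-boarded accounts are already deactivated; only the purge timer applies.
    if acct.removed_on is not None:
        return ["purge"] if (today - acct.removed_on).days >= PURGE_AFTER_REMOVAL_DAYS else []
    if acct.suspended:
        return []
    idle_days = (today - acct.last_activity).days
    if idle_days >= SUSPEND_AFTER_DAYS:
        # Day-of-suspension warning plus the suspension itself.
        return ["warn-it", "warn-user", "suspend"]
    if idle_days >= SUSPEND_AFTER_DAYS - WARN_BEFORE_DAYS and not acct.warned:
        # Advance warning; 'warned' stops a daily job from repeating it.
        return ["warn-it", "warn-user"]
    return []

def run(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """One scheduled pass; returns only the accounts that need action today."""
    return {a.name: acts for a in accounts if (acts := evaluate(a, today))}

# Constructed sample population for a run on 2021-08-01.
TODAY = date(2021, 8, 1)
SAMPLE = [
    Account("alice", TODAY - timedelta(days=10)),                  # active, nothing to do
    Account("bob", TODAY - timedelta(days=23)),                    # advance warning today
    Account("carol", TODAY - timedelta(days=25), warned=True),     # already warned
    Account("dave", TODAY - timedelta(days=30)),                   # suspend today
    Account("erin", TODAY - timedelta(days=5),
            removed_on=TODAY - timedelta(days=30)),                # off-boarded: purge
    Account("frank", TODAY - timedelta(days=40), suspended=True),  # already suspended
]
```

Running `run(SAMPLE, TODAY)` yields actions for bob, dave and erin only; the other accounts are either active, already warned, or already suspended.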