NIST 800-53 REV 5 • ACCESS CONTROL
AC-2(10) — Shared and Group Account Credential Change
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
When a member leaves a group that shares an account, the password for that shared account must be changed. Otherwise the departed person still knows the credentials and can keep using them.
Example 1: Use CyberArk or a similar PAM tool to manage shared account credentials. Configure automatic password rotation that triggers whenever a member is removed from the account's access group. The new password is vaulted and only available to remaining authorized users.
Example 2: For less formal setups, create an SOP that requires the IT team to change the password on any shared account within 24 hours of a group member's departure. Track this in your ticketing system (ServiceNow, Jira) and have the ISSO verify completion during monthly reviews.
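To make the 24-hour SOP in Example 2 verifiable rather than a matter of trust, the ISSO's monthly review can be scripted against two event streams: group-membership removals from the directory and credential-rotation events from the vault or PAM tool. The following is an added example, not part of the control text or any vendor's product; the event format, the account-to-group mapping, and the log lines are all constructed for illustration. It flags every shared account whose credential was not rotated within the deadline after a member was removed from its access group, and it deliberately ignores rotations that happened before the removal, since a password the departed member was still able to see does not satisfy the control.

```python
"""Compliance check for AC-2(10): after a member is removed from the access
group that governs a shared account, that account's credential must be rotated
within the SOP deadline (24 hours in the practitioner note).

Everything below is constructed sample data; the account-to-group mapping and
the event line format are assumptions, not any product's real export format."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Hypothetical mapping: shared account -> access group whose membership controls it.
SHARED_ACCOUNT_GROUPS = {
    "svc_backup": "GRP-Backup-Admins",
    "netops_shared": "GRP-NetOps",
}

# Constructed audit lines: "<ISO timestamp> GROUP_REMOVE <group> <member>"
# or "<ISO timestamp> CRED_ROTATE <account>".
SAMPLE_LOG = [
    "2024-03-01T09:00:00+00:00 GROUP_REMOVE GRP-Backup-Admins jdoe",
    "2024-03-01T15:30:00+00:00 CRED_ROTATE svc_backup",        # 6.5 h later: on time
    "2024-03-02T10:00:00+00:00 GROUP_REMOVE GRP-NetOps asmith",
    "2024-03-04T12:00:00+00:00 CRED_ROTATE netops_shared",     # 50 h later: 26 h late
    "2024-03-05T08:00:00+00:00 GROUP_REMOVE GRP-Backup-Admins mlee",  # never rotated
]
# Review time for the sample run: 48 h after mlee's removal, so 24 h overdue.
REVIEW_TIME = datetime(2024, 3, 7, 8, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class GroupRemoval:
    when: datetime
    group: str
    member: str


@dataclass(frozen=True)
class CredentialRotation:
    when: datetime
    account: str


@dataclass(frozen=True)
class Finding:
    account: str
    member: str            # the departed member whose removal started the clock
    removed_at: datetime
    rotated_at: Optional[datetime]  # None when no rotation has happened yet
    hours_late: float      # hours beyond the deadline (0 when rotated just in time)


def parse_events(lines) -> Tuple[List[GroupRemoval], List[CredentialRotation]]:
    """Split constructed audit lines into removal and rotation events."""
    removals, rotations = [], []
    for line in lines:
        ts, kind, *rest = line.split()
        when = datetime.fromisoformat(ts)
        if kind == "GROUP_REMOVE":
            group, member = rest
            removals.append(GroupRemoval(when, group, member))
        elif kind == "CRED_ROTATE":
            (account,) = rest
            rotations.append(CredentialRotation(when, account))
    return removals, rotations


def check_rotations(removals, rotations, now, account_groups=SHARED_ACCOUNT_GROUPS,
                    deadline=timedelta(hours=24)) -> List[Finding]:
    """Return one Finding per (removal, shared account) pair that missed the deadline."""
    group_to_accounts = {}
    for account, group in account_groups.items():
        group_to_accounts.setdefault(group, []).append(account)

    findings = []
    for removal in removals:
        for account in group_to_accounts.get(removal.group, []):
            # Only rotations at or after the removal count: an earlier rotation
            # produced a password the departed member could still have learned.
            later = [r.when for r in rotations
                     if r.account == account and r.when >= removal.when]
            rotated_at = min(later) if later else None
            elapsed = (rotated_at if rotated_at is not None else now) - removal.when
            if elapsed > deadline:
                hours_late = (elapsed - deadline).total_seconds() / 3600
                findings.append(Finding(account, removal.member, removal.when,
                                        rotated_at, hours_late))
    return findings


def run_check() -> List[Finding]:
    """Run the check over the constructed sample log at the sample review time."""
    removals, rotations = parse_events(SAMPLE_LOG)
    return check_rotations(removals, rotations, REVIEW_TIME)


if __name__ == "__main__":
    for f in run_check():
        status = f"rotated {f.rotated_at.isoformat()}" if f.rotated_at else "NOT ROTATED"
        print(f"{f.account}: {f.member} removed {f.removed_at.isoformat()}, "
              f"{status}, {f.hours_late:.1f} h past deadline")
```

On the sample data the check reports netops_shared (rotated, but 26 hours past the deadline) and svc_backup for mlee's removal (no rotation since the removal, 24 hours overdue); the earlier svc_backup rotation after jdoe's removal is on time and produces no finding. In a real review the two event lists would come from the directory's group-change audit log and the PAM tool's rotation history, and each finding maps to the ticket the SOP requires.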