How long should accounts be deactivated before being deleted?

Solution 1:

From a compliance perspective, the answer is usually: establish a policy that complies with your regulatory requirements and business needs, and then ensure that your organisation actually follows that policy.

As long as your policy is not complete nonsense and provides good arguments, the actual period can vary from "delete accounts immediately when they get deactivated" to "expired accounts are locked, clearly labeled and kept indefinitely" ...

Some systems have pricing tiers based on the number of registered accounts rather than the number of active accounts, and that might be a good reason to delete accounts as quickly as you can.

For things like file shares that store file ownership in a SID or UID number, it might be very useful to keep the deactivated account to maintain the mapping to the more human-readable username/account.
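The UID-to-username mapping mentioned in the last paragraph can be checked before an account is purged. The following is an added example, not part of the original answer: it walks a directory tree on a POSIX system and lists paths whose owner UID no longer resolves to an account. The function name `find_orphaned_owners` and its `resolve` parameter are hypothetical, and Windows SIDs are not covered.

```python
import os
import pwd
import sys
from collections import defaultdict


def find_orphaned_owners(root, resolve=pwd.getpwuid):
    """Return {uid: [paths]} for entries under `root` whose owner UID is unknown.

    `resolve` is any callable that raises KeyError for a UID with no account;
    by default it is the local account database lookup (pwd.getpwuid).
    """
    orphans = defaultdict(list)
    known = {}  # uid -> True if the UID still maps to an account
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                # lstat: report the owner of a symlink itself, not its target
                uid = os.lstat(path).st_uid
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            if uid not in known:
                try:
                    resolve(uid)
                    known[uid] = True
                except KeyError:
                    known[uid] = False
            if not known[uid]:
                orphans[uid].append(path)
    return dict(orphans)


if __name__ == "__main__":
    # Usage: python orphans.py /path/to/share
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for uid, paths in sorted(find_orphaned_owners(root).items()):
        print(f"UID {uid}: {len(paths)} entries with no matching account")
        for path in paths[:5]:  # show a small sample per UID
            print(f"  {path}")
```

Running this against a share before and after a trial deletion shows how much ownership information would be reduced to bare numbers.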