Security 101: Unique IDs

Are User Ids for the application or system uniquely attributable to individuals when accountability is required?

Summary

This security requirement question is straightforward: does everyone who has access to a system or application have their own ID, and is that the only way to access the system?

Policy

Unique User IDs - Each user must be assigned their own unique user ID. This user ID follows an individual as they move through the organization. It must be permanently decommissioned when a user leaves $company_name. Re-use of user IDs is not permitted. Every $company_name user ID and related password is intended for the exclusive use of a specific individual. While user IDs can be shared in electronic mail messages and in other places, passwords must never be shared with anyone. Information systems technicians have all the privileges they need to do their job, and must never obtain a user’s password. User IDs are linked to specific people, and are not associated with computer terminals, departments, or job titles. With the exception of Internet pages, intranet pages, and other places where anonymous interaction is both generally understood and expected, anonymous and guest user IDs are not permitted unless approved in advance by the Information Technology Department.
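One way to turn the policy above into a repeatable audit check, as an added example that is not part of the original post or of the SANS template: it runs the no-re-use, decommission-on-departure, person-bound-ID and approved-guest-only rules over a constructed directory export. The Assignment record shape, the rule names and the sample rows are assumptions, not any real system's export format.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed (hypothetical) shape of a directory/IAM export: one row per
# user-ID assignment. A real audit would load rows from the system's own export.
@dataclass
class Assignment:
    user_id: str                        # login name
    owner: str                          # person the ID was issued to ("" = no individual)
    active: bool                        # whether the account can still log in
    owner_left: Optional[date] = None   # date the owner left the company, if known
    kind: str = "individual"            # "individual", "guest" or "anonymous"

def audit_unique_ids(rows, approved_anonymous=frozenset()):
    """Return a sorted list of (user_id, rule) pairs that violate the policy."""
    findings = set()
    owners_by_id = {}
    for r in rows:
        owners_by_id.setdefault(r.user_id, set()).add(r.owner)
        # Rule: the ID must be permanently decommissioned when its owner leaves
        if r.owner_left is not None and r.active:
            findings.add((r.user_id, "active-after-departure"))
        # Rule: IDs are linked to people, not terminals, departments or job titles
        if r.kind == "individual" and not r.owner:
            findings.add((r.user_id, "not-bound-to-person"))
        # Rule: anonymous/guest IDs only where approved in advance
        if r.kind in ("guest", "anonymous") and r.user_id not in approved_anonymous:
            findings.add((r.user_id, "unapproved-guest"))
    # Rule: no re-use - the same ID issued to more than one individual over time
    for uid, owners in owners_by_id.items():
        if len(owners - {""}) > 1:
            findings.add((uid, "reused-id"))
    return sorted(findings)

SAMPLE_EXPORT = [  # constructed sample data, not from any real directory
    Assignment("asmith", "Alice Smith", True),
    Assignment("bjones", "Bob Jones", True, owner_left=date(2023, 11, 30)),
    Assignment("cdoe", "Carol Doe", False, owner_left=date(2022, 5, 1)),
    Assignment("cdoe", "Chris Doe", True),          # old ID handed to a new hire
    Assignment("frontdesk", "", True),              # login tied to a terminal
    Assignment("guest", "", True, kind="guest"),
    Assignment("web-anon", "", True, kind="anonymous"),
]

if __name__ == "__main__":
    for uid, rule in audit_unique_ids(SAMPLE_EXPORT, approved_anonymous={"web-anon"}):
        print(f"{uid}: {rule}")
```

Each finding maps back to one sentence of the policy, which makes the output usable as the evidence list for the otherwise empty Audit section.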

Controls

 

Audit

 

References

  1. As usual, the policy example was taken straight from the SANS Institute. I've said it before and I'm sure I'll say it again: SANS Institute has some of the best starter security policy templates I've found. Perusing their list of policies can also inspire you to craft policies for things you hadn't even thought of. If it's not written down, it doesn't exist.