Control 3.3.2

★What This Means in Plain English

Every action in your systems must be traceable to a specific individual. Shared accounts and generic logins make this impossible. Each person must have a unique account so that audit logs can show exactly who did what.

✓How Petronella Implements This Control

Petronella Technology Group implements this control through:

• Unique Microsoft Entra ID accounts for every individual with no shared accounts permitted
• Service accounts documented and linked to responsible individuals in ComplianceArmor
• Arctic Wolf SIEM correlating user identities across all systems for end-to-end traceability
• Active Directory audit policy logging user actions with individual account attribution
• Privileged access sessions recorded with individual user identification via PAM solutions

🔎Assessment Guidance

Assessors will verify that every user has a unique account, check that shared accounts are eliminated or have compensating controls, review audit logs for individual user attribution, and test that service accounts are documented and assigned to accountable individuals.

⚠Common Implementation Gaps

• Shared admin accounts (e.g., 'Administrator' used by multiple people)
• Generic service accounts with no assigned owner
• Multiple people sharing a single login credential
• Audit logs that do not identify the individual performing actions
• Guest accounts used without individual accountability

⇄Cross-Framework Mapping