The system must allow superusers or system administrators to disable user accounts.
CIS Controls. 16.7 Establish Process for Revoking Access. Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor.
HIPAA Security Rules 164.308(a)(3)(ii)(A): Authorization and/or supervision (Addressable): Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health informationisable Dormant Accounts or in locations where it might be accessed.
ISO 27001:2013. Annex A - 9.2.1 Implement a formal process for user registration and deletion in order to enable access rights assignation.
ISO 27001:2013. Annex A - 9.2.2 Implement a formal access granting process to assign or revoke access rights to all types of users to systems and services.
NERC CIP-004-6. B. Requirements and measures. R5 Each Responsible Entity shall implement one or more documented access revocation program(s).
PCI DSS v3.2.1 - Requirement 8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.