What must be done with development, test, and custom application accounts before activation?

• A. Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or released to customers.
• B. Retain development accounts for auditing purposes.
• C. Rename accounts to anonymize credentials after release.
• D. Keep test accounts active for post-release.

Answer: (A)

Before production activation, all development, test, and custom application accounts (and their user IDs and passwords) must be removed or disabled. This minimizes the risk of backdoors or weak credentials entering the live environment and ensures that access in production is limited to production-approved accounts with properly controlled privileges. Keeping these accounts or their credentials active—even if renamed—can introduce opportunities for unauthorized access and complicate auditing and change management. If testing is still needed, use separate, controlled test environments and disable or remove those accounts before going live. This practice aligns with reducing attack surfaces and enforcing proper account lifecycle management.