UCF ID: 00526
Control Type: Process or Activity
Status: Live
Supporting and supported controls
This control directly supports:
- Establish and maintain an identification, authentication, and access rights management plan. [UCF Control ID 00513]
There are no supporting controls.
Authority documents complied with:
CobiT, Version 4.1, DS5.4, DS5.5; The Standard of Good Practice for Information Security, SM4.4.5, CI4.5.3(e); OGC ITIL: Security Management, § 4.2
ITIL Guidance
[§ 4.2, OGC ITIL: Security Management]
General Guidance
The organization should ensure that requesting, establishing, issuing, suspending, modifying, and closing user accounts and their related privileges are all addressed by user account management. An approval procedure should be included in which the data or system owner grants the access privileges. These procedures should apply to all users, including administrators (privileged users) and internal and external users, in both normal and emergency cases. Rights and obligations relating to access to enterprise systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.
DS5.5 calls for the organization to ensure that IT security implementation is tested and monitored proactively. IT security should be reaccredited periodically to ensure the approved security level is maintained. A logging and monitoring function enables the early detection of unusual or abnormal activities that may need to be addressed. Access to the logging information is in line with business requirements in terms of access rights and retention requirements. [DS5.4, DS5.5, CobiT, Version 4.1]
The identity and access management policy should allow users the ability to validate and correct their own user information and set their own passwords. [SM4.4.5, CI4.5.3(e), The Standard of Good Practice for Information Security]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of active computer accounts that have been reviewed for justification of current access privileges in accordance with policy. [UCF Control ID 02094]
- Report on the percentage of systems and applications where assignment of user and administration privileges is in compliance with the policy that specifies role-based information access privileges. [UCF Control ID 02096]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
