Identity Management
5.1 Identity Management
-
User Lifecycle Management:
-
a. Provision unique identifiers for all users and devices.
-
b. Deactivate user accounts after 1 year of inactivity.
-
c. Disable local administrator accounts after 90 days of inactivity.
-
d. Deactivate staging accounts (e.g.,
installadmin) after 7 days.
-
-
Local Administrator Password Rotation (LAPS):
-
e. Rotate
dtcadminuser password at system boot, user login, and weekly intervals. -
f. Rotate built-in Administrator password at system boot, user login, and weekly intervals.
-
-
g. Implement Multi-Factor Authentication (MFA) on critical systems where supported.
-
Password Policy:
-
h. Adhere to the default password policies established by each identity provider (e.g., Active Directory).
-
i. Collaborate with clients to develop customized password policies tailored to their specific security requirements and compliance obligations.
-
- Anomaly & Malicious Behavior Detection:
- j. Review and analyze audit and event logs in order to respond to security incidents.
Technical Controls:
| Control ID | Description | Tools/Methods |
|---|---|---|
| a | Provision unique identifiers for all users and devices. | Identity Management Systems (e.g., Active Directory, Azure AD) |
| b | Deactivate user accounts after 1 year of inactivity. | Automated scripts; Identity Management Systems |
| c | Disable local administrator accounts after 90 days of inactivity. | Group Policy Objects (GPO); Automated compliance tools |
| d | Deactivate staging accounts (e.g., installadmin) after 7 days. |
Automated account review processes; Identity Management Systems |
| e | Rotate dtcadmin user password at system boot, user login, and weekly. |
Local Administrator Password Solution (LAPS); Custom scripts |
| f | Rotate built-in Administrator password at system boot, user login, weekly. | LAPS; Custom scripts |
| g | Implement Multi-Factor Authentication (MFA) on critical systems. | MFA solutions (e.g., Microsoft Authenticator, Duo Security) |
| h | Adhere to default password policies of identity providers. | Configuration of identity provider settings; Regular policy reviews |
| i | Develop customized password policies with clients. | Consultation sessions; Policy development frameworks |