5.1 Identity Management
5.1 Identity Management
-
User Lifecycle Management:
-
a. Provision unique identifiers for all users and devices.
-
b. Deactivate user accounts after 1 year of inactivity.
-
c. Disable local administrator accounts after 90 days of inactivity.
-
d. Deactivate staging accounts (e.g.,
installadmin) after 7 days.
-
-
Local Administrator Password Rotation (LAPS) (Applies to Endpoints):
-
e. Rotate
dtcadminuser password at system boot, user login, and weekly intervals. -
f. Rotate built-in Administrator password at system boot, user login, and weekly intervals.
-
-
Password Policy:
-
h. Adhere to the default password policies established by each identity provider (e.g., Active Directory).
-
i. Collaborate with clients to develop customized password policies tailored to their specific security requirements and compliance obligations.
-
- Multi-factor Authentication (MFA) Protection
- j. All users accessing, where available per application, must have multi-factor authentication turned on.
- SMS is not recommended but can be used if only one available.
- One Time Passcodes from apps like Microsoft Authenticator are recommended.
- j. All users accessing, where available per application, must have multi-factor authentication turned on.
- Anomaly & Malicious Behavior Detection:
- k. Review and analyze audit and event logs in order to respond to security incidents.
- Unique Identity Assignment
-
l. All employees, devices, and applications must have unique identities within the client organization.
-
m. Shared, generic, or default accounts are strictly prohibited except in exceptional cases approved by the client decision maker.
-
n. Identity creation, modification, and deletion events must be logged and auditable.
-
Technical Controls:
| Control ID | Description | Tools/Methods |
|---|---|---|
| a | Provision unique identifiers for all users and devices. | DTC or Client Procured Identity Management Systems (e.g., Active Directory, Azure AD) |
| b | Deactivate user accounts after 1 year of inactivity. | NinjaOne RMM, Microsoft Windows PowerShell, Internet Access |
| c | Disable local administrator accounts after 90 days of inactivity. | NinjaOne RMM, Microsoft Windows PowerShell, Internet Access |
| d | Deactivate staging accounts (e.g., installadmin) after 7 days. |
NinjaOne RMM, Microsoft Windows PowerShell, Internet Access |
| e | Rotate dtcadmin user password at system boot, user login, and weekly. |
NinjaOne RMM, Microsoft Windows PowerShell, Internet Access |
| f | Rotate built-in Administrator password at system boot, user login, weekly. | NinjaOne RMM, Microsoft Windows PowerShell, Internet Access |
| h | Adhere to default password policies of identity providers. | Configuration of identity provider settings; Regular policy reviews |
| i | Develop customized password policies with clients. | Consultation sessions; Quarterly business reviews; Policy development frameworks |
| j. | All users accessing, where available per application, must have multi-factor authentication turned on. | Consultation sessions; Client application choice; DTC enabled for Entra ID & Google Workspace by default. |
| k. | Review and analyze audit and event logs in order to respond to security incidents. | SaaS Alerts, Blumira Free Edition |
| l. | All employees, devices, and applications must have unique identities within the client organization. | Entra ID, Google Workspace, Active Directory |
| m. | Shared, generic, or default accounts are strictly prohibited except in exceptional cases approved by the client decision maker. | SOP |
| n. | Identity creation, modification, and deletion events must be logged and auditable. | Entra ID, Google Workspace, Windows Event Log, Blumira Free, SaaS Alerts, Blackpoint |
Standard Operating Procedures
| Control ID | Description | Tools/Methods |
|---|---|---|
| a | Provision unique identifiers for all users and devices. | Client Employee On-boarding SOP |
| b | Deactivate user accounts after 1 year of inactivity. | SaaS Alerts On-boarding, NinjaRMM Agent Install |
| c | Disable local administrator accounts after 90 days of inactivity. | NinjaRMM Agent Install |
| d | Deactivate staging accounts (e.g., installadmin) after 7 days. |
NinjaRMM Agent Install |
| e | Rotate dtcadmin user password at system boot, user login, and weekly. |
NinjaRMM Agent Install |
| f | Rotate built-in Administrator password at system boot, user login, weekly. | NinjaRMM Agent Install |
| h | Adhere to default password policies of identity providers. | TC |
| i | Develop customized password policies with clients. | Consultation sessions; Policy development frameworks |
| j. | Review and analyze audit and event logs in order to respond to security incidents. | Security Incident Queue |
| k. | Review and analyze audit and event logs in order to respond to security incidents. | Security Incident Queue |
| l. | All employees, devices, and applications must have unique identities within the client organization. | Client Employee On-boarding SOP |
| m. | Shared, generic, or default accounts are strictly prohibited except in exceptional cases approved by the client decision maker. | Client Policy or Decision |
| n. | Identity creation, modification, and deletion events must be logged and auditable. | TC |