5.1 Identity Management
5.1 Identity Management
-
User Lifecycle Management:
-
a. Provision unique identifiers for all users and devices.
-
b. Deactivate user accounts after 1 year of inactivity.
-
c. Disable local administrator accounts after 90 days of inactivity.
-
d. Deactivate staging accounts (e.g.,
installadmin) after 7 days.
-
-
Local Administrator Password Rotation (LAPS) (Applies to Endpoints):
-
e. Rotate
dtcadminuser password at system boot, user login, and weekly intervals. -
f. Rotate built-in Administrator password at system boot, user login, and weekly intervals.
-
-
Password Policy:
-
h. Adhere to the default password policies established by each identity provider (e.g., Active Directory).
-
i. Collaborate with clients to develop customized password policies tailored to their specific security requirements and compliance obligations.
-
- Multi-factor Authentication (MFA) Protection
- j. All users accessing, where available per application, must have multi-factor authentication turned on.
- SMS is not recommended but can be used if only one available.
- One Time Passcodes from apps like Microsoft Authenticator are recommended.
- j. All users accessing, where available per application, must have multi-factor authentication turned on.
- Anomaly & Malicious Behavior Detection:
- k. Review and analyze audit and event logs in order to respond to security incidents.
-
Incident Response Integration:
-
l. Deploy light SIEM integration into identity environments.
-
m. Ensure continuous monitoring and analysis of identity activities to detect and respond to potential threats.
-
n. Facilitate collaboration between SIEM solutions and DTC to coordinate incident response and remediation efforts.
-
- Unique Identity Assignment
-
o. All employees, devices, and applications must have unique identities within the client organization.
-
p. Shared, generic, or default accounts are strictly prohibited except in
exceptionalcases approved by the client decision maker. -
q. Identity creation, modification, and deletion events must be logged and auditable.
-
Technical Controls:
| Control ID | Description | Tools/Methods |
|---|---|---|
| a | Provision unique identifiers for all users and devices. | DTC or Client Procured Identity Management Systems (e.g., Active Directory, Azure AD) |
| b | Deactivate user accounts after 1 year of inactivity. | NinjaOne RMM, Microsoft Windows PowerShell, |
| c | Disable local administrator accounts after 90 days of inactivity. | NinjaOne RMM, Microsoft Windows |
| d | Deactivate staging accounts (e.g., installadmin) after 7 days. |
NinjaOne RMM, Microsoft Windows |
| e | Rotate dtcadmin user password at system boot, user login, and weekly. |
NinjaOne RMM, Microsoft Windows |
| f | Rotate built-in Administrator password at system boot, user login, weekly. | NinjaOne RMM, Microsoft Windows |
| h | Adhere to default password policies of identity providers. | Configuration of identity provider |
| i | Develop customized password policies with clients. | Consultation |
| j. | All users accessing, where available per application, must have multi-factor authentication turned on. | Consultation |
| k. | Review and analyze audit and event logs in order to respond to security incidents. | SaaS Alerts, Blumira Free Edition |
| l. | All employees, devices, and applications must have unique identities within the client organization. | Entra ID, Google Workspace, Active Directory |
| m. | Shared, generic, or default accounts are strictly prohibited except in |
SOP |
| n. | Identity creation, modification, and deletion events must be logged and auditable. | Entra ID, Google Workspace, Windows Event Log, Blumira Free, SaaS Alerts, Blackpoint |