DS5.4 User Account Management
Ensure that requesting, establishing, issuing, suspending, modifying, and closing user accounts and related user privileges are tasks that are appropriately addressed by user account management policies and procedures.
An approval procedure outlining the data or system owner granting the access privileges should be included. These procedures should apply for all users, including administrators (privileged users), internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information are contractually arranged for all types of users.
Perform regular management review of all accounts and related privileges.
Illustrative Controls and the TIBCO LogLogic Solution
Demonstrate that procedures exist for the registration, change, and deletion of users from financial reporting systems and subsystems on a timely basis and confirm that the procedures are followed. Procedures must exist and be followed to ensure timely action relating to requesting, establishing, issuing, suspending, and closing user accounts.
To satisfy this control objective, administrators must ensure that permissions have been granted only to the appropriate users. Permissions incorrectly assigned to users can indicate failure to meet this control objective. Administrators must also ensure that all network and application access requests are adequately documented and approved by the appropriate management personnel. As proof, administrators can select a sample of terminated employees and verify that the accounts of those employees were terminated in a timely manner.
Administrators must ensure that the password policies on all servers and applications are set so that passwords are changed periodically. Server and application logs must be reviewed to confirm that passwords are actually being changed.
Monitor any account management activities such as user or group addition, deletion, and modification to ensure all user access privileges are appropriate and approved. Set up real-time alerts to detect any unauthorized or unapproved changes to users or groups.
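One way to implement the account-change monitoring and the terminated-employee check described above, as an added example that is not part of this document or of the TIBCO LogLogic product: it parses constructed Linux useradd/usermod/userdel syslog lines, flags any change with no matching approval ticket (the real-time alert candidates), and lists terminated employees whose accounts were removed late or not at all. The log format, hostnames, user and group names, ticket numbers and the three-day removal window are all assumptions.

```python
import re
from datetime import date, datetime

# Constructed sample syslog lines (ISO timestamps; host, users and groups invented)
# in the style of Linux useradd/usermod/userdel messages.
SAMPLE_LOG = """\
2024-03-03T09:12:01+00:00 app01 useradd[4121]: new user: name=jdoe, UID=1203, GID=1203, home=/home/jdoe, shell=/bin/bash
2024-03-03T09:15:44+00:00 app01 usermod[4130]: add 'jdoe' to group 'finance'
2024-03-03T22:41:07+00:00 app01 usermod[5301]: add 'svc_backup' to group 'wheel'
2024-03-08T08:02:19+00:00 app01 userdel[6012]: delete user 'rsmith'
"""
# Constructed approval register, (tool, user) -> change ticket, and HR termination
# list, user -> last working day. Both are assumptions for this example.
APPROVED = {("useradd", "jdoe"): "CHG-1001", ("usermod", "jdoe"): "CHG-1001",
            ("userdel", "rsmith"): "CHG-1017"}
TERMINATED = {"rsmith": date(2024, 3, 1), "tlee": date(2024, 2, 20)}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<tool>useradd|usermod|userdel)\[\d+\]: (?P<msg>.*)$"
)
USER_RE = {  # per-tool pattern that extracts the affected user (and group, if any)
    "useradd": re.compile(r"name=(?P<user>[\w.-]+)"),
    "usermod": re.compile(r"add '(?P<user>[\w.-]+)' to group '(?P<group>[\w.-]+)'"),
    "userdel": re.compile(r"delete user '(?P<user>[\w.-]+)'"),
}

def parse_events(log):
    """Return one dict per recognised account-management line; skip everything else."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        u = USER_RE[m["tool"]].search(m["msg"]) if m else None
        if u:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                           "tool": m["tool"], "user": u["user"], "group": u.groupdict().get("group")})
    return events

def unapproved_changes(events, approved):
    """Account changes with no approval ticket: the ones that should raise an alert."""
    return [e for e in events if (e["tool"], e["user"]) not in approved]

def overdue_terminations(events, terminated, max_days=3):
    """Terminated users whose account was deleted late (days of lag) or never (None)."""
    deleted = {e["user"]: e["ts"].date() for e in events if e["tool"] == "userdel"}
    lag = {u: (deleted[u] - d).days if u in deleted else None for u, d in terminated.items()}
    return {u: n for u, n in lag.items() if n is None or n > max_days}
```

On the sample data the only unapproved change is the addition of svc_backup to the wheel group, and both terminated users are reported: rsmith was removed seven days after the last working day and tlee was never removed.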