09) Does your organisation have a documented process for the provisioning and removal of user accounts for all of your IT services that includes a secure logon with unique user IDs?
IT Operations Secure Logon Joiner/Mover/Leaver
Written by Haydn Brooks
Created on March 18, 2019
Modified on June 7, 2020

Answer yes if your organisation requires all users to have a secure and unique logon to access corporate endpoints, networks, and third-party services, and if these logons are provisioned securely and with line manager authorisation. Please describe the provisioning process in the notes or provide a supporting document (as a PDF file) as evidence.

Your users' access to your organisation's IT systems needs to be provisioned in a secure manner. Each user must have a unique user ID (username) and password.

When provisioning access to users, the level of access given should be the minimum required for the user to perform their job role, and access should only be provisioned with line manager approval.

User provisioning is generally done through a controlled and auditable central user management system, such as Active Directory, which is used to grant, modify, and terminate access.

How to implement the control:

Your IT team must ensure that the process used to provision access to new employees is robust and secure. A review by an external security consultant can help here.

All users must be provisioned with unique user IDs and passwords. If users are issued temporary passwords for their first login, the systems must enforce a password change.
