User accounts must be authorised by management before being created. No account should be created without knowing who it is for and what level of access is required.
When basic user accounts are created they should have the minimum level of access to applications, computers and networks.
All individual accounts should have their level of access reviewed periodically. The details of all account rights and privileges should be documented and stored in a secure place.
All accounts should have a unique ID (username) and the user should create a strong password. Our strong password guide can be found here.
Users should be prompted to change their passwords on a regular basis, at least once every 60 days (i.e. a maximum password age of 60 days). Note that current guidance such as NIST SP 800-63B advises against routine expiry in favour of forcing a change when compromise is suspected; if rotation is retained, monitor that it does not push users towards predictable variations of an old password.
Administrative accounts should only be used for administrative activities. They should never be used for browsing the internet or reading e-mail; keeping these activities on a separate, non-privileged account reduces the chance that a phishing message or malicious download runs with administrative rights.
A documented process should be in place for promptly disabling (and subsequently removing) accounts when a staff member leaves, and for adjusting access rights when a staff member changes role.