6. User Management
A formal user registration and de-registration procedure should be implemented for granting and revoking access to all information systems and services. Procedures should exist to ensure the allocation of privileges is restricted and controlled. Users' access rights should be regularly reviewed and procedures should be established for all information systems to ensure that users' access rights are adjusted appropriately, and in a timely manner, whenever there is a change in operational need, role change or a user leaves the unit. Systems should be audited for unwanted/redundant accounts and when users leave access should be revoked and the user de-registered.
Users should be made aware of their own responsibilities for information security. All users should have a unique identifier (user ID) for their personal and sole use for access to the unit's information services. The user ID should not be used by anyone else and associated passwords should not be shared with any other person for any reason. Allocation of passwords should be controlled through a formal management process and users are required to follow good security practices in the selection and use of passwords. Users should be advised to take appropriate steps (such as screen-locking, clearing desks) to prevent unauthorised access to machines, accounts and private information.
- Authentication and Authorisation
- Registration and De-registration
- Passwords and Unauthorised Access
- Visitor Accounts