Introduction
This User Management policy is a sub-policy of the Information Security policy and the Starters, Movers and Leavers policy and sets out the requirements for the effective management of user accounts and access rights. This management is essential to ensure that access to Bitz ‘n’ PC’z Ltd’s data and information systems is restricted to authorised users.
Scope
This policy applies to all employees and sub-contractors of Bitz ‘n’ PC’z Ltd.
Authorisation to Manage
The management of user accounts and privileges is restricted to suitably trained and authorised members of staff.
Account and Privilege Management
Accounts will only be issued to individual users who are eligible for an account and whose identity has been verified.
When an account is created, a unique username will be assigned to the individual user for their individual use. This username may not be assigned to any other person at any time.
On issue of account credentials, users must be informed of the requirement to comply with Bitz ‘n’ PC’z Ltd’s Information Security policies.
Access rights granted to users will be restricted to the minimum required in order for them to fulfil their roles.
Procedures shall be established for all information systems to ensure that users’ access rights are adjusted appropriately and in a timely manner to reflect any changes in a user’s circumstances (for example when a member of staff changes their role or a member of staff leaves).
Administrator/Special Access
Privileged or administrative accounts are accounts used for the administration of information systems and are distinct from user accounts. These accounts must only be used by system administrators when undertaking specific tasks that require special privileges.
Where a system has only one administrator, a break-glass procedure exists so that someone other than the administrator can gain access to the administrator account in an emergency.
System administrators must use their standard user account at all other times.
Periodic audits of privileged accounts must be conducted in addition to the regular maintenance of accounts (and not only when members join, move or leave).
User Onboarding
As part of the account provisioning process, the user may need to be informed of an initial, temporary password. This password must be communicated to the user in a secure way and must be changed by the user immediately. This change should be enforced automatically wherever possible.
All employees and sub-contractors must sign the Information Security Policy Acknowledgement before access is granted to an account or information resource.
Account Closure and Removal of Access
When a user leaves employment, their access to Bitz ‘n’ PC’z Ltd’s systems will terminate on the employment end date.
Multi-Factor Authentication
Users may be asked to present additional evidence as well as their password to authenticate themselves to Bitz ‘n’ PC’z Ltd’s systems. This is referred to as Multi-Factor Authentication (MFA).
The additional evidence requested will typically take the form of either a one-time code sent to a phone or authenticator app, or a hardware token.
Information given to Bitz ‘n’ PC’z Ltd for MFA will be stored securely and used only for authentication purposes.
All user accounts, including administrative or highly privileged accounts, must have Multi-Factor Authentication enabled where available.