Use a centralised tool to manage accounts, access rights and privileges

De-activated or expired user IDs should never be re-used for other users.

This is relevant as a general administration principle for self-developed cloud services and all other utilized data systems, where other maintenance may be provided by a partner organization, but access / user ID management by the organization itself.

To protect from e.g brute force attacks the organisation must use at least one of the following practices:

• Account is locked after 10 failed login attempts
• Limit for login attempts in 5 minutes is 10

In addition the following password practices should be in place:

• Minimum length of a password should be at least 8
• Passwords don’t have maximum length
• Password is changed when it’s integrity is suspected or known to be compromised

Use a centralized tool to check password quality against the organisation’s security requirements. As a minimum, it should be avoided using common words and names in employees' native language and English as well as years and seasons.

Document the identity life cycle management processes. Documentation should include the following things:

• The process of creating an identity
• How identities are maintained
• The process of deactivating an identity

The organization maintains a centralized record of the access rights granted to each user ID to data systems and services. This recording is used to review access rights at times of employment change or in the onboarding process of new colleagues joining the same role.

To ensure that authorized users have access to data systems and to prevent unauthorized access, the organization has defined formal processes for:

• User registration and deletion
• Allocation of access rights
• Reassessment of access rights
• Deleting or changing access rights

The implementation of these things must always take place through a defined, formal process.