Skip to main content

5.1 Identity Management

5.1 Identity Management

  • User Lifecycle Management:

    • a. Provision unique identifiers for all users and devices.

    • b. Deactivate user accounts after 1 year of inactivity.

    • c. Disable local administrator accounts after 90 days of inactivity.

    • d. Deactivate staging accounts (e.g., installadmin) after 7 days.

  • Local Administrator Password Rotation (LAPS) (Applies to Endpoints):

    • e. Rotate dtcadmin user password at system boot, user login, and weekly intervals.

    • f. Rotate built-in Administrator password at system boot, user login, and weekly intervals.

g. Implement Multi-Factor Authentication (MFA) on critical systems where supported.

Password Policy:

  • h. Adhere to the default password policies established by each identity provider (e.g., Active Directory).

  • i. Collaborate with clients to develop customized password policies tailored to their specific security requirements and compliance obligations.

Multi-factor Authentication (MFA) Protection
  • j. All users accessing, where available per application, must have multi-factor authentication turned on.
    • SMS is not recommended but can be used if only one available.
    • One Time Passcodes from apps like Microsoft Authenticator are recommended.
Anomaly & Malicious Behavior Detection:
  • k. Review and analyze audit and event logs in order to respond to security incidents.
  • Unique Identity Assignment

  • l. All employees, devices, and applications must have unique identities within the client organization.

  • m. Shared, generic, or default accounts are strictly prohibited except in exceptional cases approved by the client decision maker.

  • n. Identity creation, modification, and deletion events must be logged and auditable.

Technical Controls:

Control ID Description Tools/Methods
a Provision unique identifiers for all users and devices. DTC or Client Procured Identity Management Systems (e.g., Active Directory, Azure AD)
b Deactivate user accounts after 1 year of inactivity. NinjaOne RMM, Microsoft Windows PowerShell, Internet Access
c Disable local administrator accounts after 90 days of inactivity. NinjaOne RMM, Microsoft Windows PowerShell, Internet Access
d Deactivate staging accounts (e.g., installadmin) after 7 days. NinjaOne RMM, Microsoft Windows PowerShell, Internet Access
e Rotate dtcadmin user password at system boot, user login, and weekly. NinjaOne RMM, Microsoft Windows PowerShell, Internet Access
f Rotate built-in Administrator password at system boot, user login, weekly. NinjaOne RMM, Microsoft Windows PowerShell, Internet Access
g Implement Multi-Factor Authentication (MFA) on critical systems. Microsoft Entra ID, Google Workspace, Cloudflare ZTNA Email h Adhere to default password policies of identity providers. Configuration of identity provider settings; Regular policy reviews i Develop customized password policies with clients. Consultation sessions; Quarterly business reviews; Policy development frameworks j. All users accessing, where available per application, must have multi-factor authentication turned on. Consultation sessions; Client application choice; DTC enabled for Entra ID & Google Workspace by default. k. Review and analyze audit and event logs in order to respond to security incidents. SaaS Alerts, Blumira Free Edition l. All employees, devices, and applications must have unique identities within the client organization. Entra ID, Google Workspace, Active Directory m. Shared, generic, or default accounts are strictly prohibited except in exceptional cases approved by the client decision maker. SOP n. Identity creation, modification, and deletion events must be logged and auditable. Entra ID, Google Workspace, Windows Event Log, Blumira Free, SaaS Alerts, Blackpoint

Standard Operating Procedures

Control ID Description Tools/Methods
a Provision unique identifiers for all users and devices. Client Employee On-boarding SOP
b Deactivate user accounts after 1 year of inactivity. SaaS Alerts On-boarding, NinjaRMM Agent Install
c Disable local administrator accounts after 90 days of inactivity. NinjaRMM Agent Install
d Deactivate staging accounts (e.g., installadmin) after 7 days. NinjaRMM Agent Install
e Rotate dtcadmin user password at system boot, user login, and weekly. NinjaRMM Agent Install
f Rotate built-in Administrator password at system boot, user login, weekly. NinjaRMM Agent Install
g
Implement Multi-Factor Authentication (MFA) on critical systems. Microsoft Entra ID, Google Workspace, Cloudflare ZTNA Email h Adhere to default password policies of identity providers. TC i Develop customized password policies with clients. Consultation sessions; Policy development frameworks j. Review and analyze audit and event logs in order to respond to security incidents. Security Incident Queue k. Review and analyze audit and event logs in order to respond to security incidents. Security Incident Queue l. All employees, devices, and applications must have unique identities within the client organization. Client Employee On-boarding SOP m. Shared, generic, or default accounts are strictly prohibited except in exceptional cases approved by the client decision maker. Client Policy or Decision n. Identity creation, modification, and deletion events must be logged and auditable. TC
Back to top