Back to T5.2.1 - P1 - USER REGISTRATION
The access control procedure for user registration and de-registration should include:
A. Using unique user IDs to enable users to be linked to and held responsible for their actions; the use of shared IDs should only be permitted where they are necessary for business or operational reasons and should be approved and documented
B. Verifying that the user has authorization from the owner of the information system or service for the use of the information system or service; separate approval for access rights from management may also be appropriate
C. Verifying that the level of access granted is appropriate to the business purpose and is consistent with organizational security policy, e.g. it does not compromise segregation of duties
D. Ensuring service providers do not provide access until authorization procedures have been completed
E. Maintaining a central, formal record of all persons registered to use systems and services
F. Immediately removing or blocking access rights of users who have changed roles or jobs or left the entity
G. Periodically identifying, and removing or blocking, redundant user IDs and redundant and inactive accounts
H. Ensuring that redundant user IDs are not issued to other users