Account and Credential Management Policy

Controls: 5, 6
Applicable Safeguards: 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 6.1, 6.2

1. Purpose

Establish requirements for managing user accounts, service accounts, and credentials to ensure proper identity governance and access control across [ORGANIZATION]'s information systems.

2. Scope

This policy applies to all user accounts, service accounts, shared accounts, and associated credentials for all of [ORGANIZATION]'s information systems, applications, and services.

3. Policy

3.1 Account Lifecycle Management

3.1.1

A centralized account management process shall be established covering the complete lifecycle: request, approval, provisioning, review, modification, and deprovisioning of accounts.

3.1.2

Account creation shall require documented authorization from the user's manager and, for privileged accounts, from [CUSTOMIZE: CISO/IT Director].

3.1.3

Account deprovisioning shall occur within [CUSTOMIZE: 24 hours] of personnel separation (termination, resignation, or end of contract).

3.1.4

Accounts inactive for [CUSTOMIZE: 45/60/90] days shall be automatically disabled. Disabled accounts not reactivated within [CUSTOMIZE: 30] days shall be deleted.

3.1.5

All account provisioning, modification, and deprovisioning actions shall be logged and auditable.

3.2 Password and Credential Requirements

3.2.1

Passwords shall meet the following minimum requirements: be at least [CUSTOMIZE: 12/14/16] characters in length, not match a list of known-compromised passwords, not contain the username or common dictionary words, and be changed immediately if compromise is suspected.

3.2.2

Unique credentials shall be required for each user. Shared accounts are prohibited except where technically unavoidable, in which case they shall be documented with compensating controls.

3.2.3

Service account credentials shall be managed through a secrets management solution, rotated at least [CUSTOMIZE: quarterly/annually], and not embedded in source code.

3.2.4

Default credentials on all systems and applications shall be changed before deployment to production.

3.3 Multi-Factor Authentication

3.3.1

Multi-factor authentication (MFA) shall be required for: all remote access connections, all privileged account access, access to Confidential and Restricted data, cloud service administrative consoles, and VPN connections.

3.3.2

MFA methods shall use at least two of: something you know (password), something you have (token, smart card, phone), or something you are (biometric).

3.3.3

SMS-based MFA is discouraged. Authenticator applications, hardware tokens, or FIDO2/WebAuthn are preferred.

3.3.4

MFA shall be enforced for all externally accessible applications within [CUSTOMIZE: 6/12] months of this policy's effective date.

3.4 Access Reviews

3.4.1

User access rights shall be reviewed at least [CUSTOMIZE: quarterly/bi-annually] by the account owner's manager to verify continued appropriateness.

3.4.2

Privileged access shall be reviewed at least [CUSTOMIZE: quarterly] by [CUSTOMIZE: CISO/IT Security Team].

3.4.3

Access review findings requiring remediation shall be addressed within [CUSTOMIZE: 14/30] days.

4. Compliance

4.1

Compliance with this policy is mandatory for all personnel within its scope. Compliance will be monitored through periodic audits, automated controls, and management review.

4.2

Exceptions to this policy must be documented with a business justification, approved by [CUSTOMIZE: CISO/Security Team], and reviewed at least annually.

5. Enforcement

5.1

Violations of this policy may result in disciplinary action up to and including termination of employment or contract, and may result in civil or criminal penalties where applicable law has been violated.

5.2

[ORGANIZATION] reserves the right to audit compliance with this policy at any time, with or without notice.

6. Review and Revision

6.1

This policy shall be reviewed at least annually by [CUSTOMIZE: CISO/Policy Owner] and updated as necessary to reflect changes in the threat landscape, regulatory requirements, or organizational structure.

6.2

All revisions shall be documented with version number, date, author, and description of changes.

Policy Approval

Approved By: [CUSTOMIZE]
Title: [CUSTOMIZE]
Date: [CUSTOMIZE]

Document Control

Version: [CUSTOMIZE: 1.0]
Effective Date: [CUSTOMIZE]
Last Reviewed: [CUSTOMIZE]
Next Review: [CUSTOMIZE]
Classification: Internal