Eleven golden rules for user registration controls
ISO27002 recommends that an organization’s user registration process should cover the following:
1. Unique user identifications (IDs) should be issued so that users can be linked to, and made responsible for, their actions.
2. The user’s access rights should be documented and describe what assets and systems the user is allowed to access.
3. System owners should authorize proposed users to use the system, and the access rights document should also be authorized by the individual’s line manager, to ensure that it is appropriate.
4. The access rights granted should reflect the access policy in that they are in line with the definitions therein as to who needs access to what.
5. Ensure that the users get a written statement of their access rights.
6. This user access statement should also refer explicitly to password management, to specific privileges that have been granted, to acceptable password structures, and to the requirement for a password-protected screen saver and power-off when the workstation is not in use.
7. Ensure that service providers do not provide access until formal authorization processes are completed.
8. A copy of the signed document should be placed on the employee’s (or third-party contractor’s) individual file. The network administrator who is issuing the user name should also retain a copy so that he or she is at any time able to evidence that the listed user names on his or her system are all authorized.
9. The access rights of people who change jobs or leave the organization should be immediately removed.
10. Redundant user IDs should be removed; the user name register should be periodically checked against the current payroll and HR and third-party contractor files to ensure that only currently authorized individuals have user names.
11. Redundant user IDs should never be reissued.
Source: IT Governance, Alan Calder & Steve Watkins
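Rules 9 to 11 describe a control that is easy to state and easy to let slip: the user name register must be reconciled against payroll, HR and contractor files so that leavers lose access, orphaned IDs are removed, and retired IDs are never handed out again. The following script is an added example of that reconciliation, not code from the book or from ISO27002; the `Person`, `Account` and `ReconciliationReport` types, the function names and the sample roster are all constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class Person:
    """One row from the HR payroll or third-party contractor file (constructed type)."""
    user_id: str
    source: str                      # "payroll" or "contractor"
    end_date: Optional[date] = None  # None while the person is still employed or contracted


@dataclass(frozen=True)
class Account:
    """One entry from the system's user name register (constructed type)."""
    user_id: str
    enabled: bool


@dataclass
class ReconciliationReport:
    authorized: list[str] = field(default_factory=list)  # backed by a current HR/contractor record
    leavers: list[str] = field(default_factory=list)     # record exists but the person has left (rule 9)
    orphaned: list[str] = field(default_factory=list)    # no HR or contractor record at all (rule 10)
    reissued: list[str] = field(default_factory=list)    # ID is in the retired register (rule 11)

    def findings(self) -> list[str]:
        """Every user name that should not be on the system in its current state."""
        return self.leavers + self.orphaned + self.reissued


def reconcile(accounts: Iterable[Account], people: Iterable[Person],
              retired_ids: set[str], today: date) -> ReconciliationReport:
    """Classify each account on the register against the HR/contractor roster.

    The retired-ID check runs first: a retired ID that reappears is a finding
    even if HR happens to have a live record under the same name.
    """
    roster = {p.user_id: p for p in people}
    report = ReconciliationReport()
    for acct in accounts:
        if acct.user_id in retired_ids:
            report.reissued.append(acct.user_id)
        elif acct.user_id not in roster:
            report.orphaned.append(acct.user_id)
        elif roster[acct.user_id].end_date is not None and roster[acct.user_id].end_date <= today:
            # Disabled leaver accounts are still redundant IDs and still get reported.
            report.leavers.append(acct.user_id)
        else:
            report.authorized.append(acct.user_id)
    return report


def is_id_available(candidate: str, accounts: Iterable[Account], retired_ids: set[str]) -> bool:
    """Rule 11: a new user name must be neither in use nor previously retired."""
    in_use = {a.user_id for a in accounts}
    return candidate not in in_use and candidate not in retired_ids


# Constructed sample data: a small roster and register for demonstration only.
SAMPLE_PEOPLE = [
    Person("alice", "payroll"),
    Person("bob", "payroll", end_date=date(2024, 5, 31)),        # left last month
    Person("carol", "contractor"),
    Person("dave", "contractor", end_date=date(2024, 12, 31)),   # contract still running
]
SAMPLE_ACCOUNTS = [
    Account("alice", True),
    Account("bob", True),     # leaver whose access was never removed
    Account("carol", True),
    Account("dave", True),
    Account("eve", True),     # no HR or contractor record at all
    Account("frank", True),   # ID that was retired and has been reissued
]
RETIRED_IDS = {"frank"}
AS_OF = date(2024, 6, 15)


def run_sample_reconciliation() -> ReconciliationReport:
    return reconcile(SAMPLE_ACCOUNTS, SAMPLE_PEOPLE, RETIRED_IDS, AS_OF)


if __name__ == "__main__":
    rep = run_sample_reconciliation()
    print("authorized:", rep.authorized)
    print("findings:  ", rep.findings())
```

In practice the `accounts` list would come from a directory export and `people` from the HR and contractor systems; the point of keeping a separate `retired_ids` register, rather than just deleting the entry, is that rule 11 cannot be enforced without a record of what has been retired. Running the check on a schedule and treating a non-empty `findings()` as an incident turns the periodic review in rule 10 into something that is actually evidenced rather than assumed.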