User Access and Account Management Standard
Purpose
This standard defines the technical and procedural requirements for creating, managing, and deactivating user accounts in RS Tech Services’ Windows Active Directory (AD) and Microsoft 365 environment.
It ensures consistent application of the User Access and Account Management Policy and supports secure, auditable user-account practices.
Scope
This standard applies to all RS Tech Services employees, contractors, and third-party users who access company systems, applications, or data.
Roles and Responsibilities
| Role | Responsibility |
|---|---|
| IT Operations Team | Create, modify, disable, and delete user accounts; maintain audit logs. |
| HR Department | Initiate access-provisioning and off-boarding requests. |
| Managers / Supervisors | Approve access requests and conduct quarterly reviews of user access. |
| System Owners | Define role-based access requirements for their applications. |
Account Creation Requirements
- Accounts may be created only after written or ticket-based authorization from HR or a manager.
- Unique usernames must be used for all individual accounts.
- Shared or generic accounts are prohibited except for documented service accounts approved by IT management.
- Service accounts must:
- Use randomly generated passwords ≥ 20 characters.
- Be restricted to specific systems and purposes.
- Rotate credentials every 60 days.
Access Assignment and Control
- Access granted according to least privilege and role-based access control (RBAC) principles.
- Membership in privileged groups (e.g., Domain Admins, Global Admins) requires written justification and management approval.
- Privileged accounts must be separate from standard user accounts.
- All administrative actions must be audited and logged.
Authentication and Password Standards
- Password length: minimum 12 characters for user accounts; 20 characters for administrative accounts.
- Must include uppercase, lowercase, numeric, and special characters.
- Password reuse is restricted for the last 24 passwords.
- Expiration: every 90 days for regular users; every 60 days for administrators.
- Multi-factor authentication (MFA) is required for all Microsoft 365 and VPN logins.
- Default passwords must be changed upon first use.
Account Review and Recertification
- Quarterly access reviews conducted by managers using the User Access Review Form.
- System owners perform monthly privileged account reviews.
- Inactive accounts > 45 days automatically disabled by Active Directory policy.
- Disabled accounts deleted after 90 days unless retained for legal or forensic purposes.
Account Deactivation Requirements
- HR must notify IT immediately upon employee termination or contract end.
- IT must disable accounts immediately upon notification.
- Managers are responsible for transferring ownership of email and files.
- Reference the Account Deactivation SOP for step-by-step procedures.
Logging and Monitoring
- Log all login attempts (successful and failed) and retain for one year.
- Enable Microsoft 365 audit logging and Azure AD sign-in reports.
- Generate alerts for repeated failed logins, disabled account access attempts, and privilege escalations.
Third-Party and Temporary Access
- Vendors and contractors must sign a Confidentiality and Access Agreement before account issuance.
- Temporary accounts must have an expiration date ≤ 30 days.
- Extensions require renewal approval and documented justification.
Exceptions
Any deviation from this standard must be approved in writing by the IT Operations Manager and documented in the exception log with a defined expiration date.
Review Cycle
This standard must be reviewed annually or upon significant change to the technical environment or applicable security frameworks.
Compliance and References
This standard supports and enforces the following policies and control frameworks:
- RS Tech Services – User Access and Account Management Policy
- ISO/IEC 27001:2013 / 2022 – Annex A.9.2.6 Removal or Adjustment of Access Rights
- NIST SP 800-53 Rev. 5 – AC-2 (Account Management)
- SOC 2 Trust Services Criteria – Security Principle: Logical Access Controls
Revision History
| Version | Date | Description of Change | Author |
|---|---|---|---|
| 1.0 | 09-01-2025 | Initial Draft | R. Steele |