Policy
Policy Name
System ID Management Policy

Overview
A system ID (also known as a service account) is primarily used for purposes such as automation and authenticating system or application resources or services. System IDs are differentiated from User IDs in that they are "faceless", but they must still be uniquely identified, tracked and associated with the appropriate individual or information resource.

Statement
  • System IDs must have an owner who is an employee and is accountable for their usage.
  • System IDs must require authentication of credentials.
  • System IDs must be traceable (e.g. audit logged) to the assigned resource or owner.
  • Unique System IDs must be used for production and non-production environments (e.g. development, test, etc.) and must not span different environments.
  • Default IDs (e.g. system or vendor IDs used to access systems, applications or devices) must be disabled or removed before implementation.
  • System IDs may only be shared if controlled via an approved Access Control process that includes authorization and an audit trail to track activity to an individual (for accountability).

Justification

The following benefits will be achieved:

  • System ID activity will be identified and access to resources tracked
  • System IDs will be used for their intended purpose
  • Privileged and system access will be appropriately managed to ensure authorized access

Scope
All employees, contractors, agents and third parties

Consequences for Noncompliance
Noncompliance with this policy can result in disciplinary action up to and including termination of employment or contract.

Topics
Access Control
System ID Management