User ID Management

Identity represents who someone is, including the unique characteristics (such as a user ID) that differentiate them from other individuals. User IDs should be appropriately managed as a critical component of the organization's Identity Management (and Access Control) program. Identity Management is the practice of managing identities and their associated roles, authorizations and privileges within the organization.

The following User ID guidelines should apply:
  • User IDs should be unique
  • User IDs must have a documented owner who is accountable for their usage
  • User IDs should not be shared, to ensure accountability
  • User IDs must require authentication of credentials
  • User IDs should be traceable (e.g. audit logged) to the assigned user or owner
  • User IDs should be disabled after termination of employment, contract or business relationship
  • Inactive IDs should be disabled or suspended after a period of inactivity (e.g. 90 days)
  • Disabled IDs should be deleted or removed after a period of inactivity (e.g. 180 days)
  • Privileged IDs should have a documented business need (e.g. functional role) or justification

Please see the "Access Control" topic for additional guidelines and recommendations related to Identity and Access Control.
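One way to check an account inventory against the guidelines above that can be tested from records alone, as an added example that is not part of the original page. The record fields (`owner`, `used_by`, `last_login` and so on) and the sample accounts are constructed assumptions, and the 180-day removal threshold is assumed to be measured from the last login.

```python
from collections import Counter
from datetime import date

INACTIVE_DAYS = 90   # example threshold from the guideline list
REMOVE_DAYS = 180    # example threshold from the guideline list

def audit_accounts(accounts, today):
    """Return {user_id: [findings]} for records that break a guideline."""
    findings = {}
    # IDs that differ only by case are treated as the same ID.
    id_counts = Counter(a["user_id"].lower() for a in accounts)
    for a in accounts:
        issues = []
        idle = (today - a["last_login"]).days
        if id_counts[a["user_id"].lower()] > 1:
            issues.append("duplicate user ID")
        if not a.get("owner"):
            issues.append("no documented owner")
        if len(a.get("used_by", [])) > 1:
            issues.append("shared by multiple people")
        if a.get("terminated") and a["enabled"]:
            issues.append("owner terminated but ID still enabled")
        if a["enabled"] and idle > INACTIVE_DAYS:
            issues.append(f"inactive {idle} days: disable")
        if not a["enabled"] and idle > REMOVE_DAYS:
            issues.append(f"disabled and inactive {idle} days: remove")
        if a.get("privileged") and not a.get("justification"):
            issues.append("privileged without documented business need")
        if issues:
            findings.setdefault(a["user_id"], []).extend(issues)
    return findings

# Constructed sample inventory (not real accounts).
TODAY = date(2024, 6, 30)
SAMPLE = [
    {"user_id": "asmith", "owner": "A. Smith", "enabled": True,
     "last_login": date(2024, 6, 28), "used_by": ["asmith"]},
    {"user_id": "bjones", "owner": "B. Jones", "enabled": True,
     "last_login": date(2024, 2, 1), "terminated": True},
    {"user_id": "svc-backup", "owner": "", "enabled": True, "privileged": True,
     "last_login": date(2024, 6, 29), "used_by": ["asmith", "cwu"]},
    {"user_id": "dlee", "owner": "D. Lee", "enabled": False,
     "last_login": date(2023, 11, 1)},
]

if __name__ == "__main__":
    for user_id, issues in audit_accounts(SAMPLE, TODAY).items():
        print(user_id, "->", "; ".join(issues))
```

Authentication and audit-log traceability are not covered here, because they cannot be judged from an inventory record alone.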

Topic Category
Access Control
News Articles
For some cloud services more than 75% of accounts are utilized by hackers (10/4/2018)
Clarksons says single user account to blame for data breach (www.zdnet.com, 7/31/2018)
Estonia blocks certificates on 760,000 ID cards due to identity theft risk (www.helpnetsecurity.com, 11/3/2017)
Apple iCloud ransom demands: The facts you need to know (www.zdnet.com, 3/24/2017)
Third-Party Twitter Service Hacked to Push Out Nazi-Themed Tweets (www.tripwire.com, 3/15/2017)
Researchers spot uptick in apparel and food delivery online fraud (www.scmagazine.com, 3/3/2017)
Paper factory fired its sysadmin. He returned via VPN and caused $1m in damage. Now
Nigeria launches new biometric ID card - brought to you by Mastercard (www.zdnet.com, 8/29/2014)
Salesforce launches identity service, eyes Okta (www.zdnet.com, 10/15/2013)
Contractor Accesses 2 Million Vodafone Germany Customer Records (threatpost.com, 9/12/2013)
Internet Census 2012 Data: Millions of Devices Vulnerable by Default (threatpost.com, 9/11/2013)
New York Times, Twitter domain hijackers 'came in through front door'
Syrian Electronic Army Cracks GoDaddy
Bradley Manning sentenced to 35 years in
Syrian Electronic Army hijacks Thomson Reuters' Twitter feed (news.cnet.com, 7/29/2013)
20 Critical Security Controls: Control 16 – Account Monitoring (www.tripwire.com, 7/24/2013)
Hollywood hospital fires six for snooping into patient records (nakedsecurity.sophos.com, 7/16/2013)
WellPoint takes $1.7 million hit over HIPAA slip (www.zdnet.com, 7/11/2013)
McAfee intros single sign-on, one-time password controls for cloud (www.zdnet.com, 4/25/2013)
Cloud service answers question 'who are you?' (www.zdnet.com, 1/10/2013)
Toyota sues programmer for 'sabotaging' computer network (www.zdnet.com, 8/30/2012)
Patient Data Theft Sends IT Specialist To Jail (www.informationweek.com, 1/17/2012)
NYC authorities charge 55 in cyber fraud, ID theft ring (www.scmagazine.com, 12/19/2011)
How To Spot Malicious Insiders Before Data Theft (www.informationweek.com, 12/8/2011)
Countrywide insider gets eight months in prison for theft (www.scmagazine.com, 9/28/2011)
WikiLeaks Tests Feasibility Of Government Data Security (www.informationweek.com, 7/28/2011)
FBI Arrests Four For Insider Trading (www.informationweek.com, 12/17/2010)
User ID Management Policy
FIPS 201-2 Standard for Personal Identity Verification of Federal Employees and Contractors (FIPS, 9/5/2013)
NIST SP 800-73-4, Interfaces for Personal Identity Verification (NIST, 6/1/2015)
NIST 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI) (NIST, 7/30/2015)
NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials (NIST, 12/19/2014)