Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
Information asset access credentials are created based on an authorization from the system’s asset owner or authorized custodian
Processes are in place to remove credential access when an individual no longer requires such access
The appropriateness of access credentials is reviewed on a periodic basis for unnecessary and inappropriate individuals with credentials.