Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
Database accounts which remain unused over an extended period of time should, if possible, be locked and later deleted. Users of such accounts should be duly informed before these accounts are locked, and in any case before they are deleted.
If a new user requires a database account only for a limited period of time, the account should also be set up for a limited period, provided the database offers this possibility. It can prove expedient to set up accounts for a limited period initially and to extend their duration at regular intervals (e.g. annually) as required.
If a database user is expected to be absent for an extended period of time (e.g. due to holidays, sick leave, delegation etc.), the user's database account should be locked for this period in order to prevent continued use of the ID. The database administrator must be notified of all extended periods of user absence. It is expedient to have this done by the personnel department using standard notifications of absence.
Furthermore, the database administration should be informed as quickly as possible about user departures. The accounts of departing users should be deleted no later than on their last day of work.
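The rules above can be expressed as a periodic review job. The following sketch is an added example, not part of the BSI text: the record fields, the action names and the 90-day and 180-day thresholds are assumptions, since the safeguard only speaks of an "extended period of time".

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed thresholds: the safeguard says only "extended period of time".
IDLE_BEFORE_LOCK = timedelta(days=90)
LOCKED_BEFORE_DELETE = timedelta(days=180)

@dataclass
class Account:                                  # hypothetical record layout
    name: str
    last_login: date
    locked_since: Optional[date] = None
    lock_reason: Optional[str] = None           # "idle", "absence" or "expired"
    user_notified: bool = False                 # user told of pending lock/delete
    expires: Optional[date] = None              # time-limited accounts only
    absent_from: Optional[date] = None          # from personnel absence notice
    absent_until: Optional[date] = None
    last_working_day: Optional[date] = None     # from personnel departure notice

def review(a: Account, today: date) -> str:
    """Return the action due today: delete, lock, unlock, notify or keep."""
    # Departure: delete no later than the last day of work.
    if a.last_working_day and today >= a.last_working_day:
        return "delete"
    absent = bool(a.absent_from and a.absent_until
                  and a.absent_from <= today <= a.absent_until)
    if absent:
        return "keep" if a.locked_since else "lock"
    if a.lock_reason == "absence":
        return "unlock"                         # the user has returned
    # Time-limited account that was not extended.
    if a.expires and today > a.expires and not a.locked_since:
        return "lock"
    if a.locked_since:
        if today - a.locked_since < LOCKED_BEFORE_DELETE:
            return "keep"
        # Never delete before the user has been informed.
        return "delete" if a.user_notified else "notify"
    idle_from = a.last_login
    if a.absent_until and a.absent_until < today:
        idle_from = max(idle_from, a.absent_until)  # notified absence is not disuse
    if today - idle_from >= IDLE_BEFORE_LOCK:
        # Inform the user before locking an unused account.
        return "lock" if a.user_notified else "notify"
    return "keep"
```

The returned action is meant to be carried out by the administrator with whatever locking and deletion mechanism the database in use provides.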
Additional controls:
© Copyright by Bundesamt für Sicherheit in der Informationstechnik, July 1999