User Account and Privilege Management Policy - SME

The User Account and Privilege Management Policy (P11S) is a comprehensive, SME-focused offering designed to govern the creation, use, monitoring, and removal of user accounts and privileges within an organization. As a policy adapted from global standards and regulatory mandates, it establishes a framework to ensure only authorized users have proper access, a critical control for preventing unauthorized activity and reducing insider threats. Notably, P11S is written specifically for small and medium-sized enterprises (SMEs), as indicated by the General Manager’s (GM) accountability and the absence of complex IT governance structures like dedicated SOCs or CISOs. This approach makes high-assurance access control achievable and manageable for organizations lacking large security teams, while retaining alignment with ISO/IEC 27001:2022 and related frameworks. The policy applies to all employees, contractors, interns, and third parties with access to organizational IT systems. It covers traditional user accounts, administrator and service accounts, as well as temporary or guest credentials. The rules span the entire account lifecycle, from initial onboarding and provisioning, to periodic review and access revocation during offboarding. Every user is allocated a unique, traceable identity to ensure accountability, with shared credentials explicitly forbidden except under controlled, documented exceptions. Elevated privileges must undergo an added layer of justification and authorization, always subject to documentation and periodic review. Roles and responsibilities are simplified and clear: the GM provides overall oversight, ensuring policy adherence and addressing any security incidents related to user accounts. Implementation and technical enforcement tasks fall to the IT Lead (or external IT provider), who manages provisioning, disabling, monitoring, and logging, all strictly based on documented approvals. Line managers play a crucial part in requesting, reviewing, and validating access as their team members’ roles shift, while every user is held accountable for safeguarding their credentials and reporting suspicious activity. The policy is tightly governed, requiring all account changes, creations, deactivations, privilege escalations, to be logged and associated with named individuals. Periodic reviews of access are mandated at least every six months. Password complexity, multi-factor authentication wherever possible, account lockout after failed attempts, and systematic review of service and third-party accounts are hardwired into the rules. Offboarding procedures ensure prompt access removal and retrieval of all digital tokens or devices, reducing lingering access risks. Exception management is held to a high standard: any deviation from core policy (such as the rare use of shared or test accounts) must be justified in writing, compensated with additional controls, reviewed quarterly, and subject to eventual revocation. Emergency “break glass” accounts are permitted only under defined, documented conditions and must be reset following use. The policy stipulates regular audits, security incident reviews, and annual updates to maintain alignment with evolving regulatory and business requirements. Finally, it links explicitly to companion policies that respectively cover governance, access control, onboarding/termination, security awareness, and incident response, ensuring a holistic approach to access management and compliance.