SS Data Protection Company, LLC.
User Account Management Policy
Prepared by:
Sharon Y. Brobbey Mensah Cyril
Michael Paul Ansah Ernest Antwi
Frank Ekow Okyere
Bernard Sewor
Nana Boakye
Approved by:
Dr. Noah Darko
Lead IT Auditor
Effective Date:
March 29th, 2025
Version:
1.0
Confidentiality Notice:
This document contains proprietary and confidential information of SS Data Protection
Company. Unauthorized distribution or reproduction of this document is strictly prohibited.
SS Data Protection Company
User Account Management Policy
1. Purpose
This policy establishes guidelines for the creation, management, and security of user accounts
within SS Data Protection Company. It defines procedures and controls to ensure data security,
confidentiality, integrity, and availability in compliance with GDPR (Article 32), ISO
27001:2022 (Annex A), NIST 800-53 (AC-2, AC-6, AU-12), and SOC 2 (CC6.1 – CC6.8,
CC7.2).
2. Scope
This policy applies to all employees, contractors, and third-party users who access the
organization’s systems, applications, and data.
3. Roles & Responsibilities
3.1 System Administrators
● Provision, modify, and deactivate accounts based on the principle of least privilege (NIST
AC-6, ISO 27001:2022 Control 5.18).
● Enforce strong password policies and Multi-Factor Authentication (MFA) (ISO
27001:2022 Control 8.3, SOC 2 CC6.6).
● Conduct quarterly audits of accounts to ensure compliance (NIST AU-12).
● Monitor for suspicious activity and take corrective actions.
3.2 Human Resources (HR) Department
● Notify IT of employee status changes (ISO 27001:2022 Control 5.14).
● Ensure onboarding and offboarding align with security policies.
● Communicate policy expectations to employees during induction training.
3.3 End Users
● Use accounts only for authorized purposes (ISO 27001:2022 Control 5.10, SOC 2
CC6.2).
● Immediately report any suspicious activity or potential breaches to unit heads for further
escalation to the IT department (NIST IR-4).
3.4 Chief Information Security Officer (CISO)
● Ensure compliance with all relevant security frameworks.
● Review access control logs quarterly (ISO 27001:2022 Control 8.16, NIST AU-12).
● Provide security training on password management, phishing, and social engineering
(SOC 2 CC7.2).
4. Account Creation & Approval
● Accounts are created only upon formal requests and approval by the IT Security Manager
(ISO 27001:2022 Control 5.15, NIST AC-2).
● Each user must have a unique identifier linked to their identity (SOC 2 CC6.3, GDPR
Article 32). User authentication and validation must be performed using a username and
password before granting users access to SSDC systems and applications.
● Temporary accounts, such as contractor or vendor accounts, will expire after 90 days of
inactivity, or 90 days after the end of a contract (NIST AU-12).
● Sessions are configured to time out after 15 minutes of inactivity (SOC 2 CC6.7).
5. Access Control & Privileges
● Access to systems is granted based on the principle of least privilege, ensuring users
have only the permissions necessary to perform their job functions (NIST AC-6, ISO
27001:2022 Control 5.18).
● Access is granted, where applicable, based on predefined roles aligned with job
functions (role-based access). The Security Team shall maintain and update a role matrix
that will be reviewed on a yearly basis or upon significant organizational changes.
● Privileged Access Management (PAM) is required for admin accounts (ISO
27001:2022 Control 8.3).
● No single user shall have complete control over critical processes or transactions.
● Elevated privileges must be justified, documented, and approved by a supervisor or the
Security Team.
● New user access requests must be submitted via the HR management system and
approved by a supervisor or Security Team member.
● Access for terminated or departing individuals shall be revoked within 24 hours of
departure; transferred employees’ permissions shall be reviewed and adjusted within 48
hours. (NIST AC-2, SOC 2 CC6.1).
6. Account Security Requirements
6.1. Password & Credential Requirements
● Password Complexity: Require passwords to be at least 14 characters, including
uppercase/lowercase letters, numbers, and special characters (ISO 27001:2022 Control
8.3, NIST IA-5). Passwords and user IDs must not follow any pattern or sequence
that is easy to predict.
● Password Manager: Users who have difficulty generating their own strong passwords
are encouraged to use password managers to generate and store strong passwords
securely.
● Multi-Factor Authentication (MFA): Users must install the Microsoft Authenticator
app to establish multi-factor authentication.
● Password Resets: User passwords must be changed every 90 days. Users must not repeat
passwords within a two-year period; the system is configured to reject repeated
passwords.
● Shared Credentials: Users must not share credentials or use shared accounts unless
explicitly approved.
6.2. Secure Authentication & Login Practices
● Failed Login Attempt Lockout: Lock accounts after 5 failed login attempts. (NIST
AC-7, SOC 2 CC6.6).
● Captcha for Repeated Login Attempts: Use CAPTCHAs to differentiate between real
users and automated bots for repeated login attempts from unrecognized locations or
devices.
● Secure Password Recovery: Require multi-step verification for password resets,
preventing social engineering attacks.
7. Secure Privileged Accounts (Admin Accounts)
● Dedicated Admin Accounts: Separate privileged (admin) accounts from regular user
accounts.
● Privileged Access Management (PAM): Use PAM solutions to control and monitor
privileged account activity.
● No Direct Root/Admin Access: Require users to log in as a regular user and elevate
privileges as needed (e.g., sudo in Linux).
7.1. Logging, Monitoring, and Incident Response
● Enable Security Logging: Log all authentication attempts, privilege escalations,
and modifications (NIST AU-12, SOC 2 CC6.8).
● Monitor Suspicious Activities: Use Security Information and Event Management
(SIEM) tools (ISO 27001:2022 Control 8.16, NIST AU-12).
● Incident Response Plan: Report security incidents within 24 hours (NIST IR-4,
SOC 2 CC7.3).
● Log Integrity Protection: Logs must be stored in tamper-proof storage (ISO
27001:2022 Control 8.13, NIST AU-9).
8. Security Awareness & User Training
● Educate Users on Security Best Practices: Conduct regular training on phishing, social
engineering, and secure authentication.
● Enforce Security Policies: Regularly update and enforce security policies on user
account management.
9. Account Deactivation & Removal
9.1. Roles and Responsibilities
i. Human Resources (HR)
● Notify the IT/System Administrators immediately upon employee termination,
resignation, or role change (ISO/IEC 27001:2022 Control 5.14).
● Flag contractor/vendor account expiration dates.
ii. IT/System Administrators
● Execute account deactivation/removal requests within defined timelines (NIST SP
800-53 AC-2).
● Audit and monitor for unauthorized or inactive accounts (CIS Control 5).
iii. Department Managers
● Validate access revocation for employees changing roles or projects (CIS Control 5.4).
iv. Automated Systems
● Flag accounts inactive for >90 days or exhibiting suspicious activity (NIST IA-4).
9.2. Process
i. Verification
● Confirm the legitimacy of requests via HR-generated tickets or manager approval
(ISO/IEC 27001:2022 Control 5.15).
ii. Access Revocation
● Immediate Actions:
○ Disable credentials, SSO, VPN, API keys, and session tokens.
○ Remove user from Active Directory (NIST AC-2, CIS Control 16).
● Post-Deactivation:
○ Transfer ownership of business-critical data to designated personnel.
○ Securely erase personal data per GDPR Article 17 and HIPAA §164.310(d).
iii. Documentation
● Log deactivation date, reason, and responsible personnel in a centralized system
(ISO/IEC 27001:2022 Control 8.13).
● Retain logs for a minimum of 6 years for compliance audits.
9.3. Timelines
Action                                   Timeline
Termination Due to Security Violation    Immediate
Resignation                              24 Hours
Inactive Accounts (>90 days)             Flag and warn, delete after 3 warnings
Vendor Account Expiration                7 days post-project completion
10. Policy Enforcement & Violations
● Violations may result in disciplinary action, including termination (ISO 27001:2022
Control 5.10).
● Security breaches must be reported via the incident response line 3456289789 within 24
hours of the breach. Reports must include the user account ID, the suspicious activity,
and its time and location (NIST IR-4, SOC 2 CC7.3).
● The company must conduct annual reviews of security policies to ensure that policies and
controls are up to date, ready to mitigate emerging threats, and effective in protecting
organisational assets (ISO 27001:2022 Control 5.18).
● Any updates must be approved by the IT department and senior management.
Approval & Effective Date:
Approved by: Group 13
Title: IT Audit Team
Effective Date: 03/29/2025
User Acknowledgment Form
I acknowledge that I have read, understood, and agree to comply with the User Account
Management Policy. I understand that failure to comply may result in disciplinary action and/or
revocation of access privileges.
User Information:
● Name: ________________________
● Department: ___________________
● Job Title: _____________________
● Username: _____________________
● Date: _________________________
● Signature: ____________________
For IT Department Use Only:
● Account Created By: _______________
● Date: _________________________
● Access Level Granted: ______________
● Approval Manager: ________________
● Signature: _____________________