6\VWHP $GPLQLVWUDWLRQ 0DGH (DV\

Chapter 12: User AdministrationRecommended Policies and ProceduresSome of the tasks in this guidebook are aimed at complying with common audit procedures.Obtaining proper authorization and documentation should be a standard prerequisite for alluser administration actions.User administration tasks comprise the following: User ID naming conventions The employee’s company ID number (for example, e0123456) Last name, first initial, or first name, last initialIn a small company where names are often used as ID, it is common to use theemployee’s last name and first initial of the first name or the employee’s first nameand first initial of the last name (for example, doej or johnd, for John Doe). Clearly identifiable user IDs for temporary employees and consultants (for example,T123456, C123456). Adding or changing a user The user’s manager should sign a completed user add-or-change form. The form should indicate the required security, job role, etc., that defines howsecurity is assigned in your company. If security crosses departments or organizations, the affected managers should alsogive their approval. If the user is not a permanent employee, or if the access is to be for a limited time, thetime period and the expiration date should be indicated. The forms should be filed by employee name or ID. A periodic audit should be performed, where all approved authorizations areverified against what was assigned to the user. Users leaving the company or changing jobs This event is particularly sensitive.The policies and procedures for this event must be developed in advance and becoordinated by many groups. As an example, see the table below.System Adminstration Made Easy12–3