Define the process for assigning, provisioning, managing, and disabling credentials for all employees, contractors, and customer accounts that access eXpress badging® systems, including the Veonics® Portal.
🛠️ Scope
Applies to:
- Internal users (Admins, Employees, Executives, Contractors)
- Customer users (Production, Subscription, Admin accounts)
- Service accounts (databases, APIs, directory services)
Owner
- Technical Operations Lead
- Reviewed quarterly during EOS Scorecard reviews
1️⃣ Credential Assignment (Joiner)
- Request: Manager or Customer Admin submits a ticket in Jira/HubSpot with business justification.
- Approval: Department Head (internal) or Customer Admin (customer) must approve.
- Provisioning:
  - Unique user ID created (no shared accounts).
  - Assigned least privilege role (Customer User, Production User, Subscription User, Admin).
  - Passwords generated per Group Policy (minimum length, complexity, rotation).
  - MFA enabled for Admin or elevated accounts.
- Acknowledgment: User must accept the Acceptable Use & PII Handling policy.
2️⃣ Credential Use & Enforcement
- Passwords: Minimum 8 characters, upper/lowercase, numeric, special characters.
- Lockouts: Account locks after repeated failed login attempts.
- Timeouts: Sessions automatically expire after ≤15 minutes idle.
- Rotation: Internal credentials rotated quarterly; customer admins may enforce their own policies.
- Service Accounts: Configured with least privilege IAM roles in AWS; reviewed quarterly.
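As an added example (not part of this policy text or of the Veonics® Portal tooling), a Python check that applies the enforcement rules above, together with the quarterly access review, to a constructed set of account records. The field names, treating only Admin as an elevated role, and reading "quarterly" as 90 days are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Treating only Admin as "elevated" is an assumption; the policy names Admin and "elevated" accounts.
ELEVATED_ROLES = {"Admin"}
ROTATION_DAYS = 90        # "rotated quarterly" read as 90 days (assumption)
MAX_IDLE_MINUTES = 15     # sessions must expire after <= 15 minutes idle

@dataclass
class Account:
    user_id: str
    role: str
    internal: bool             # internal user vs. customer account
    mfa_enabled: bool
    shared: bool               # more than one person knows the credential
    password_set: date
    idle_timeout_minutes: int
    active: bool = True

def review_account(acct: Account, today: date) -> List[str]:
    """Return policy findings for one account (empty list means compliant)."""
    findings = []
    if acct.shared:
        findings.append("shared account (unique user IDs required)")
    if acct.role in ELEVATED_ROLES and not acct.mfa_enabled:
        findings.append("MFA missing on elevated account")
    if acct.internal and (today - acct.password_set).days > ROTATION_DAYS:
        findings.append("internal credential past quarterly rotation")
    if acct.idle_timeout_minutes > MAX_IDLE_MINUTES:
        findings.append("idle timeout exceeds 15 minutes")
    return findings

def quarterly_review(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Findings per user_id for active accounts; disabled accounts are out of scope."""
    return {a.user_id: f for a in accounts if a.active and (f := review_account(a, today))}

# Constructed sample records for one review run (not real accounts).
REVIEW_DATE = date(2024, 7, 1)
SAMPLE_ACCOUNTS = [
    Account("jdoe", "Admin", True, True, False, REVIEW_DATE - timedelta(days=30), 15),
    Account("ops-shared", "Production User", True, False, True, REVIEW_DATE - timedelta(days=120), 30),
    Account("cust-admin", "Admin", False, False, False, REVIEW_DATE - timedelta(days=200), 10),
    Account("ex-contractor", "Customer User", True, False, True, REVIEW_DATE - timedelta(days=400), 60, active=False),
]

if __name__ == "__main__":
    for user, findings in quarterly_review(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(user, "->", "; ".join(findings))
```

Customer accounts are exempt from the internal rotation check, matching the rule that customer admins may enforce their own policies.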
3️⃣ Credential Review (Mover)
- Role changes require a new ticket with justification and approval.
- Excess rights must be removed first before granting new permissions.
- Jira/HubSpot ticket logs changes for audit tracking.
- Service account permissions revalidated quarterly.
4️⃣ Credential Deactivation (Leaver)
- Upon HR/customer notification, credentials are disabled within minutes.
- Steps include:
  - Disable user account in the Veonics® Portal or AD.
  - Revoke tokens/API keys.
  - Remove group memberships.
  - Collect hardware tokens, if issued.
- Documentation of deactivation attached to the Jira/HubSpot ticket.
5️⃣ Compromised Account Handling
- If suspicious activity is detected:
  - Account disabled immediately.
  - SOC/IT investigates incident logs.
  - New credentials provisioned only after clearance.
  - Logged as a security incident under the Incident & Breach Response Process.
6️⃣ Evidence & Monitoring
- Screenshots from Group Policy / credential management tools available under NDA.
- Audit logs retained for all provisioning, changes, and deactivations.
- SOC monitoring detects anomalies and escalates for response.
📊 NIST CSF 2.0 Alignment
| Function | Practice |
|---|---|
Identify (ID) | Role and privilege mapping per Accountability Chart |
Protect (PR) | Password complexity, MFA, lockout, session timeout |
Detect (DE) | SOC anomaly monitoring, failed login alerts |
Respond (RS) | Ticketing, account disablement, incident escalation |
Recover (RC) | Credential resets, quarterly access reviews |