Credentials Management Runbook

This runbook defines the process for assigning, provisioning, managing, and disabling credentials for all employees, contractors, and customer accounts that access eXpress badging® systems, including the Veonics® Portal.

🛠️ Scope

Applies to:

  • Internal users (Admins, Employees, Executives, Contractors)

  • Customer users (Production, Subscription, Admin accounts)

  • Service accounts (databases, APIs, directory services)

Owner

  • Technical Operations Lead

  • Reviewed quarterly during EOS Scorecard reviews


1️⃣ Credential Assignment (Joiner)

  1. Request: Manager or Customer Admin submits a ticket in Jira/HubSpot with business justification.

  2. Approval: Department Head (internal) or Customer Admin (customer) must approve.

  3. Provisioning:

    • Unique user ID created (no shared accounts).

    • Assigned a least-privilege role (Customer User, Production User, Subscription User, Admin).

    • Passwords generated per Group Policy (minimum length, complexity, rotation).

    • MFA enabled for Admin or elevated accounts.

  4. Acknowledgment: User must accept Acceptable Use & PII Handling policy.


2️⃣ Credential Use & Enforcement

  • Passwords: Minimum 8 characters, upper/lowercase, numeric, special characters.

  • Lockouts: Account locks after repeated failed login attempts.

  • Timeouts: Sessions automatically expire after ≤15 minutes idle.

  • Rotation: Internal credentials rotated quarterly; customer admins may enforce their own policies.

  • Service Accounts: Configured with least privilege IAM roles in AWS; reviewed quarterly.
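Added example (not part of this runbook or of any eXpress badging® tooling): a small Python helper that enforces three of the controls listed above, using the runbook's own numbers for password length (8) and idle timeout (15 minutes). The lockout threshold of 5 consecutive failures is an assumption, since the runbook only says "repeated failed login attempts"; the function and class names are illustrative.

```python
"""Enforcement helpers for the section 2 controls: password complexity,
failed-login lockout, and idle session timeout. Added example; the
numbers marked "runbook" come from the page, the lockout count is assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import string

MIN_LENGTH = 8                         # runbook: minimum 8 characters
IDLE_TIMEOUT = timedelta(minutes=15)   # runbook: sessions expire at <= 15 minutes idle
LOCKOUT_THRESHOLD = 5                  # assumption: runbook says only "repeated"


def password_policy_violations(password: str) -> list[str]:
    """Return the rules a candidate password fails (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def session_expired(last_activity_iso: str, now_iso: str) -> bool:
    """True once the gap since the last request reaches the idle limit.
    Timestamps are ISO 8601 strings so callers need no datetime import."""
    last = datetime.fromisoformat(last_activity_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last >= IDLE_TIMEOUT


@dataclass
class LockoutTracker:
    """Counts consecutive failed logins per user and locks at the threshold.
    A locked account stays locked until an administrator clears it."""
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def record_failure(self, user: str) -> bool:
        """Record one failed attempt; return whether the account is now locked."""
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
        return user in self.locked

    def record_success(self, user: str) -> None:
        """A successful login resets the counter, but never unlocks an account."""
        if user not in self.locked:
            self.failures.pop(user, None)

    def is_locked(self, user: str) -> bool:
        return user in self.locked

    def unlock(self, user: str) -> None:
        """Administrative reset after the review in section 5."""
        self.locked.discard(user)
        self.failures.pop(user, None)


if __name__ == "__main__":
    print(password_policy_violations("Badge#2024"))   # compliant: []
    tracker = LockoutTracker()
    for _ in range(LOCKOUT_THRESHOLD):
        tracker.record_failure("jdoe")
    print("jdoe locked:", tracker.is_locked("jdoe"))
```

The lockout counter only resets on success while the account is unlocked; once locked, the account needs an explicit administrative unlock, which keeps the section 5 "new credentials only after clearance" rule enforceable in code rather than by convention.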


3️⃣ Credential Review (Mover)

  • Role changes require a new ticket with justification and approval.

  • Excess rights must be removed before any new permissions are granted.

  • Jira/HubSpot ticket logs changes for audit tracking.

  • Service account permissions revalidated quarterly.


4️⃣ Credential Deactivation (Leaver)

  • Upon HR/customer notification, credentials are disabled within minutes.

  • Steps include:

    • Disable user account in the Veonics® Portal or AD.

    • Revoke tokens/API keys.

    • Remove group memberships.

    • Collect hardware tokens, if issued.

  • Documentation of deactivation attached to the Jira/HubSpot ticket.


5️⃣ Compromised Account Handling

  • If suspicious activity is detected:

    • Account disabled immediately.

    • SOC/IT investigates incident logs.

    • New credentials provisioned only after clearance.

    • Logged as a security incident under the Incident & Breach Response Process.


6️⃣ Evidence & Monitoring

  • Screenshots from Group Policy / credential management tools available under NDA.

  • Audit logs retained for all provisioning, changes, and deactivations.

  • SOC monitoring detects anomalies and escalates for response.
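Added example (not part of this runbook or of any eXpress badging® or SOC tooling): Python detection logic that runs over audit log lines of the kind section 6 says are retained, raising the three escalations this runbook implies: a provisioning or role change with no Jira/HubSpot ticket (section 3), a successful login after a deactivation (section 4), and an Admin login without MFA (section 1). The log format, field names and sample lines are constructed for the example.

```python
"""Anomaly detection over provisioning/login audit lines. Added example;
the key=value log format and the sample events below are constructed."""
from datetime import datetime
from typing import Iterable, NamedTuple

# Constructed sample: one record per line, ISO timestamp then key=value pairs.
# "ticket=-" means the change was made without a ticket reference.
LOG_LINES = """\
2024-05-02T10:15:03Z ticket=JIRA-101 action=provision user=asmith role=Production
2024-05-02T10:20:41Z ticket=- action=role_change user=bjones role=Admin
2024-05-02T11:02:10Z action=login user=bjones role=Admin mfa=no result=OK
2024-05-02T12:00:00Z ticket=HS-2231 action=disable user=asmith
2024-05-02T12:30:12Z action=login user=asmith role=Production mfa=yes result=OK
2024-05-02T12:31:00Z action=login user=cdoe role=Customer mfa=no result=OK
"""

CHANGE_ACTIONS = {"provision", "role_change", "disable"}


class Event(NamedTuple):
    time: datetime
    fields: dict


class Alert(NamedTuple):
    kind: str
    user: str
    detail: str


def parse_line(line: str) -> Event:
    """Split 'TIMESTAMP k=v k=v ...' into an Event; unknown keys are kept as-is."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), fields)


def detect_anomalies(lines: Iterable[str]) -> list[Alert]:
    """Single pass in log order, tracking which accounts have been disabled."""
    disabled: set[str] = set()
    alerts: list[Alert] = []
    for ev in (parse_line(ln) for ln in lines if ln.strip()):
        f = ev.fields
        action, user = f.get("action"), f.get("user", "?")
        stamp = ev.time.isoformat()

        # Section 3: every provisioning/role change/deactivation needs a ticket.
        if action in CHANGE_ACTIONS and f.get("ticket", "-") == "-":
            alerts.append(Alert("CHANGE_WITHOUT_TICKET", user,
                                f"{stamp} {action} for {user} has no Jira/HubSpot ticket"))
        if action == "disable":
            disabled.add(user)

        if action == "login" and f.get("result") == "OK":
            # Section 4: a disabled account must not be able to log in.
            if user in disabled:
                alerts.append(Alert("LOGIN_AFTER_DEACTIVATION", user,
                                    f"{stamp} successful login by deactivated account {user}"))
            # Section 1: Admin accounts must use MFA.
            if f.get("role") == "Admin" and f.get("mfa") != "yes":
                alerts.append(Alert("ADMIN_LOGIN_WITHOUT_MFA", user,
                                    f"{stamp} Admin login by {user} without MFA"))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(LOG_LINES.splitlines()):
        print(f"[{alert.kind}] {alert.detail}")
```

Run on the constructed sample this raises three alerts: the ticketless role change for bjones, bjones's Admin login without MFA, and asmith's login after the deactivation; cdoe's non-Admin login without MFA is not flagged, matching the runbook's rule that MFA is mandatory for Admin or elevated accounts. Each alert carries the user, so the SOC escalation in section 5 (disable, investigate, re-provision after clearance) can be keyed off the account.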


📊 NIST CSF 2.0 Alignment

Function        Practice
Identify (ID)   Role and privilege mapping per Accountability Chart
Protect (PR)    Password complexity, MFA, lockout, session timeout
Detect (DE)     SOC anomaly monitoring, failed login alerts
Respond (RS)    Ticketing, account disablement, incident escalation
Recover (RC)    Credential resets, quarterly access reviews