Is authentication to privileged systems supporting ‘s data done using two-factor authentication?
Are initial passwords randomly generated strings provided via a password reset mechanism to each
Is the password reset upon first use?
Do all passwords follow the best practice of at least 12 characters, requiring a mix of upper and lower case letters, numbers, and special characters?
If service accounts are necessary for device or process authentication, are the accounts created by the central identity management team and assigned to a member of the team using the account (separation of duties)?
Are company and service accounts managed centrally and deleted automatically when an individual leaves?
Are accounts provisioned as part of the established account creation process?
Are accounts uniquely assigned to new employees, contractors, or subcontractors upon hire?
Does the system make use of company-assigned accounts for unique access by individuals?
Are account identifiers reused (i.e. is the same username ever used more than once)?
Are user accounts different from their email accounts?