Sector 1 – Account Hygiene

Account hygiene refers to the ongoing practices and measures taken to ensure that user accounts within an enterprise are securely managed and protected. This includes implementing robust password policies, regularly reviewing accounts for inactivity, deactivating dormant or unused accounts, and preventing unauthorised access through strong authentication methods. The goal is to maintain secure access to enterprise systems, mitigate risks from potential breaches, and ensure that sensitive data is only accessed by authorised personnel.

———————————————————————————————————

Level 1 Certification

———————————————————————————————————

Measure 1.1: Implement Strong Password Policies and Practices

Does your enterprise enforce strong password policies to ensure that employees create unique, complex passwords for their accounts?
Example: Require a minimum length of at least 12 characters, screen new passwords against lists of known-breached passwords, and block reuse of a user's previous passwords. Note that NIST SP 800-63B no longer recommends forced character-class mixes or calendar-based password changes; a change should instead be required when a credential is suspected to have been compromised. Implement multi-factor authentication (MFA) for an added layer of security.

Measure 1.2: Regularly Review and Cleanse User Accounts

Does your enterprise regularly review all user accounts to ensure that only active employees have access to your systems?
Example: Conduct quarterly reviews of user accounts to disable or remove accounts belonging to former employees, contractors, or anyone who no longer requires access.

Measure 1.3: Deactivate Inactive Accounts

Does your enterprise flag and deactivate accounts that have been inactive for a set period (e.g., 30, 60, or 90 days)?
Example: Set up automated alerts to notify administrators when user accounts have been inactive for the specified duration, prompting a review for deactivation.
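The inactivity check described above, worked as an added example in Python (this script is not part of the certification scheme; the account records, threshold values and field names are constructed for illustration). It flags accounts whose last logon is older than the threshold, judges never-used accounts by their creation date after a short grace period, and exempts service accounts, which need a separate review rather than automatic disablement:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

INACTIVITY_DAYS = 90          # policy threshold from Measure 1.3 (assumed value)
NEW_ACCOUNT_GRACE_DAYS = 14   # a just-created account has not had a chance to log in yet

# Caveat for Active Directory exports: lastLogonTimestamp is replicated lazily and
# can be up to about 14 days stale, so keep the threshold comfortably above that.


@dataclass
class Account:
    name: str
    created: datetime
    last_logon: Optional[datetime]   # None means the account has never logged in
    enabled: bool = True
    service_account: bool = False    # exempt from auto-disable; reviewed separately


def classify(acct: Account, now: datetime,
             inactivity_days: int = INACTIVITY_DAYS,
             grace_days: int = NEW_ACCOUNT_GRACE_DAYS) -> str:
    """Return one of: active, disabled, exempt, never-logged-in, inactive."""
    if not acct.enabled:
        return "disabled"
    if acct.service_account:
        return "exempt"
    if acct.last_logon is None:
        # Never used: measure age from creation so an unused account does not
        # linger forever, but allow a grace period for genuinely new starters.
        if acct.created <= now - timedelta(days=grace_days):
            return "never-logged-in"
        return "active"
    if acct.last_logon <= now - timedelta(days=inactivity_days):
        return "inactive"
    return "active"


def find_deactivation_candidates(accounts: List[Account], now: datetime) -> List[str]:
    """Names of accounts that should be routed to an administrator for disablement."""
    return sorted(a.name for a in accounts
                  if classify(a, now) in ("inactive", "never-logged-in"))


def review_report(accounts: List[Account], now: datetime) -> Dict[str, str]:
    return {a.name: classify(a, now) for a in accounts}


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample directory export and a fixed "as of" date so the run is repeatable.
AS_OF = _utc(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", _utc(2022, 1, 10), _utc(2024, 5, 28)),                       # active
    Account("bob", _utc(2022, 3, 1), _utc(2024, 1, 15)),                          # inactive > 90 days
    Account("carol", _utc(2024, 5, 25), None),                                    # new starter, in grace
    Account("dave", _utc(2024, 3, 1), None),                                      # never used, past grace
    Account("svc-backup", _utc(2021, 6, 1), _utc(2023, 1, 1), service_account=True),
    Account("erin", _utc(2020, 2, 2), _utc(2021, 2, 2), enabled=False),           # already disabled
]

if __name__ == "__main__":
    for name, status in review_report(SAMPLE_ACCOUNTS, AS_OF).items():
        print(f"{name:12s} {status}")
    print("candidates:", find_deactivation_candidates(SAMPLE_ACCOUNTS, AS_OF))
```

The never-logged-in branch matters in practice: an account provisioned for a hire who never started has no last-logon value at all, and a check that only looks at last logon will never flag it.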

Measure 1.4: Implement Multi-Factor Authentication (MFA)

Does your enterprise enforce MFA to add an extra layer of security on user accounts?
Example: Require employees to use MFA, such as Google Authenticator, Microsoft Authenticator, or hardware tokens, to secure their accounts and prevent unauthorised access. Prefer phishing-resistant methods (FIDO2/WebAuthn security keys or platform authenticators) for administrators and other high-risk accounts; SMS one-time codes are the weakest option because they can be intercepted or diverted by SIM swapping.

———————————————————————————————————

Level 2 Certification

To achieve Level 2: Level 1 must also be achieved.

———————————————————————————————————

Measure 1.5: Conduct Risk Assessments on User Access and Privileges

Does your enterprise regularly evaluate user access to ensure employees have only the permissions necessary to perform their job functions?
Example: Implement role-based access control (RBAC) to ensure employees only have access to the systems and data relevant to their roles, reducing the risk of accidental or malicious exposure.

Measure 1.6: Automate User Account Provisioning and Deactivation

Does your enterprise automate the process of creating, updating, and deactivating user accounts?
Example: Use Identity and Access Management (IAM) tools like Okta or Microsoft Entra ID (formerly Azure AD) to automatically provision accounts for new employees and deactivate accounts when they leave the company. Drive these workflows from the HR system of record so that a termination recorded in HR disables the account without waiting for a manual ticket.

Measure 1.7: Implement Secure Password Management Practices

Does your enterprise enforce the use of secure password management tools for storing credentials and ensuring password complexity?
Example: Provide an enterprise password manager, such as 1Password or PMP, and require employees to use it to generate and store unique passwords so that passwords are not reused across systems.

Measure 1.8: Regularly Train Employees on Account Security Best Practices

Does your enterprise provide regular training to employees on secure account management and how to spot phishing attempts or other account security threats?
Example: Offer training sessions on password security, MFA, and how to spot phishing emails, ensuring employees understand their role in maintaining account security.

———————————————————————————————————

Level 3 Certification

To achieve Level 3: Level 2 and Level 1 must also be achieved.

———————————————————————————————————

Measure 1.9: Implement Advanced Authentication Methods

Does your enterprise implement advanced authentication methods such as biometrics or adaptive authentication for high-level access or sensitive systems?
Example: Use fingerprint or facial recognition to unlock a registered device or security key for admin accounts. A biometric should be one factor alongside possession of the enrolled device rather than the sole factor, because a biometric cannot be changed if it is compromised. Adaptive authentication can require step-up verification when a login comes from a new device, an unusual location, or outside normal working hours.

Measure 1.10: Enforce Password Expiry and History Policies

Does your enterprise have policies in place to enforce regular password changes and prevent users from reusing previous passwords?
Example: Require employees to change their passwords when a compromise is suspected or confirmed, and at most every 60 to 90 days where a regulation or contract demands a fixed schedule, and ensure that the last five passwords cannot be reused. NIST SP 800-63B advises against routine calendar-based expiry because it pushes users toward predictable, incrementally changed passwords; screening against breached-password lists and MFA (Measures 1.1 and 1.4) give more protection than frequent rotation.
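The password policy checks of Measures 1.1 and 1.10, as an added example in Python (not code from the certification scheme; the breached-password set, the threshold constants and the sample passwords are constructed). The checker enforces minimum length, screening against a breached list, no username inside the password, and no reuse of the last five passwords, with history kept as salted scrypt hashes so the history store cannot be turned back into old passwords; needs_rotation shows compromise-driven rotation with calendar expiry as an optional policy setting:

```python
import hashlib
import hmac
import os
from datetime import date, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 12          # length matters more than character-class rules (assumed value)
HISTORY_DEPTH = 5        # Measure 1.10: the last five passwords may not be reused

# Constructed stand-in for a breached-password corpus. A real deployment checks the
# full Have I Been Pwned list or an equivalent feed, not a handful of entries.
BREACHED = {"password", "password123", "welcome1", "qwerty123456", "summer2024!"}

# scrypt cost parameters: salted, memory-hard hashing for the stored history.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

PasswordHash = Tuple[bytes, bytes]   # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> PasswordHash:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def check_new_password(candidate: str, username: str,
                       history: List[PasswordHash]) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if candidate.lower() in BREACHED:
        problems.append("breached")
    if username and username.lower() in candidate.lower():
        problems.append("contains_username")
    # Only the most recent HISTORY_DEPTH hashes count; older ones have aged out.
    if any(verify(candidate, salt, digest) for salt, digest in history[-HISTORY_DEPTH:]):
        problems.append("reused")
    return problems


def record_password(history: List[PasswordHash], password: str) -> List[PasswordHash]:
    """Append the new hash and keep only the last HISTORY_DEPTH entries."""
    history.append(hash_password(password))
    del history[:-HISTORY_DEPTH]
    return history


def needs_rotation(last_changed: date, today: date, compromised: bool,
                   max_age_days: Optional[int] = None) -> bool:
    """Rotate on evidence of compromise; calendar expiry applies only if the policy sets max_age_days."""
    if compromised:
        return True
    return max_age_days is not None and (today - last_changed) > timedelta(days=max_age_days)


if __name__ == "__main__":
    hist: List[PasswordHash] = []
    record_password(hist, "CorrectHorse!Battery1")
    for pw in ["short1", "qwerty123456", "CorrectHorse!Battery1", "Tall-Ship-Marmalade-91"]:
        print(f"{pw:24s} -> {check_new_password(pw, 'alice', hist) or 'ok'}")
```

Storing history as salted hashes rather than plaintext is the part most often skipped: a history table of reversible or unsalted entries is itself a credential leak waiting to happen, and it also reveals how users increment their passwords over time.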

Measure 1.11: Conduct Regular Access Reviews and Audits

Does your enterprise conduct comprehensive access reviews and audits to ensure users have the correct permissions and no unnecessary access to sensitive data or systems?
Example: Schedule regular audits to review user access and permissions and adjust them as needed based on role changes, promotions, or terminations.
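An access review of the kind Measures 1.5 and 1.11 describe, as an added example in Python (not code from the page; the role model and user entitlements are constructed). It compares each user's effective permissions with the baseline implied by their roles and reports excess permissions, users with no role or with a role the model no longer defines, and roles nobody holds:

```python
from typing import Dict, List, Set, Tuple

# Constructed role baseline and entitlement export. In practice the baseline comes
# from the RBAC model and the export from the IdP or each system's own ACLs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "finance": {"ledger:read", "ledger:write"},
    "support": {"tickets:read", "tickets:write", "customer:read"},
}

USERS: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"roles": {"engineer"}, "permissions": {"repo:read", "repo:write", "ci:run"}},
    # bob moved from finance to support; ledger:read was never revoked
    "bob": {"roles": {"support"},
            "permissions": {"tickets:read", "tickets:write", "customer:read", "ledger:read"}},
    # carol is below her baseline (harmless, but shows the model is out of date)
    "carol": {"roles": {"engineer"}, "permissions": {"repo:read", "ci:run"}},
    # dave holds a direct grant with no role at all
    "dave": {"roles": set(), "permissions": {"repo:read"}},
    # eve is assigned a role the model no longer defines
    "eve": {"roles": {"legacy-admin"}, "permissions": set()},
}

Finding = Tuple[str, str, List[str]]   # (user, kind, detail)


def baseline_for(roles: Set[str], role_permissions: Dict[str, Set[str]]) -> Tuple[Set[str], List[str]]:
    """Permissions the user's roles entitle them to, plus any roles the model does not know."""
    expected: Set[str] = set()
    unknown: List[str] = []
    for role in sorted(roles):
        if role in role_permissions:
            expected |= role_permissions[role]
        else:
            unknown.append(role)
    return expected, unknown


def review(users: Dict[str, Dict[str, Set[str]]],
           role_permissions: Dict[str, Set[str]]) -> List[Finding]:
    findings: List[Finding] = []
    for user in sorted(users):
        rec = users[user]
        expected, unknown = baseline_for(rec["roles"], role_permissions)
        if not rec["roles"]:
            findings.append((user, "no_role", []))
        if unknown:
            findings.append((user, "unknown_role", unknown))
        excess = sorted(rec["permissions"] - expected)     # the least-privilege violations
        if excess:
            findings.append((user, "excess", excess))
        missing = sorted(expected - rec["permissions"])    # informational: model drift
        if missing:
            findings.append((user, "missing", missing))
    return findings


def unused_roles(users: Dict[str, Dict[str, Set[str]]],
                 role_permissions: Dict[str, Set[str]]) -> List[str]:
    """Roles defined in the model that no user currently holds."""
    assigned = set().union(*(rec["roles"] for rec in users.values()))
    return sorted(set(role_permissions) - assigned)


if __name__ == "__main__":
    for user, kind, detail in review(USERS, ROLE_PERMISSIONS):
        print(f"{user:8s} {kind:13s} {detail}")
    print("unused roles:", unused_roles(USERS, ROLE_PERMISSIONS))
```

The "excess" findings are what a reviewer acts on first; "missing" and "unknown_role" findings are a signal that the role model itself has drifted from reality and needs updating before the next review cycle.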

Measure 1.12: Monitor Account Activity and Suspicious Logins

Does your enterprise continuously monitor user account activity to detect and respond to suspicious logins or unauthorised access attempts?
Example: Use Security Information and Event Management (SIEM) tools like Splunk or SolarWinds to collect authentication logs and alert on bursts of failed logins against one account, one source address failing against many accounts (password spraying), logins from two locations that could not be reached in the elapsed time (impossible travel), logins from new devices or countries, and repeated MFA prompts that the user denies.
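The alerting logic described above, as an added example in Python (not code from the page or from any SIEM vendor; the log lines are constructed, in an assumed one-JSON-object-per-line format that already carries geo-IP coordinates from an enrichment step, and the thresholds are assumed values). It runs three detections over the sample: a burst of failures for one user from one address (brute force), one address failing against many users (password spraying), and two successful logins for one user that would require an impossible travel speed:

```python
import json
import math
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

FAIL_THRESHOLD = 5                    # failures for one user from one IP ...
FAIL_WINDOW = timedelta(minutes=10)   # ... within this window => brute force
SPRAY_USERS = 4                       # distinct users failing from one IP ...
SPRAY_WINDOW = timedelta(minutes=30)  # ... within this window => password spraying
MAX_SPEED_KMH = 900                   # faster than an airliner between logins => impossible travel
MIN_DISTANCE_KM = 100                 # ignore geo-IP jitter inside one metro area

# Constructed sample log (not real data): one JSON object per line, geo-enriched.
SAMPLE_LOG = "\n".join(
    ['{"ts":"2024-06-01T08:00:00Z","user":"alice","src_ip":"203.0.113.5","result":"success","lat":51.50,"lon":-0.12}',
     '{"ts":"2024-06-01T08:40:00Z","user":"alice","src_ip":"198.51.100.9","result":"success","lat":40.71,"lon":-74.00}']
    # six failures for bob from one address inside one minute
    + [f'{{"ts":"2024-06-01T09:00:{s:02d}Z","user":"bob","src_ip":"192.0.2.77","result":"failure","lat":48.85,"lon":2.35}}'
       for s in range(0, 60, 10)]
    # one address trying a password against five different users
    + [f'{{"ts":"2024-06-01T10:{m:02d}:00Z","user":"{u}","src_ip":"192.0.2.200","result":"failure","lat":48.85,"lon":2.35}}'
       for m, u in enumerate(["carol", "dave", "erin", "frank", "grace"])]
)

Alert = Tuple[str, str]   # (detection, subject)


def parse_events(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_brute_force(events: List[dict]) -> List[Alert]:
    fails: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            fails[(e["user"], e["src_ip"])].append(e["ts"])
    alerts = []
    for (user, ip), times in fails.items():
        start = 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > FAIL_WINDOW:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                alerts.append(("brute_force", f"{user}@{ip}"))
                break
    return alerts


def detect_password_spray(events: List[dict]) -> List[Alert]:
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_ip[e["src_ip"]].append((e["ts"], e["user"]))
    alerts = []
    for ip, fails in by_ip.items():
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t0 <= SPRAY_WINDOW}
            if len(users) >= SPRAY_USERS:
                alerts.append(("password_spray", ip))
                break
    return alerts


def detect_impossible_travel(events: List[dict]) -> List[Alert]:
    last: Dict[str, dict] = {}
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        prev = last.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            # hours <= 0 guards the same-second case, which would otherwise divide by zero
            if km >= MIN_DISTANCE_KM and (hours <= 0 or km / hours > MAX_SPEED_KMH):
                alerts.append(("impossible_travel", e["user"]))
        last[e["user"]] = e
    return alerts


def analyse(text: str) -> List[Alert]:
    events = parse_events(text)
    return (detect_brute_force(events) + detect_password_spray(events)
            + detect_impossible_travel(events))


if __name__ == "__main__":
    for kind, subject in analyse(SAMPLE_LOG):
        print(f"ALERT {kind:18s} {subject}")
```

The spray detector keys on the source address rather than the account, which is why a per-account lockout threshold alone misses it: each account sees only one failure. Tie the impossible-travel alert back to Measure 1.4 by treating it as a trigger for step-up MFA or a forced session revocation rather than only a ticket.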

———————————————————————————————————