S 4.67 Locking and deleting database accounts which are no longer required
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
If a newly created user requires a database account only for a limited period of time, then the corresponding account should itself be set up with a limited validity period (if the database used provides such an option). It can be advantageous to set up all accounts with a limited validity period as a general rule and to extend this time limit at regular intervals (e.g. annually) as required.
Furthermore, the database administration should be informed as quickly as possible whenever a user leaves the organisation permanently. The account of this user should be locked no later than the user's last working day.
When users switch to a different role, to a different area of responsibility, or to other projects, the database accounts which are no longer needed must be locked or the access rights for these accounts adjusted accordingly.
Furthermore, it should be checked regularly whether the existing database accounts are actually still needed. In particular, all unneeded default accounts should be locked.
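The four measures described above (time-limited accounts, locking on departure, adjusting rights on a role change, and a regular review of remaining accounts) can be carried out on PostgreSQL as shown in the following statements. This is an added example and not part of the safeguard text; the account names, the schema name `hr`, the group role `hr_reader` and the dates are assumed placeholders, and the password is a placeholder to be replaced by a real secret.

```sql
-- 1. Time-limited account: the role stops being able to log in once
--    the validity date has passed (role name and date are assumed).
CREATE ROLE alice_project LOGIN PASSWORD 'REPLACE_WITH_REAL_SECRET'
    VALID UNTIL '2025-06-30 23:59:59+00';

-- Extension at the regular (e.g. annual) review, if still required.
ALTER ROLE alice_project VALID UNTIL '2026-06-30 23:59:59+00';

-- 2. User leaves the organisation: lock the account (keep the role so that
--    object ownership and audit history are preserved; drop it later
--    after ownership has been reassigned).
ALTER ROLE bob NOLOGIN;

-- 3. User changes role: remove the rights of the old area of responsibility
--    rather than leaving an over-privileged account behind.
REVOKE hr_reader FROM carol;
REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA hr FROM carol;

-- 4. Regular review: list every login-capable role that is either already
--    expired (should have been locked) or has no expiry at all.
--    Built-in pg_* roles cannot log in and so do not appear here.
SELECT rolname,
       rolvaliduntil,
       CASE
           WHEN rolvaliduntil IS NULL THEN 'no expiry set - review'
           WHEN rolvaliduntil < now() THEN 'expired - lock or drop'
           ELSE 'ok'
       END AS review_status
FROM pg_roles
WHERE rolcanlogin
ORDER BY review_status, rolname;
```

The review query is the part worth scheduling: run it at the agreed interval and treat every row that is not `ok` as an item to be confirmed with the account owner or locked with `ALTER ROLE ... NOLOGIN`.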
Review questions:
- Are database accounts set up for a limited period of time, at least if the user only requires this account for a limited period of time and if this is technically feasible?
- Is it checked at regular intervals whether existing database accounts with the specified access rights are still required?
- Are database accounts which are no longer needed, and default accounts in particular, locked and/or the access rights adjusted accordingly?