The organization verifies the identity of users and associates them with user information. These should also be confirmed before any interaction.
Identity verification must be performed according to pre-written and approved rules.
The organisation must manage all of it’s users and their privileges. This includes all third party users, which have access into the organisations data or systems.
The organisation must remove users entirely or remove privileges from them when they are no longer needed e.g when employee role changes.
Shared accounts should only be allowed if they are necessary for business or operational reasons and should be separately approved and documented.
If shared accounts are used for admin purposes, passwords must be changed as soon as possible after any user with admin rights leaves their job.