System Management Policies

In addition to setting policies for users, you should also have some defined policies for system administrators. There should be a procedure for situations such as adding users, removing users, dealing with security issues, and modifying any system. That is not all — procedures are also used to handle any unusual deviation.

Policies for New Starters

When a new employee is hired, the system administration policy should include the following.

• The new employee’s account should be set up only with the permissions required for their role.
• The new employee’s initial password should be set to something temporary that they will be required to change on first login.
• The new employee should be provided with a copy of company policies and sign an acknowledgement.
• Access to systems should be granted on a need-to-know basis.

Policies for Departing Employees

When an employee leaves the company (whether voluntarily or not), their accounts need to be managed carefully. At a minimum, the following steps should be included in your offboarding procedure.

• Their account should be disabled as soon as they leave — not simply renamed or have its password changed.
• Access to all external services (VPN, email, cloud storage) should be revoked.
• Any shared passwords that the departing employee was aware of should be changed.
• Physical access (keys, access cards) should be recovered.

Change Management

Any change to the systems — whether adding software, changing configurations, or modifying the network — should follow a formal change management process. The key components of such a process include the following.

• Request: The change is formally requested and described.
• Assessment: The potential impact and risks are assessed.
• Approval: The change is approved by the appropriate authority.
• Implementation: The change is carried out in a controlled manner.
• Review: The change is reviewed to ensure it achieved the desired outcome.

Your change management process does not need to have these exact headings. These headings indicate what work generally needs to be done. In fact, your organisation may have a much more specific policy.

Additionally, it is important for every new employee to receive a copy of the company’s computer security acceptable use policies and to sign a document acknowledging receipt.