We've been using the same passwords and app access for quite a while now, and I'm trying to figure out a realistic schedule for reviewing these. Should it be monthly, quarterly, or just when someone leaves the company? I want to balance security with practicality here, so I'd love to hear what others do.
5 Answers
We do have rules for user passwords, but we only enforce access reviews by system owners. For sensitive systems, it’s quarterly, and for others, it’s annual. Having a structured review process helps manage risk effectively.
For account access reviews, I’d say quarterly or maybe every six months works well. As for service passwords, a good rule of thumb is to update them every 180 days or even longer if needed.
In my last job, service accounts had to be updated every three days, and we eventually moved to a system where passwords were changed every 12 hours. It's super crucial to keep tight control on those, especially if you’re using things like CyberArk for management.
I'm not a fan of requiring frequent password resets as it often leads to weaker passwords. Instead, I recommend implementing a solid password policy that enforces complexity and history requirements. This way, users can change their passwords only when there's a real issue, like a security breach. Also, consider extra security measures like conditional access and MFA to keep things tight!
Definitely! When we told everyone to change passwords, the main concern was how often they’d have to do it. I said there’s no set schedule unless we face new security threats, which reduced the pushback significantly.
It really varies based on your organization’s size and needs. In our large company, we take the following approach:
- Standard user accounts: passwords expire after a year.
- Service accounts: usually every 90 days, but sometimes longer for non-critical services.
- Critical access is reviewed monthly, while other services get quarterly checks.
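A cadence like the one in this answer only works if something actually flags the accounts that have slipped past it. The script below is an added example, not code from any poster in this thread: it takes a constructed account inventory with last-rotation and last-review dates, applies assumed per-class limits taken from the cadences above (users 365 days, service accounts 90 days with a per-account override for non-critical services, critical access reviewed every 30 days, everything else every 90), and reports what is overdue or was never rotated/reviewed at all. Account names, dates and the field names are all made up for the illustration.

```python
from datetime import date
from typing import Optional

# Assumed policy limits in days; the defaults mirror the cadence in the answer
# above and an account may carry its own "rotation_max_days" override.
ROTATION_MAX_AGE_DAYS = {"user": 365, "service": 90}
REVIEW_MAX_AGE_DAYS = {"critical": 30, "standard": 90}

# Constructed sample inventory (not real accounts). Dates are ISO strings;
# None means the event was never recorded, which is treated as non-compliant.
SAMPLE_INVENTORY = [
    {"name": "alice", "kind": "user", "tier": "standard",
     "last_rotation": "2024-01-10", "last_review": "2024-04-01"},
    {"name": "svc-backup", "kind": "service", "tier": "critical",
     "last_rotation": "2024-02-01", "last_review": "2024-05-20"},
    {"name": "svc-reporting", "kind": "service", "tier": "standard",
     "last_rotation": "2024-01-15", "last_review": "2024-03-01",
     "rotation_max_days": 180},          # non-critical service, relaxed limit
    {"name": "bob", "kind": "user", "tier": "critical",
     "last_rotation": None, "last_review": None},
]


def _age_days(iso_date: Optional[str], today: date) -> Optional[int]:
    """Days since iso_date, or None when the date was never recorded."""
    if iso_date is None:
        return None
    return (today - date.fromisoformat(iso_date)).days


def check_account(acct: dict, today: date) -> list:
    """Return (issue, days_overdue) pairs for one account; empty when compliant.

    days_overdue is None when the event was never recorded at all.
    """
    issues = []
    rot_max = acct.get("rotation_max_days", ROTATION_MAX_AGE_DAYS[acct["kind"]])
    rev_max = REVIEW_MAX_AGE_DAYS[acct["tier"]]
    for label, field, limit in (("rotation", "last_rotation", rot_max),
                                ("access review", "last_review", rev_max)):
        age = _age_days(acct[field], today)
        if age is None:
            issues.append((f"{label} never recorded", None))
        elif age > limit:
            issues.append((f"{label} overdue", age - limit))
    return issues


def overdue_report(inventory: list, today: date) -> dict:
    """Map account name -> issues for every non-compliant account, sorted by name."""
    report = {}
    for acct in inventory:
        issues = check_account(acct, today)
        if issues:
            report[acct["name"]] = issues
    return dict(sorted(report.items()))


if __name__ == "__main__":
    # Fixed "today" so the sample output is reproducible.
    for name, issues in overdue_report(SAMPLE_INVENTORY, date(2024, 6, 1)).items():
        for issue, days in issues:
            suffix = "" if days is None else f" by {days} day(s)"
            print(f"{name}: {issue}{suffix}")
```

Running it with the fixed date reports svc-backup's rotation 31 days past its 90-day limit, svc-reporting's quarterly review two days late, and both events missing for bob, while alice is silent because she is within policy. In practice the inventory would come from the directory or vault export rather than a literal, and the report is what goes to the system owners who sign off on the review.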
NIST backs you up on this! Frequent resets aren't necessarily effective.