Administrative users and groups that have access rights to the web server must be documented.

There are typically several individuals and groups that are involved in running a production web site. In most cases, we can identify several types of users on a web server. These are the System Administrators (SAs), Web Managers, Auditors, Authors, Developers, and the Clients. Accounts will be restricted to those who are necessary to maintain web services, review the server’s operation, and the operating system. A detailed record of these accounts must be maintained.