All users of your ICT systems should only be provided with the user privileges that they need to do their job. Control the number of privileged accounts for roles such as system or database administrators, and ensure this type of account is not used for high risk or day-to-day user activities. Monitor user activity, particularly all access to sensitive information and privileged account actions (such as creating new user accounts, changes to user passwords and deletion of accounts and audit logs).