Collect
Identify credential sources; require admin access handoff; record scope and system ownership.
Store and control access
Store in controlled vault; enforce role-based access; require MFA where supported.
Rotate and audit
Rotate on onboarding, offboarding, and incidents; audit access and stale credentials on schedule.
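The rotate-and-audit step above, as an added example that is not part of the original page: a check over a constructed credential inventory that flags entries whose last rotation predates an onboarding, offboarding or incident event, entries past a maximum age, entries with no recorded owner or scope, and entries where MFA is supported but off. The field names, the 90-day threshold and all sample data are assumptions.

```python
from datetime import date, timedelta

MAX_AGE = timedelta(days=90)  # assumed audit threshold; the page sets no number
ROTATION_EVENTS = {"onboarding", "offboarding", "incident"}  # triggers named on the page

# Constructed sample inventory; field names are hypothetical.
INVENTORY = [
    {"id": "db-admin", "system": "billing-db", "owner": "ops", "scope": "admin",
     "last_rotated": date(2024, 5, 20), "mfa_supported": True, "mfa_enabled": True},
    {"id": "fw-root", "system": "edge-fw", "owner": "netops", "scope": "root",
     "last_rotated": date(2024, 1, 10), "mfa_supported": False, "mfa_enabled": False},
    {"id": "dns-api", "system": "dns", "owner": "", "scope": "zone-edit",
     "last_rotated": date(2024, 5, 1), "mfa_supported": True, "mfa_enabled": False},
]
# Constructed event log: (kind, system, date).
EVENTS = [
    ("offboarding", "billing-db", date(2024, 5, 25)),
    ("incident", "dns", date(2024, 4, 2)),
    ("login", "edge-fw", date(2024, 5, 30)),  # not a rotation trigger
]

def audit(inventory, events, today):
    """Return {credential id: sorted list of findings}; empty list means clean."""
    report = {}
    for cred in inventory:
        findings = set()
        for kind, system, when in events:
            # A trigger event after the last rotation means rotation is overdue.
            if (kind in ROTATION_EVENTS and system == cred["system"]
                    and cred["last_rotated"] < when <= today):
                findings.add(f"rotate: {kind} on {when.isoformat()}")
        if today - cred["last_rotated"] > MAX_AGE:
            findings.add("stale: older than max age")
        if not cred["owner"] or not cred["scope"]:
            findings.add("record: owner or scope missing")
        if cred["mfa_supported"] and not cred["mfa_enabled"]:
            findings.add("mfa: supported but not enabled")
        report[cred["id"]] = sorted(findings)
    return report

if __name__ == "__main__":
    for cred_id, findings in audit(INVENTORY, EVENTS, date(2024, 6, 1)).items():
        print(cred_id, findings or "ok")
```

The dns-api entry shows why the event date is compared with the last rotation: the incident predates the rotation, so it raises no rotation finding.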