You are here

Account Management

See the Account Management Standard in the University's Information Security policy for specific requirements that you must follow.

Standard and Process

Manage accounts in all stages of the life-cycle of user access:

  • authorizing access based on current role and responsibilities;
  • granting initial access;
  • periodic review of access granted;
  • changing access as user roles change (e.g., job responsibilities change);
  • removing access from users who no longer require access (e.g., termination, transfer to another University unit); and,
  • establishing, resetting and expiring authentication.

Account management includes:

  • documentation of account and authentication management procedures;
  • segregation of duties from authorization to managing accounts;
  • communication to user about use and responsibilities for maintaining the account and authentication; and,
  • periodic review of accounts.

For information on type of authentication to use (e.g., single-factor or multi-factor), see the Authentication standard.

Complex passwords are defined as:

  • length of 8-12 with at least three types of characters (e.g., lower case letters, upper case letters, numbers, special characters)
  • length of 13 or more


Include in the procedure document the roles of data owners, data custodians and others involved for account authorization, provisioning and de-provisioning, and user communication, including which role is responsible for each task:

  • define types of accounts and their use (individual, group, system, application, guest/anonymous, temporary);
  • check that the level of access requested is appropriate for the business purpose and does not compromise segregation of duties;
  • provide information needed to document account provisioning, account de-provisioning, type of confirmation of access rights for user, storage of the requests, granting of access after authorization is complete;
  • type of authentication used (e.g., single-factor or multi-factor) and password complexity rules;
  • verify the identity of a user prior to providing a new, replacement or temporary authentication/password;
  • educate users on their responsibilities related to their account and authentication/password (see User Education section);
  • remove or block access when the user changes position, role, or has left the University; and,
  • conduct periodic reviews for appropriate user access, inactive/active accounts, redundant use of user IDs, shared accounts.

User Education

Communication to users about access should include:

  • process for requesting, changing and terminating access;
  • requirements for password complexity (e.g., length, types of characters);
  • authentication/password resets and expiration;
  • confidentiality of authentication/passwords; and,
  • notifying University Information Security ( of security incidents, including potential compromises of authentication/password or access

Individuals should use different passwords for their user level and system administrator accounts on multi-user systems (e.g., sudo for Unix, or local admin for Windows).

IT staff are responsible for working with users, data owners and service directors on establishing account and authentication/password management.

Users, data owners and service directors are responsible for working with IT staff to properly use the appropriate authentication(s) for their support or user role(s).

More Information

Document Owner: University Information Security

Document Approvers: Brian Dahlin, Chief Information Security Officer; Patton Fast, University Enterprise Architect

Effective Date: December 2013

Last Reviewed Date: November 2014