Standard and Process
Manage accounts in all stages of the life-cycle of user access:
- authorizing access based on current role and responsibilities;
- granting initial access;
- periodic review of access granted;
- changing access as user roles change (e.g., job responsibilities change);
- removing access from users who no longer require access (e.g., termination, transfer to another University unit); and,
- establishing, resetting and expiring authentication.
Account management includes:
- documentation of account and authentication management procedures;
- segregation of duties from authorization to managing accounts;
- communication to user about use and responsibilities for maintaining the account and authentication; and,
- periodic review of accounts.
For information on the type of authentication to use (e.g., single-factor or multi-factor), see the Authentication standard.
Complex passwords are defined as either:
- length of 8 to 12 characters with at least three types of characters (e.g., lower case letters, upper case letters, numbers, special characters); or
- length of 13 or more characters.
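The two-branch complexity rule above is straightforward to encode as a validation check that an account provisioning or password-reset process can apply before accepting a new password. The following is an added example written for this page, not code from the University or its standard; it assumes that "special characters" means any character that is not a letter or a digit (the standard gives the four character types only as examples), and that a 13-character-or-longer password passes without any character-type requirement, exactly as the rule is worded.

```python
"""Checker for the password complexity rule stated in the standard.

Rule (as written on the page):
  - length 8-12 with at least three character types, or
  - length 13 or more.

Assumption for this example: the four character types are lower case,
upper case, digit and "special" (anything that is none of the first three).
"""


def character_types(password: str) -> set:
    """Return the set of character types present in the password."""
    types = set()
    for ch in password:
        if ch.islower():
            types.add("lower")
        elif ch.isupper():
            types.add("upper")
        elif ch.isdigit():
            types.add("digit")
        else:
            # Assumption: any other character (punctuation, symbol, space)
            # counts as the "special" type.
            types.add("special")
    return types


def is_complex(password: str) -> bool:
    """True if the password satisfies either branch of the complexity rule."""
    length = len(password)
    if length >= 13:
        return True
    if 8 <= length <= 12:
        return len(character_types(password)) >= 3
    return False


def explain(password: str) -> str:
    """Human-readable result suitable for the user communication the standard
    requires (the rule itself, not the rejected password, is what to echo back)."""
    length = len(password)
    if length >= 13:
        return "accepted: length 13 or more"
    if length < 8:
        return "rejected: fewer than 8 characters"
    found = len(character_types(password))
    if found >= 3:
        return "accepted: length 8-12 with %d character types" % found
    return ("rejected: length 8-12 requires at least three character types, "
            "found %d" % found)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for sample in ["password", "abcdefgh1", "abcdefgh1!", "Passw0rd",
                   "correct horse battery staple"]:
        print("%-30s %s" % (repr(sample), explain(sample)))
```

Note that this check enforces only what the standard states; it does not reject dictionary words or previously breached passwords, which is a separate control the page does not specify.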
Include in the procedure document the roles of data owners, data custodians and others involved for account authorization, provisioning and de-provisioning, and user communication, including which role is responsible for each task:
- define types of accounts and their use (individual, group, system, application, guest/anonymous, temporary);
- check that the level of access requested is appropriate for the business purpose and does not compromise segregation of duties;
- provide the information needed to document account provisioning and de-provisioning, how access rights are confirmed with the user, where requests are stored, and that access is granted only after authorization is complete;
- type of authentication used (e.g., single-factor or multi-factor) and password complexity rules;
- verify the identity of a user prior to providing a new, replacement or temporary authentication/password;
- educate users on their responsibilities related to their account and authentication/password (see User Education section);
- remove or block access when the user changes position, role, or has left the University; and,
- conduct periodic reviews for appropriate user access, inactive/active accounts, redundant use of user IDs, shared accounts.
Communication to users about access should include:
- process for requesting, changing and terminating access;
- requirements for password complexity (e.g., length, types of characters);
- authentication/password resets and expiration;
- confidentiality of authentication/passwords; and,
- notifying University Information Security (firstname.lastname@example.org) of security incidents, including potential compromises of authentication/passwords or access.
Individuals should use different passwords for their user level and system administrator accounts on multi-user systems (e.g., sudo for Unix, or local admin for Windows).
IT staff are responsible for working with users, data owners and service directors on establishing account and authentication/password management.
Users, data owners and service directors are responsible for working with IT staff to properly use the appropriate authentication(s) for their support or user role(s).
This standard is based on the principles of ISO/IEC 27002:2005.
Document Owner: University Information Security
Document Approvers: Brian Dahlin, Chief Information Security Officer; Patton Fast, University Enterprise Architect
Effective Date: December 2013
Last Reviewed Date: November 2014