APPENDIX TO POLICY

Account Management Standard

Objective

To ensure authorized access to, and prevent unauthorized access to, University information and IT resources, accounts must be managed so that access is limited to authorized users with a valid need for access to specific resources.

Security Controls

Account Management

The following table defines the baseline security controls for account management. The "Security Level" columns give the requirement for systems classified as High, Medium, or Low.

| ID      | Control                                                                                                                          | High         | Medium      | Low         |
|---------|----------------------------------------------------------------------------------------------------------------------------------|--------------|-------------|-------------|
| AM.A.01 | Document account and authentication management procedure                                                                         | Required     | Recommended | Optional    |
| AM.A.02 | Follow the principle of least privilege access for accounts (e.g., when granting access)                                         | Required     | Required    | Recommended |
| AM.A.03 | De-provision account or access promptly (suggested: involuntary within 1 day, voluntary within 1-10 days)                        | Required     | Required    | Recommended |
| AM.A.04 | Reset authentication / password or suspend account after compromise or disclosure                                                | Required     | Required    | Required    |
| AM.A.05 | Use complex passwords                                                                                                            | Required     | Required    | Recommended |
| AM.A.06 | Enable vendor account only when access is needed                                                                                 | Required     | Required    | Optional    |
| AM.A.07 | Limit knowledge of "root", "Administrator" or equivalent account credentials to the minimum number of individuals                | Required     | Required    | Recommended |
| AM.A.08 | Establish auditable authorization of access requests / changes to access (written or electronic)                                 | Required     | Required    | Recommended |
| AM.A.09 | Review access (suggested: annual)                                                                                                | Required (1) | Required    | Optional    |
| AM.A.10 | User acknowledgement of account access and responsibilities (suggested: annual)                                                  | Required     | Required    | Optional    |
| AM.A.11 | Educate users                                                                                                                    | Required     | Required    | Optional    |

(1) PCI-DSS requires quarterly access reviews for systems that store, process, or transmit cardholder data, or support the credit card processing environment.

Resources Covered

This standard applies to IT resources owned or contracted by the University. It also applies to personally owned devices accessing, or authorized to store, University data designated as private-highly restricted or private-restricted.

Individuals Covered

This standard applies to University community members who use or manage University IT resources.

Related Information

More information on Account Management

Published Date

  • November 2014
