Account Management Standard
Appendix to Policy
To ensure authorized access and to prevent unauthorized access to University information and IT resources, accounts must be managed so that access is limited to authorized users with a valid need for access to specific resources.
The following table defines the baseline security controls for account management.
| AM.A.01 | Document account and authentication management procedure | Required | Recommended | Optional |
| AM.A.02 | Follow the principle of least privilege access for accounts (e.g., when granting access) | Required | Required | Recommended |
| AM.A.03 | De-provision account or access promptly (suggested: involuntary within 1 day, voluntary within 1-10 days) | Required | Required | Recommended |
| AM.A.04 | Reset authentication / password or suspend account after compromise or disclosure | Required | Required | Required |
| AM.A.05 | Use complex password | Required | Required | Recommended |
| AM.A.06 | Enable vendor account only when access is needed | Required | Required | Optional |
| AM.A.07 | Limit knowledge of "root", "Administrator" or equivalent account credentials to the minimum number of individuals | Required | Required | Recommended |
| AM.A.08 | Establish auditable authorization of access requests / changes to access (written or electronic) | Required | Required | Recommended |
| AM.A.09 | Review access (suggested: annual) | Required [1] | Required | Optional |
| AM.A.10 | User acknowledgement of account access and responsibilities (suggested: annual) | Required | Required | Optional |

[1] PCI-DSS requires quarterly access reviews for systems that store, process, or transmit cardholder data, or support the credit card processing environment.
This standard applies to IT resources owned or contracted by the University. It also applies to personally owned devices accessing, or authorized to store, University data designated as private-highly restricted or private-restricted.
This standard applies to University community members who use or manage University IT resources.
More information on Account Management
- November 2014