Printed on: 02/18/2019. Please go to for the most current version of the Policy or related document.

Account Management Standard

Appendix to Policy


To ensure authorized access and prevent unauthorized access to University information and IT resources, accounts must be managed so that access is limited to authorized users with a valid need for access to specific resources.

Security Controls

Account Management

The following table defines the baseline security controls for account management.

| Control ID | Description | Security Level: High | Security Level: Medium | Security Level: Low |
|---|---|---|---|---|
| AM.A.01 | Document account and authentication management procedure | Required | Recommended | Optional |
| AM.A.02 | Follow the principle of least privilege access for accounts (e.g., when granting access) | Required | Required | Recommended |
| AM.A.03 | De-provision account or access promptly (suggested: involuntary within 1 day, voluntary within 1-10 days) | Required | Required | Recommended |
| AM.A.04 | Reset authentication / password or suspend account after compromise or disclosure | Required | Required | Required |
| AM.A.05 | Use complex password | Required | Required | Recommended |
| AM.A.06 | Enable vendor account only when access is needed | Required | Required | Optional |
| AM.A.07 | Limit knowledge of "root", "Administrator" or equivalent account credentials to minimum number of individuals | Required | Required | Recommended |
| AM.A.08 | Establish auditable authorization of access requests / changes to access (written or electronic) | Required | Required | Recommended |
| AM.A.09 | Review access (suggested: annual) | Required [1] | Required | Optional |
| AM.A.10 | User acknowledgement of account access and responsibilities (suggested: annual) | Required | Required | Optional |
| AM.A.11 | Educate User | Required | Required | Optional |

[1] PCI-DSS requires quarterly access reviews for systems that store, process, or transmit cardholder data, or support the credit card processing environment.

Resources Covered

This standard applies to IT resources owned or contracted by the University. This also applies to personally owned devices accessing, or authorized to store, University data designated as private-highly restricted or private-restricted.

Individuals Covered

This standard applies to University community members who use or manage University IT resources.

Related Information

More information on Account Management

Published Date

  • November 2014
