Account Management Guidelines and Procedures

Legislative History: Approved by the President: 2004/04/28; Reviewed by UEC;

Approval Authority: President


Description: Pursuant to Policy on Computing and Information Technology Facilities


Purpose

These guidelines and procedures are intended to guide the establishment of effective account management procedures which promote the security and integrity of University information technology systems and the information they contain.

Scope

These guidelines and procedures apply to all accounts on University Information Technology (I.T.) systems and supplement and clarify the principles set out in the University Policy on Computing and Information Technology Facilities.

Roles and Responsibilities

Account Holder: The individual or group which is assigned the Account.

System Managers: Those who own and/or have management authority for I.T. systems.

Account Administrators: Those who support Accounts by creating or modifying Accounts, assigning passwords, or setting other account attributes.

Definitions

Account: A combination of username and password or other authentication combination which allows access to a system or service.

System Account: An Account which has a purpose related to administration of a specific application or system.

Guidelines

General

  1. Account Establishment and Duration: Each Account shall be for the individual use of an identified student, staff, faculty, vendor, or guest of the University. Accounts remain valid for as long as the individual maintains the relevant status within the University or until the account is suspended by the University.
  2. Vendor Accounts: An account may be issued to a vendor under contract to the University that shall be valid for the length of the agreement between the University and the vendor.
  3. Multiple Status Users: Individuals who have multiple statuses with the University (e.g. student and employee) shall obtain separate accounts to fulfill the requirements of each status.
  4. Temporary Accounts: Accounts set up for use by temporary workers shall be assigned to a single individual at a time.
  5. Account Sharing Prohibited: Sharing of accounts is strictly prohibited.
  6. Password Change Requirements: Account Holders may change their password at any time in accordance with departmental procedures. Account Holders who have forgotten their password must request a password reset and provide conclusive identifying information to Account Administrators.
  7. Suspending Accounts: Accounts may be voluntarily suspended at any time by the Account Holder to prevent their misuse. Account Administrators may suspend accounts which have expired passwords, have violated these guidelines, or have been involved in any other abuse referenced by the Senate Policy on Computing and Information Technology Systems or where the Account Holder has ceased to have the relevant status with the University.

System Accounts

Guidelines for system accounts are the same as the above with the following additions and changes:

  1. Account Establishment and Duration: System Accounts must be sponsored by a System Manager who takes responsibility for the use of the account.
  2. Account Usage: System Accounts are specifically for system or application use only and shall not be used for any purpose other than facilitating the operation of the system or application.
  3. Group Access: System Accounts may be shared by a group of individuals for the purpose of operation and administration of the application or system only. In these cases, when possible, access to system accounts shall be via methods which allow logins to be accountable to the individual accessing it.
  4. Insecure Network Access Restriction: Access to System Accounts via methods in which account information is passed in “plain-text”, such as telnet, ftp, or http, shall be denied unless no other more secure method (e.g. ssh, sftp/scp, or https) is available.
  5. Default Passwords: Accounts and passwords which are part of the default setup of a system shall be disabled or changed. This includes passwords for configuration access, SNMP community strings, database accounts, etc.

Password Standards

All Account Holders are expected to follow the standards outlined below to prevent the compromise of systems and data. System Managers shall make use of automated mechanisms for enforcement of these password standards on all systems where such mechanisms exist.

  1. Passwords for individual accounts must be changed by the user at least annually.
  2. Passwords which have been changed by an Account Administrator shall be changed again by the Account Holder before the Account may be used.
  3. Passwords which grant login access to a system or provide access to private/confidential data must not be transmitted via “plain-text” electronic methods, including email, telnet, ftp, http, etc.
  4. Passwords shall:
      1. Contain characters from each of the following categories, to the extent that the system will allow:
        1. Upper case letters.
        2. Lower case letters.
        3. Numerical digits.
        4. Punctuation and miscellaneous characters.
      2. Have a minimum length of eight characters.
      3. Not be a recognizable word, or slang, dialect, jargon, etc.
      4. Not be based on personal information such as family names, birthdates, etc.
  5. Account Holders shall choose a different password for each Account which permits access to confidential information.
  6. Account Holders shall not use any “Remember Password” feature for any account which grants login access to a system or provides access to confidential information. Exceptions to this are password-caching agents which only store passwords for re-use during an existing login session.
  7. Account Holders shall not store or transmit electronically in any unencrypted form passwords for accounts which grant login access to a system or provide access to confidential information.
  8. Account Holders shall not store or transmit a password non-electronically in any method that is likely to result in others obtaining it (sticky notes on monitor, etc.).
  9. Account Holders shall not provide their password to anyone, including Account Administrators and System Managers.
  10. System Managers shall ensure that no procedures require Account Holders to reveal their passwords to anyone.
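The following checker is an added illustration of how standards 4.1 through 4.4 above can be enforced automatically on a system that lacks a built-in mechanism; it is example code, not University software. The word list, the personal-information profile fields, and the leet-substitution table are constructed assumptions; a production deployment would load a full cracking dictionary and the actual directory attributes. The `required_categories` parameter models the “to the extent that the system will allow” clause for systems that cannot accept all four character classes.

```python
"""Checker for the password standards above (added example, not University code).
The word list, profile fields and leet table are constructed assumptions."""
import re
from datetime import date

MIN_LENGTH = 8  # standard 4.2

# Constructed stand-in for a dictionary; a real check would load a full word list.
WORDLIST = {"password", "welcome", "university", "summer", "letmein", "dragon"}

# Undo common digit/symbol substitutions so "Pa55w0rd" is still treated as a word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Character categories from standard 4.1.
CATEGORIES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def personal_tokens(profile):
    """Strings derived from personal information (standard 4.4): name parts,
    username, and several common renderings of the birthdate."""
    tokens = set()
    for field in ("first_name", "last_name", "username"):
        value = profile.get(field, "")
        if value:
            tokens.add(value.lower())
    dob = profile.get("birthdate")
    if isinstance(dob, date):
        for fmt in ("%Y", "%d%m", "%m%d", "%d%m%y", "%Y%m%d", "%m%d%Y"):
            tokens.add(dob.strftime(fmt))
    # Very short tokens (e.g. a two-letter name) would match almost anything.
    return {t for t in tokens if len(t) >= 3}


def check_password(password, profile=None, wordlist=WORDLIST, required_categories=4):
    """Return the list of standards the candidate password violates.
    An empty list means the password is acceptable under standards 4.1-4.4."""
    violations = []

    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    present = sum(1 for rx in CATEGORIES.values() if rx.search(password))
    if present < required_categories:
        violations.append(f"only {present} of {required_categories} character categories")

    # Standard 4.3: a dictionary word padded with digits or punctuation is still
    # a recognizable word, so compare the letters-only forms, with and without
    # leet substitutions reversed, against the word list.
    lower = password.lower()
    candidates = {
        re.sub(r"[^a-z]", "", lower),
        re.sub(r"[^a-z]", "", lower.translate(LEET)),
    }
    if any(c in wordlist for c in candidates):
        violations.append("recognizable word")

    # Standard 4.4: reject passwords containing name or birthdate fragments.
    if profile:
        for token in sorted(personal_tokens(profile)):
            if token in lower or token in lower.translate(LEET):
                violations.append(f"based on personal information ({token})")
                break

    return violations


if __name__ == "__main__":
    # Constructed sample Account Holder profile.
    profile = {"first_name": "Alice", "last_name": "Nguyen",
               "username": "anguyen", "birthdate": date(1990, 3, 14)}
    for candidate in ("Tr0ub4dor&3", "Summer2024!", "Pa55w0rd", "Nguyen1990!", "Ab1!"):
        print(candidate, "->", check_password(candidate, profile) or "OK")
```

A System Manager would wire a check like this into the password-change path (for example as a PAM module or a web form validator) so that a rejected password never reaches the credential store, and would keep the word list and substitution table current as common patterns change.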

Procedures

All groups supporting Accounts must develop and document account management practices based on the principles set forth in these guidelines. Documented procedures must exist for Account issuance, password changes, suspension and removal, and eligibility monitoring.

Where such accounts are issued, procedures must also include the following:

  1. Vendor Account Duration: The University representative who serves as key contact with the Vendor is responsible for ensuring vendor Accounts are valid no longer than the duration of the relevant agreement between the vendor and the University, and notifying the appropriate Account Administrator regarding changes to the Account.
  2. Temporary Account Access: Temporary accounts shall have the password changed by each individual user, and the account shall be suspended when not assigned.