1 PURPOSE
Enterprise Technology & Services (ET&S) is charged by the University System of New Hampshire (USNH) to protect the integrity, confidentiality, and availability of systems and information. This standard establishes directives for managing the digital identity accounts that facilitate access or changes to USNH's information technology resources.
2 SCOPE
This standard applies to the following account types issued by USNH:
The Primary Account is the most common account type and is often referred to as the USNH username and password. All active faculty, staff, and students of GSC, KSC, PSU, UNH, and the USNH System Office are assigned a Primary Account, usually named after the individual (e.g., firstname.lastname@yourinstitution.edu). Primary Accounts give individuals access to USNH information technology systems, devices, and services that require single sign-on (SSO); examples include Canvas, Microsoft Office 365, and Kronos. All Primary Accounts are subject to USNH Information Security Standards and Policies, and the individual to whom the Primary Account is assigned is responsible for the appropriate use of that account.
The Secondary Account is also referred to as a privileged or elevated-access account. It is a second account, with a different username and password, assigned to an individual who has a business need for multiple accounts with varying levels of access (for example, system administrators who require administrative accounts with elevated security permissions, which must be separate from their Primary Accounts). All Secondary Accounts are subject to all USNH Information Security Standards and Policies, and the individual to whom the Secondary Account is assigned is responsible for the appropriate use of that account.
A Pool Account is controlled by a designated USNH employee, called the Guardian of the account, and is assigned to a specific person, called the account user (usually an hourly or temporary student employee), with a set expiration date. The Guardian of the account will supervise the use of this account, ensure that it is used in compliance with this and all USNH Information Security Standards and Policies, and work with the IT Account Administrators to maintain the records related to users of the Pool Account. The default expiration date for a Pool Account is the end of the current fiscal year (unless otherwise noted), and never more than one year out. Over time, a Pool Account can be re-assigned to several people but can never be assigned to more than one person at a time. Upon notification by the Guardian that the user of the account has left their position, the IT Account Administrators will disable the Pool Account. When a new user requires the Pool Account, the Guardian is responsible for requesting that it be re-activated and re-assigned. All Pool Accounts are subject to this and all USNH Information Security Standards and Policies, and the individual to whom the Pool Account is currently assigned is responsible for the appropriate use of that account.
A Sponsored IT Account is a type of primary account assigned to a non-affiliate of the University who has business with USNH requiring access to IT resources. This includes, but is not limited to, volunteers, contractors, visiting students, and visiting scholars. Sponsored IT Accounts require yearly approval and renewal by a President, Vice President, Provost, Dean, or Designated Sponsor Representative (DSR). All Sponsored IT Accounts are subject to this and all USNH Information Security Standards and Policies, and the individual to whom the Sponsored IT Account is assigned is responsible for the appropriate use of that account.
A Service Account is a dedicated account with elevated privileges used to run applications and other processes. Service accounts may also be created to own data and configuration files. They are not intended for interactive use by people except for administrative operations.
3 STANDARD
Account management includes requesting, issuing, modifying, and disabling all USNH information technology accounts. All account access decisions shall be made per the USNH Access Management Standard.
3.1 Account Creation
3.1.1 Before creating user accounts, the sponsoring unit or division shall verify the user's affiliation with USNH.
3.1.2 Accounts are reserved for USNH faculty, staff, students, and applicants. Other individuals affiliated with or otherwise needing USNH credentials shall request an account provisioned per the USNH Sponsored Account Standard.
3.1.3 Enterprise information technology account usernames shall conform to the USNH account username convention.
- Accounts shall be provisioned following a role-based access scheme.
3.1.4 The principle of least privilege shall be applied when provisioning accounts. Users shall not be granted more privileges than necessary for the functions they will be performing.
- Non-privileged user accounts must be used and only elevated to root or Administrator when necessary. A secure mechanism to escalate privileges (e.g., via User Account Control or via sudo) with a standard account is acceptable to meet this requirement.
- Privileged accounts must not be used for non-privileged activities.
- USNH enterprise administrative accounts are reserved for USNH employees with a demonstrated need.
- All privileged account activity is required to be logged and monitored per the USNH Log Management Standard.
3.1.5 Vendor or contractor accounts requiring elevated privileges shall be arranged per the USNH Sponsored Account Standard and/or the Exception process.
3.1.6 There shall be only one user associated with an account.
3.1.7 Account usage requires the account owner's formal acknowledgement that they have read and understood the USNH Acceptable Use Policy (AUP).
3.1.8 Devices must be configured with separate accounts for privileged (administrator) and non-privileged (user) access.
3.2 Account Management
ET&S shall establish and maintain an inventory of all information technology accounts managed within USNH.
- The inventory, at a minimum, shall contain the user's first and last name, username, start/stop dates, and department.
- When feasible, centralized authentication and account management shall be employed through the central USNH directory or identity service.
3.2.1 Account and Access Reviews
• All active USNH privileged accounts shall be re-authorized on a recurring schedule, at a minimum annually.
• Access modifications shall include valid authorization from appropriate administrative, academic, or business unit management and ET&S.
  - The Identity and Access Management team shall review Active Directory privileged accounts.
  - The appropriate business unit leadership shall review local privileged/administrative accounts.
• The employee's manager is responsible for reviewing employee accounts and access privileges with ET&S upon job changes (e.g., termination, position changes).
3.3 Account Protection
• All accounts used to access USNH's information technology resources shall comply with the USNH Password Policy.
• System administrator accounts shall use centralized authentication.
• Central authentication systems should lock user accounts in accordance with industry best practices.
• Administrators shall verify user identity prior to re-enabling or resetting user accounts.
• Multi-factor authentication (MFA) is required for all USNH administrator accounts. Exceptions may be granted based on operational needs through the formal USNH exception process.
• All service accounts (e.g., those used for backups) should be non-interactive; their use should be monitored, and they should adhere to the USNH Password Policy and be stored in the enterprise password safe.
• In some cases, USNH users may be asked to provide identity verification when working with the ET&S team, to validate the correct user and help prevent identity theft and/or fraud.
3.4 Disabling and Deletion of Accounts
- Accounts out of compliance with the USNH Password Policy will be disabled and may be deleted.
- All user accounts must be deprovisioned, and access attributes removed, immediately upon separation unless a prior exception is in place.
  - Faculty leaving USNH in good standing may request access for up to 90 days past their last day of employment.
- ET&S will assist users with data transfer upon request.
- Self-service mechanisms may not be used to re-enable the account.
3.5 Local Administrative Accounts
In adherence to the cybersecurity principle of least privilege, ET&S will not enable local administrative rights on USNH-owned systems by default. Individuals needing elevated privileges must submit an exception request with a business justification.
DOCUMENT HISTORY
- Drafted: USNH Cybersecurity GRC
- Reviewed by: USNH Cybersecurity Committee
- Revision History: K Sweeney, December 14, 2023, section 4.3
- K Sweeney, May 30, 2024, formatting
- C Grebloski, January 10, 2025, section 3.3
- Approved by: Thomas Nudd, Chief Information Security Officer