Account Management Standard
Date of Current Revision or Creation: December 1, 2021
The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.
Purpose
The purpose of this standard is to define the account management requirements used by Old Dominion University.
Definitions
Customer-facing Systems include hardware, software or other technology with user interfaces or applications that directly interact with customers.
Data Owners - University directors (typically at the level of Registrar, or Unit Director) who oversee data management functions related to the capture, maintenance, and dissemination of data for a particular operational area. They are responsible for decisions about the usage of University data under their purview.
Guest Accounts are those where the user self asserts their identification and contact information for temporary or emergency access to University systems.
Information Security Officer (ISO) - The Old Dominion University employee, appointed by the President or designee, who is responsible for developing and managing Old Dominion University's information technology (IT) security program.
Internal-facing Systems include hardware, software or other technology used within the organization and are not exposed/available outside the organization.
MIDAS is an acronym for the Monarch Identification and Authorization System, a central identity and password manager.
Principle of "Least Privilege" is a security concept promoting minimal user profile privileges on computers, based on users' job functions.
Privileged Accounts are accounts that provide elevated or non-restrictive access to the underlying platform that non-privileged user accounts don't have access to.
Sensitive System - Sensitive System is a term given to any IT system in which the classification is confidential or higher according to ITS Standard 2.3.0 Data Administration and Classification.
Service Accounts - privileged accounts that may not correspond to an actual person and are often built-in accounts that services use to access resources to perform activities. However, some system services require actual user accounts to perform certain functions.
System Administrator - the analyst, engineer, or consultant who implements, manages, and/or operates a system or systems at the direction of the System Owner, Data Owner, and/or Data Administrator.
System Owners - manager or departmental head responsible for operation and maintenance of a University IT system or overseeing hosted systems under their purview.
Standards Statement
Account management requirements identify those steps necessary to formalize the process of requesting, granting, administering, and terminating accounts. Where possible, the centrally managed MIDAS system is used to manage and control access to ODU hosted or contracted systems. However, this standard applies to all accounts on IT systems, including accounts used by vendors and third parties. Systems not using MIDAS are responsible for developing and documenting account management practices based on the University's IT Standards.
Issuing Accounts
When issuing accounts, the standard security principle of "least privilege" to perform a function must be used. Accounts should not be granted any more privileges than those that are necessary for the functions the user will be performing. Access levels are to be associated with group or role membership, where practical, and all such IT system user accounts must belong to at least one user group.
For internal-facing systems, employee position descriptions should accurately reflect assigned duties and responsibilities in order to define required IT system access.
A documented request from the user to establish or modify an account on any IT system is required. Proper authorization and approval by the IT system user's Budget Unit Director and the System Owner is required to establish accounts. The System Owner may delegate this authorization and approval task to the Data Owners or others if desired. A user account must only be used by the person to whom it is assigned.
Unless required by regulatory requirements, accounts remain valid for the duration the individual maintains the relevant status within the University or until the account is closed or suspended by the University. Users are responsible for the lawful and appropriate use of information technology resources as described in the Acceptable Use Standard.
The identity of users must be authenticated before providing them with account and password details. Authentication and authorization requirements are to be based on sensitivity and risk. The use of second-factor authentication, such as tokens and biometrics, for access to sensitive IT systems should be considered based upon risk.
No user is allowed to authorize their own access. Administrators who have access to add or elevate account privileges should have procedures in place for logging changes.
Passwords
Confirmation of the user's request for access credentials must be based on information already on file prior to delivery of the access credentials. Passwords for accounts must be delivered to users of all customer-facing IT systems securely. The use of non-shared, unique passwords on sensitive IT systems is required. Initial passwords must be changed upon first use unless the initial password was user selected using a secure method.
Automated password resets may be utilized, provided that a recognized and ISO approved method is used, such as multiple, random challenge and response questions. Password change events should be recorded in an audit log.
Managing Accounts
Processes to create, suspend, disable, and terminate user accounts should be documented and approved by the System Owner or designee of the system.
Supervisors should notify Human Resources and System Administrators in a timely manner about termination, transfer, or changes in access level requirements of IT system users.
Occasional reports from Human Resources and or other sources may be used in periodic batch termination processes. These processes should be established with the respective business units as part of larger maintenance processes.
Unneeded accounts are to be disabled. Data in unneeded accounts in a disabled state is to be retained in accordance with the ODU's records retention policy.
System Owners and the Data Owners are to investigate any unusual IT system access activities and approve changes to access level authorizations.
At least annual review of all user accounts for sensitive IT system is required to assess the continued need for the accounts and access level and periodic review of user accounts for other IT systems.
Privileged Accounts
Privileged accounts have a level of access above that of a normal user. Privileged access is typically granted to system administrators and staff performing computing account administration, or other such employees whose job duties require special privileges over a computing system or network. Individuals with privileged access must comply with applicable policies and IT standards.
- Administrator Access
Local administrator rights, or the equivalent on non-Microsoft Windows-based IT systems, should be granted only to authorized individuals. - Service Accounts
Service accounts are a type of account necessary for systems to operate or interoperate. The System Owner is responsible for designating and maintaining a list of individuals who have access to the account. The documentation should be available upon request for an audit or a security assessment. - System Administrator Accounts
System administrator accounts perform super-user functions such as performing installs, altering critical system configurations or data, granting permissions to other accounts, etc. System Administrators are required to have both an administrative account and at least one user account and are required to use their administrative accounts only when performing tasks that require administrative privileges. At least two individuals should have administrative accounts to each IT system, to provide continuity of operations.
Guest Accounts
A guest account establishes a user's identity and provides temporary or emergency access to specific technology resources. Guest accounts may be used on non-sensitive systems where the System Owner has determined their use to be safe and necessary.
Requests for vendor/emergency guest accounts to all sensitive systems must be documented according to standard practice and maintained on file, include access attributes for the account, be approved by the System Owner and communicated to the Information Security officer and must include and expire after a predetermined period, based on sensitivity and risk. Guest accounts may be used on non-sensitive systems where the System Owner has determined their use to be safe and necessary.
Shared Accounts
Microsoft Exchange mailbox accounts may be shared by multiple users as long as a single individual is designated as the owner.
Other shared accounts may be authorized by the System Owner to meet business needs and for the continuity of operations and must be coordinated with the IDM team for proper access controls and documentation
Procedures, Guidelines & Other Related Information
- Federal and State Law
- University Policy 3501 - IT Access Control
- University Policy 3505 - Information Technology Security
- IT Standard 9.1.0 Acceptable Use
- IT Standard 2.11.0 Password Management
- Universal Account Request Form
History
Date |
Responsible Party |
Action |
October 2008 |
ITAC/CIO |
Reaffirmed |
October 2010 |
ITAC/CIO |
Reaffirmed |
October 2011 |
ITAC/CIO |
Reaffirmed |
February 2014 |
IT Policy Office |
Minor rewording for clarity |
July 2015 | IT Policy Office | Reorganized for clarity; added definitions, privileged accounts info |
December 2018 | IT Policy Office | Definitions and links checked |
December 2021 | IT Policy Office | Definitions and links checked; minor wording changes |