Technology Standard
Personnel Security - Access Determination and Control
Version: 1.0
Status: Approved: 02/21/07
Contact: Director, Technology Services
PURPOSE
To provide guidelines necessary to implement account management standards and procedures to protect System Office and College IT systems and data.
SCOPE
In accordance with COV ITRM 501-01, Account Management standards and procedures must be implemented so that the steps necessary for requesting, granting, administering, and terminating accounts at the System Office and Colleges are formalized.
APPLICABILITY
The Account Management Standard is applicable to the System Office and all Colleges.
STANDARD
An account generally consists of a user ID and a password; presenting these credentials grants the user access to a set of resources and services as defined by the access request and its approvals. The requirements and recommendations below establish best practices for administering accounts that provide access to System Office and College IT systems.
Requirement:
The System Office and Colleges must grant user access to IT systems and data based on the principle of least privilege. The principle of least privilege requires that a user be given no more privilege than necessary to perform a job.
The employee’s supervisor and the Data Owner must authorize and approve access to the IT system.
Criminal background checks, where required by the System Office or College, should be completed before an account is established.
Recommendation:
The Employee Work Profile (EWP) should clearly justify an employee’s approved access to IT systems.
The System Office or College should include background check requirements, where applicable, in the EWP of the affected employees.
Requirement:
The System Office or College must perform an annual review of all user accounts for sensitive IT systems to ensure the access remains accurate and proper.
Recommendation:
The System Office or College should perform an annual review of user access to other IT systems to ensure the access remains accurate and proper.
Additionally, periodic audits and reviews of all user accounts for IT systems are recommended. For example, the CIPPS Report 829 may be used on a monthly, bi-monthly, or quarterly basis to verify that terminated employees have been properly removed; this also serves as a check on the current process for removing terminated employees.
Requirement:
The System Office or College must have procedures in place that outline the steps personnel must take to notify the proper individuals when a user account is no longer required, or when a user account should be updated because of a change in an employee's EWP core duties. Situations requiring a change include termination, transfer, and changes in duties; the procedures must address each of these and identify who is responsible for each step of the process.
Requirement:
Unusual IT system activity should be investigated by the System Owner and System Administrator. Changes to IT system access level authorizations must be approved by the System Owner and System Administrator, and all records must be updated to reflect any change in IT system access levels.
Requirement:
Authentication and authorization requirements must be defined based on the sensitivity and risk of the IT system and its data. The System Office or College may require additional authentication methods (for example cryptographic authentication, biometrics, or hardware tokens) where sensitivity and risk warrant them.
Requirement:
Additional controls must be in place to ensure accounts are proper and remain current. This includes the following:
Unneeded accounts should be retained in a disabled state in accordance with the System Office or College records retention policy.
Access levels should be associated with group membership where possible, and every IT system user should be a member of at least one user group.
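The periodic audit described above (verifying that terminated employees have been removed, while disabled accounts are retained) and the group-membership control can both be carried out as one reconciliation of an HR termination report against a directory export. The following script is an added example and is not part of this standard or of any System Office tool; the actual layout of CIPPS Report 829 is not given here, so both inputs are constructed CSV samples with assumed column names (employee_id, termination_date, user_id, enabled, groups).

```python
"""Periodic account audit: reconcile a termination report against a
directory export.  Added example; both inputs and their column names are
constructed assumptions, not the real CIPPS Report 829 layout."""
import csv
import io
from datetime import date

# Constructed sample termination report (assumed columns).
TERMINATED_REPORT = """employee_id,name,termination_date
1001,Alice Example,2007-01-15
1002,Bob Sample,2007-02-02
1003,Carol Test,2007-02-10
"""

# Constructed sample directory export (assumed columns).  'groups' is a
# semicolon-separated list; an empty field means no group membership.
DIRECTORY_EXPORT = """user_id,employee_id,enabled,groups
aexample,1001,true,Staff;Finance
bsample,1002,false,
ctest,1003,true,
dstill,1004,true,Staff
evague,1005,true,
"""


def parse_csv(text):
    """Parse CSV text into a list of row dictionaries keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_accounts(terminated_csv, directory_csv, as_of):
    """Return three findings lists:
    - terminated_still_enabled: terminated employees whose account is still
      enabled (a removal-process failure), with days since termination so the
      oldest exposures can be handled first;
    - terminated_disabled: terminated employees correctly left in a disabled
      state (retained per records retention, not deleted);
    - enabled_without_group: enabled accounts that belong to no user group.
    """
    as_of_date = date.fromisoformat(as_of)
    terminated = {row["employee_id"]: row for row in parse_csv(terminated_csv)}
    findings = {
        "terminated_still_enabled": [],
        "terminated_disabled": [],
        "enabled_without_group": [],
    }
    for acct in parse_csv(directory_csv):
        enabled = acct["enabled"].strip().lower() == "true"
        groups = [g for g in acct["groups"].split(";") if g.strip()]
        emp = terminated.get(acct["employee_id"])
        if emp is not None:
            if enabled:
                term_date = date.fromisoformat(emp["termination_date"])
                findings["terminated_still_enabled"].append({
                    "user_id": acct["user_id"],
                    "employee_id": acct["employee_id"],
                    "termination_date": emp["termination_date"],
                    "days_since_termination": (as_of_date - term_date).days,
                })
            else:
                findings["terminated_disabled"].append(acct["user_id"])
        # Group check applies to every enabled account, terminated or not.
        if enabled and not groups:
            findings["enabled_without_group"].append(acct["user_id"])
    # Oldest unresolved terminations first.
    findings["terminated_still_enabled"].sort(
        key=lambda f: f["days_since_termination"], reverse=True)
    return findings


if __name__ == "__main__":
    result = audit_accounts(TERMINATED_REPORT, DIRECTORY_EXPORT, "2007-03-01")
    for key, items in result.items():
        print(f"{key}: {items}")
```

In practice the two inputs would be the exported report and a directory dump taken on the same day; running the script after each report cycle and tracking the `terminated_still_enabled` count over time gives a measurable check on whether the termination notification procedure is working.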
RELATED LINKS