Account Management Standard

1 PURPOSE 

Enterprise Technology & Services (ET&S) is charged by the University System of New Hampshire (USNH) to protect the integrity, confidentiality, and availability of systems and information. This standard establishes directives for managing the digital identity accounts that facilitate access or changes to USNH's information technology resources.


2 SCOPE 

This standard applies to the following account types issued by USNH:

2.1  Primary Account

The Primary Account is the most common account type and is often referred to as the USNH username and password. All active faculty, staff, and students of GSC, KSC, PSU, UNH, and the USNH System Office are assigned a Primary Account, usually named after the individual (ex: firstname.lastname@yourinstitution.edu). Primary Accounts give individuals access to USNH information technology systems, devices, and services that require single sign-on (SSO); examples include Canvas, Microsoft Office 365, and Kronos. All Primary Accounts are subject to USNH Information Security Standards and Policies, and the individual to whom the Primary Account is assigned is responsible for the appropriate use of that account.

2.2  Secondary Account

A Secondary Account is also referred to as a privileged or elevated-access account. It is a second account, with a different username and password, assigned to an individual who has a business need for multiple accounts with varying levels of access (e.g., a system administrator who requires an administrative account with elevated security permissions that must be kept separate from the Primary Account). All Secondary Accounts are subject to all USNH Information Security Standards and Policies, and the individual to whom the Secondary Account is assigned is responsible for the appropriate use of that account.

2.3  Pool Account

This IT account is controlled by a designated USNH employee, called the Guardian of the account, and is assigned to a specific person, called the account user (usually an hourly or temporary student employee), with a set expiration date. The Guardian of the account supervises the use of the account, ensures that it is used in compliance with all USNH Information Security Standards and Policies, and works with the IT Account Administrators to maintain the records of who has used the Pool Account. The default expiration date for a Pool Account is the end of the current fiscal year (unless otherwise noted), and in no case more than one year from assignment. Over time, a Pool Account may be re-assigned to several people, but it can never be assigned to more than one person at a time. Upon notification by the Guardian that the user of the account has left their position, IT Account Administrators will disable the Pool Account. When a new user requires the Pool Account, the Guardian is responsible for requesting that it be re-activated and re-assigned. All Pool Accounts are subject to this and all USNH Information Security Standards and Policies, and the individual to whom the Pool Account is currently assigned is responsible for the appropriate use of that account.

2.4  Sponsored IT Account

This type of Primary Account is assigned to a non-affiliate of the University who has business with USNH requiring access to IT resources. This includes, but is not limited to, volunteers, contractors, visiting students, and visiting scholars. Sponsored IT Accounts require yearly approval and renewal by a President, Vice President, Provost, Dean, or Designated Sponsor Representative (DSR). All Sponsored IT Accounts are subject to this and all USNH Information Security Standards and Policies, and the individual to whom the Sponsored IT Account is assigned is responsible for the appropriate use of that account.

2.5  Service Account

A service account is a dedicated account with elevated privileges used to run applications and other processes. Service accounts may also be created to own data and configuration files. They are not intended for interactive use by people, except for administrative operations.


3 STANDARD 

Account management includes requesting, issuing, modifying, and disabling all USNH information technology accounts. All account access decisions shall be made per the USNH Access Management Standard.

3.1 Account Creation

3.1.1  Before creating a user account, the sponsoring unit or division shall verify the user's affiliation with USNH.

3.1.2  Accounts are reserved for USNH faculty, staff, students, and applicants. Other individuals who are affiliated with USNH or otherwise need USNH credentials shall request an account provisioned per the USNH Sponsored Account Standard.

3.1.3  Enterprise information technology account usernames shall conform to the USNH account username convention.

  • Accounts shall be provisioned following a role-based access scheme.

3.1.4  The principle of least privilege shall be applied when provisioning accounts. Users shall not be granted any more privileges than necessary for functions the user will be performing.

  • Non-privileged user accounts must be used for routine work and elevated to root or Administrator only when necessary. A secure mechanism for escalating privileges from a standard account (e.g., User Account Control or sudo) is acceptable to meet this requirement.
  • Privileged accounts must not be used for non-privileged activities.
  • USNH enterprise administrative accounts are reserved for USNH employees with a demonstrated need.
  • All privileged account activity is required to be logged and monitored per the USNH Log Management Standard.

3.1.5  Vendors or contractors who require accounts with elevated privileges shall be provisioned per the USNH Sponsored Account Standard and/or the Exception process.

3.1.6  Each account shall be associated with exactly one user.

3.1.7  Account usage requires the account owner's formal acknowledgement that they have read and understood the USNH Acceptable Use Policy (AUP).

3.1.8  Devices must be configured with separate accounts for privileged (administrator) and non-privileged (user) access.

3.2 Account Management

ET&S shall establish and maintain an inventory of all information technology accounts managed within USNH.

  • The inventory, at a minimum, shall contain the user's first and last name, username, start/stop dates, and department.
  • When feasible, centralized authentication and account management shall be employed through the central USNH directory or identity service.

3.2.1 Account and Access Reviews

  • All active USNH privileged accounts shall be reviewed and re-authorized on a recurring schedule, at a minimum annually.
  • Access modifications shall include valid authorization from appropriate administrative, academic, or business unit management and from ET&S.
    • The Identity and Access Management team shall review Active Directory privileged accounts.
    • The appropriate business unit leadership shall review local privileged/administrative accounts.
  • The employee's manager is responsible for reviewing the employee's accounts and access privileges with ET&S upon job changes (e.g., termination, position changes).
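As an added illustration of the inventory and review requirements in 3.2 and 3.2.1 (together with the expiration rule for Pool Accounts in 2.3, the non-interactive rule for service accounts in 3.3, and the deprovisioning rule in 3.4), the following Python script is example code written for this page, not an ET&S tool. It walks a constructed account inventory and reports the entries an annual review should flag. The Account fields, the sample usernames and departments, and the treatment of service accounts as inventoried under a department rather than a named person are assumptions made for the example.

```python
"""Account inventory review: example code, not part of the USNH standard."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

ONE_YEAR = timedelta(days=365)


@dataclass
class Account:
    username: str
    account_type: str                        # primary | secondary | pool | sponsored | service
    first_name: str = ""
    last_name: str = ""
    department: str = ""
    start_date: Optional[date] = None
    stop_date: Optional[date] = None
    enabled: bool = True
    privileged: bool = False
    last_authorized: Optional[date] = None   # last privileged-access re-authorization (3.2.1)
    assigned_users: Tuple[str, ...] = ()     # pool accounts: current holder(s) (2.3)
    interactive_logon: bool = False          # service accounts should be non-interactive (3.3)
    separated_on: Optional[date] = None      # HR separation date, if the person has left (3.4)
    exception_until: Optional[date] = None   # approved post-separation access, e.g. 90-day faculty window (3.4)


def review_account(acct: Account, today: date) -> List[str]:
    """Return the list of review findings for one inventory entry (empty if compliant)."""
    findings: List[str] = []

    # 3.2: the inventory must carry name, username, start/stop dates and department.
    # Assumption: a service account is inventoried under its owning department, not a person.
    required = ["username", "start_date", "stop_date", "department"]
    if acct.account_type != "service":
        required += ["first_name", "last_name"]
    for field_name in required:
        if not getattr(acct, field_name):
            findings.append(f"missing inventory field: {field_name}")

    # An enabled account whose stop date has passed should already have been disabled.
    if acct.enabled and acct.stop_date and acct.stop_date < today:
        findings.append("enabled past stop date")

    # 2.3 / 3.1.6: pool accounts expire within one year and have one holder at a time.
    if acct.account_type == "pool":
        if acct.start_date and acct.stop_date and acct.stop_date - acct.start_date > ONE_YEAR:
            findings.append("pool account term exceeds one year")
        if len(acct.assigned_users) > 1:
            findings.append("pool account assigned to more than one person")

    # 3.2.1: active privileged accounts are re-authorized at least annually.
    if acct.privileged and acct.enabled:
        if acct.last_authorized is None or today - acct.last_authorized > ONE_YEAR:
            findings.append("privileged access not re-authorized within the last year")

    # 3.3: service accounts are non-interactive.
    if acct.account_type == "service" and acct.interactive_logon:
        findings.append("service account permits interactive logon")

    # 3.4: deprovision on separation unless an approved exception is still in effect.
    if acct.enabled and acct.separated_on and acct.separated_on <= today:
        if acct.exception_until is None or acct.exception_until < today:
            findings.append("separated user still enabled")

    return findings


def review_inventory(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return {username: findings} for every account with at least one finding."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct.username] = findings
    return report


# Constructed sample inventory for the example; none of these are real accounts.
TODAY = date(2025, 6, 1)
SAMPLE = [
    Account("jane.doe", "primary", "Jane", "Doe", "Biology", date(2019, 8, 15), date(2026, 6, 30)),
    Account("jane.doe-adm", "secondary", "Jane", "Doe", "ET&S", date(2021, 1, 4), date(2026, 6, 30),
            privileged=True, last_authorized=date(2024, 2, 1)),        # review older than a year
    Account("lab.pool3", "pool", "Pat", "Guardian", "Chemistry", date(2024, 7, 1), date(2026, 6, 30),
            assigned_users=("s.one", "s.two")),                          # two holders, two-year term
    Account("svc-backup", "service", department="ET&S", start_date=date(2020, 3, 1),
            stop_date=date(2026, 6, 30), interactive_logon=True),        # should be non-interactive
    Account("bob.smith", "primary", "Bob", "Smith", "", date(2015, 9, 1), date(2025, 5, 1),
            separated_on=date(2025, 5, 1)),                              # left a month ago, still enabled
    Account("ann.lee", "primary", "Ann", "Lee", "History", date(2010, 9, 1), date(2025, 8, 13),
            separated_on=date(2025, 5, 15), exception_until=date(2025, 8, 13)),  # 90-day faculty window
]

if __name__ == "__main__":
    for user, issues in review_inventory(SAMPLE, TODAY).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

Run against the constructed inventory, the script reports the stale privileged re-authorization on jane.doe-adm, both Pool Account violations on lab.pool3, the interactive service account, and three findings on bob.smith (missing department, enabled past stop date, and still enabled after separation), while jane.doe and the faculty member inside an approved 90-day window produce no findings. In practice the Account records would be pulled from the central directory or identity service named in 3.2 rather than typed in.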

3.3 Account Protection

  • All accounts used to access USNH's information technology resources shall comply with the USNH Password Policy.
  • System administrator accounts shall use centralized authentication.
  • Central authentication systems should lock user accounts after repeated failed authentication attempts, in accordance with industry best practices.
  • Administrators shall verify user identity prior to re-enabling or resetting user accounts.
  • Multi-factor authentication (MFA) is required for all USNH administrator accounts. Exceptions may be granted based on operational needs through the formal USNH exception process.
  • All service accounts (e.g., those used for backups) should be non-interactive; their use should be monitored, and they should adhere to the USNH Password Policy and be stored in the enterprise password safe.
  • In some cases, USNH users may be asked to provide identity verification when working with the ET&S team, to validate the correct user and help prevent identity theft and/or fraud.

3.4 Disabling and Deletion of Accounts

  • Accounts out of compliance with the USNH Password Policy will be disabled and may be deleted.
  • All user accounts must be deprovisioned and access attributes removed immediately upon separation unless a prior exception is in place.
    • Faculty leaving USNH in good standing may request access for up to 90 days past their last day of employment.
  • ET&S will assist users with data transfer upon request.
  • Self-service mechanisms may not be used to re-enable a disabled account.

3.5 Local Administrative Accounts

In adherence to the cybersecurity principle of least privilege, ET&S shall not enable local administrative rights on USNH-owned systems by default. Individuals needing elevated privileges shall submit an exception request with a business justification.


DOCUMENT HISTORY

  • Drafted by: USNH Cybersecurity GRC
  • Reviewed by: USNH Cybersecurity Committee
  • Revision History:
    • K Sweeney, December 14, 2023, section 4.3
    • K Sweeney, May 30, 2024, formatting
    • C Grebloski, January 10, 2025, section 3.3
    • Cybersecurity GRC, June 1, 2025, revised and updated formatting
  • Approved by: Thomas Nudd, Chief Information Security Officer