1 PURPOSE
Enterprise Technology & Services (ET&S) is charged by the University System of New Hampshire (USNH) to protect the integrity, confidentiality, and availability of systems and information. This standard establishes directives for managing the digital identity accounts that facilitate access or changes to USNH's information technology resources.
2 SCOPE
This standard applies to the following accounts issued by USNH:
- Primary Account: Primary Accounts are the most common account type and are often referred to as the USNH username and password. All active faculty, staff, and students of GSC, KSC, PSU, UNH, and the USNH System Office are assigned a Primary Account, usually named after the individual (e.g., firstname.lastname@yourinstitution.edu). Primary Accounts give individuals access to USNH information technology systems, devices, and services that require single sign-on (SSO); examples include Canvas, Microsoft Office 365, and Kronos. All Primary Accounts are subject to USNH Information Security Standards and Policies, and the individual to whom the Primary Account is assigned is responsible for the appropriate use of that account.
- Secondary Account: A Secondary Account is also referred to as a privileged or elevated access account. It is a second account, with a different username and password, assigned to an individual who has a business need for multiple accounts with varying levels of access (e.g., system administrators who require administrative accounts with elevated security permissions, which must be kept separate from their Primary Accounts). All Secondary Accounts are subject to all USNH Information Security Standards and Policies, and the individual to whom the Secondary Account is assigned is responsible for the appropriate use of that account.
- Pool Account: A Pool Account is controlled by a designated USNH employee, called the Guardian of the account, and is assigned to a specific person, called the account user (usually an hourly or temporary student employee), with a set expiration date. The Guardian supervises the use of the account, ensures that it is used in compliance with all USNH Information Security Standards and Policies, and works with the IT Account Administrators to maintain the records of who has used the Pool Account. The default expiration date for a Pool Account is the end of the current fiscal year (unless otherwise noted) and never more than one year out. Over time a Pool Account may be re-assigned to several people, but it can never be assigned to more than one person at a time. Upon notification by the Guardian that the user of the account has left their position, the IT Account Administrators will disable the Pool Account. When a new user requires the Pool Account, the Guardian is responsible for requesting that it be re-activated and re-assigned. All Pool Accounts are subject to this and all USNH Information Security Standards and Policies, and the individual to whom the Pool Account is currently assigned is responsible for the appropriate use of that account.
- Sponsored IT Account: This type of primary account is assigned to a non-affiliate of the University who has business with USNH requiring access to IT resources. This includes, but is not limited to, volunteers, contractors, visiting students, and scholars. Sponsored IT Accounts require yearly approval and renewal by a President, Vice President, Provost, Dean, or Designated Sponsor Representative (DSR). All Sponsored IT Accounts are subject to this and all USNH Information Security Standards and Policies, and the individual to whom the Sponsored IT Account is assigned is responsible for the appropriate use of that account.
- Service Account: A service account is a dedicated account with elevated privileges used to run applications and other processes. Service accounts may also be created to own data and configuration files. They are not intended for interactive use by people except for administrative operations.
3 STANDARD
Account management includes requesting, issuing, modifying, and disabling all USNH information technology accounts. All account access decisions shall be made per the USNH Access Management Standard.
3.1 Account Creation
3.1.1 Before creating user accounts, the sponsoring unit or division shall verify the user's affiliation with USNH.
3.1.2 Accounts are reserved for USNH faculty, staff, students, and applicants. Other individuals affiliated with USNH or otherwise needing USNH credentials shall request an account provisioned per the USNH Sponsored Account Standard.
3.1.3 Enterprise information technology account usernames shall conform to the USNH account username convention.
- Accounts shall be provisioned following a role-based access scheme.
3.1.4 The principle of least privilege shall be applied when provisioning accounts. Users shall not be granted more privileges than are necessary for the functions they will be performing.
- Non-privileged user accounts must be used and only elevated to root or Administrator when necessary. A secure mechanism to escalate privileges (e.g., via User Account Control or via sudo) with a standard account is acceptable to meet this requirement.
- Privileged accounts must not be used for non-privileged activities.
- USNH enterprise administrative accounts are reserved for USNH employees with a demonstrated need.
- All privileged account activity shall be logged and monitored per the USNH Log Management Standard.
3.1.5 Vendor or contractor accounts requiring elevated privileges shall be arranged per the USNH Sponsored Account Standard and/or the Exception process.
3.1.6 There shall be exactly one user associated with an account.
3.1.7 Account usage requires the account owner's formal acknowledgment that they have read and understood the USNH Acceptable Use Policy (AUP).
3.1.8 Devices must be configured with separate accounts for privileged (administrator) and non-privileged (user) access.
3.2 Account Management
ET&S shall establish and maintain an inventory of all information technology accounts managed within USNH.
- The inventory, at a minimum, shall contain the user's first and last name, username, start/stop dates, and department.
- When feasible, centralized authentication and account management shall be employed through the central USNH directory or identity service.
3.2.1 Account and Access Reviews
• All active USNH privileged accounts shall be re-authorized on a recurring schedule, at a minimum annually.
• Access modifications shall include valid authorization from appropriate administrative, academic, or business unit management and ET&S.
      o The Identity and Access Management team shall review active directory-privileged accounts.
      o The appropriate business unit leadership shall review local privileged/administrative accounts.
• The employee's manager is responsible for reviewing employee accounts and access privileges with ET&S upon job changes (e.g., termination, position changes).
3.3 Account Protection
• All accounts used to access USNH's information technology resources shall comply with the USNH Password Policy.
• System administrator accounts shall use centralized authentication.
• Central authentication systems should lock user accounts in accordance with industry best practices.
• Administrators shall verify user identity prior to re-enabling or resetting user accounts.
• Multi-factor Authentication (MFA) shall be implemented for all USNH administrator accounts. Exceptions will be granted based on operational need, such as for a service account, or through the exception process.
• In some cases, USNH users may be asked to provide identity verification when working with the ET&S team, so that ET&S can validate the correct user and help prevent identity theft and/or fraud.
3.4 Disabling and Deletion of Accounts
- Accounts out of compliance with the USNH Password Policy will be disabled and may be deleted.
- All user accounts must be deprovisioned, and access attributes removed, immediately upon separation unless a prior exception is in place.
      o Faculty leaving USNH in good standing may request access for up to 90 days past their last day of employment.
      o ET&S will assist users with data transfer upon request.
- Self-service mechanisms may not be used to re-enable a deprovisioned account.
3.5 Local Administrative Accounts
In adherence to the cybersecurity principle of least privilege, ET&S will not enable local administrative rights on USNH-owned systems by default. Individuals needing elevated privileges must submit an exception request with a business justification.
DOCUMENT HISTORY
- Drafted: USNH Cybersecurity GRC; Reviewed by: USNH Cybersecurity Committee
- Revision History: K Sweeney, December 14, 2023, section 4.3
- K Sweeney, May 30, 2024, formatting
- Approved by: Thomas Nudd, Chief Information Security Officer