Account Administration Security

  • Procedure Type: Information Technologies
  • Procedure Title: Account Administration Security
  • Procedure Number: NA
  • Office Responsible: Information Technologies
  • Related Policies: Information Technologies & Resources
  • Related Procedures: NA
  • Related Laws: NA
  • HLC Criterion: NA

Objective
In accordance with the Information Security and Acceptable Use Policy, and to ensure authorized access and prevent unauthorized access to College Information Resources, accounts must be managed according to this procedure. This ensures that access is limited to authorized users with a valid need for access to specific resources and that accounts are deactivated appropriately as roles and status change.

Centralized Authentication
When possible, computers and applications must be configured to utilize the Active Directory (AD) authentication system, via secure web services, direct AD, or the Lightweight Directory Access Protocol (LDAP). Granting access via a role or membership in a security group is required when feasible.

Establishing Access
When establishing a local account (one created directly within an operating system or application, which cannot use the AD authentication system), reasonable steps should be taken to verify the identity of the individual receiving the account, and the account should be named to match the AD and/or email name.

Access Management
Access privileges will be assigned so as not to exceed the minimum permissions necessary to perform job responsibilities. System owners are responsible for ensuring that access is authorized by the appropriate parties, with appropriate documentation, and that access is removed in a timely manner when a user no longer requires access. System owners should be able to produce records of accounts including the date, time, and source of most recent login, last password change, and access assigned to the account. Access lists should be reviewed at least semi-annually in order to ensure that assignments of unnecessary access are removed.

Account Expiration
When technically possible, accounts must be configured to disable automatically unless extended, based upon periodic review. For example, the account for a contractor who will be employed for 6 months should automatically disable after 6 months unless the business contract is extended. OCC Contract owners are responsible for immediately notifying the IT Department of contractors who leave before the contract expiration date.

Change Log

  • 07-01-2018  Effective date
