IT Security Standard: Managing Computer Accounts

Brief Description:

This standard addresses the management and review of computer accounts to maintain access control on all systems.  These standards apply to anyone who has a campus computer account such as faculty, staff, students, parents, alumni, vendors, volunteers, affiliates, and members of the public. 

Related Policy:

• Cal Poly Information Security Program (ISP)
• Cal Poly Information Technology Responsible Use Policy
• CSU Information Security Policy (ISO Domain 9: Access Control)

Introduction:

This standard exists to ensure that access to computer systems is appropriately requested, approved, granted, terminated, and reviewed on a regular basis.  Management of computer accounts is critical in protecting sensitive data and minimizing risks to our university.

Scope:

This standard applies to all computer systems in all campus departments.  This includes, but is not limited to, access granted by system accounts, application accounts, or database accounts.  This access is critical when dealing with Level 1 and Level 2 data as defined in the Cal Poly Information Classification and Handling Standard.

The target audience is anyone who has responsibility for requesting, approving, terminating, using, and reviewing computer accounts. 

Standard:

Required:

1. A user account must only be used by the person to whom it is assigned. 
2. The processes to create and terminate user accounts must be approved and documented by an authorized owner of the system, application, or database.  A list of authorized owners must be documented and maintained.   
3. Nobody is allowed to authorize their own access.   Administrators who have access to add or elevate their own privileges must have mitigating procedures in place for logging changes to production systems containing Level 1 and Level  2 data.
4. Follow the principle of least privilege.  Do not authorize administrative access to someone who does not require this. 
5. User account access to view, change or delete information must be disabled or deleted when no longer required.  This can be accomplished through changes in authorization (privileges granted to an account) or removal of the account itself if no privileges are required. 
6. Periodic reviews and documented signoffs of Cal Poly employee user accounts providing access to Level 1 or Level 2 data must be performed on a regular basis, at least annually.  Annual signoffs on automated processes for populations such as students or alumni can be done if the process is approved by the ISO.  Triggering events require immediate review of access be performed by the Authorized Owner or appropriate approving authority.  These events include position change or termination.
7. User accounts can be suspended at any time if requested by an appropriate representative in the respective department or College, the Chief Information Officer, or Information Security Officer.  Unless otherwise authorized, a user’s account must be disabled by the user’s last day of employment or other relationship with the University.

Recommended:

1. Disable accounts with access to Level  1 or Level  2 data that have not been accessed since the last required review period.
2. Administrator accounts should only be used for tasks that require administrative privileges.
3. System Administrators must take care to ensure that user access is approved and necessary for operational purposes.

Definitions:

Administrator Accounts – System accounts with privileges that allow one to perform super-user functions such as performing installs, altering critical system configurations or data, granting permissions to other accounts, etc.  These accounts are often used by malicious attackers to compromise systems.

Responsibilities: 

Authorized Owner – Overall responsibility for system, application, or database access which includes processes and procedures for maintaining and reviewing computer accounts.

System Administrator – Responsible for the creation of computer accounts upon approval by Authorized Owners.  Responsible for the termination or suspension of computer accounts.

User – Anyone who has a computer account.  Responsible for adhering to campus security policies and standards.

Non-Compliance and Exceptions:

Systems may be scanned or physically examined for compliance with this standard at any time. Systems found in non-compliance with this standard may be removed from the network until they do comply.

If it is technically infeasible for an information asset to meet this standard, departments must submit a request for exception to the Vice Provost/CIO and Information Security Officer for review and approval.

Related Procedures and Resources:

• IT Security Standard: Passwords
• IT Security Standard: Computing Devices
• Cal Poly Information Classification and Handling Standard
• Principle of Least Privilege
• IT Policy/Security Standard Exception Request Process

Implementation

Effective Date:	9/30/2010
Review Frequency:	Annual
Responsible Officer:	Vice Provost/Chief Information Officer

Revision History

Date	Action	Pages
9/30/2010	Initial document released	All
5/25/2022	Updated CSU Policy number	All