USER ACCOUNT MANAGEMENT POLICY



Similar documents
IT-P-001 IT Helpdesk IT HELPDESK POLICY & PROCEDURE IT-P-001

IT BACKUP POLICY AND PROCEDURES IT-P-005

Account Management Standards

Assigning Severity Codes

Access Control Policy. Document Status. Security Classification. Level 4 - PUBLIC. Version 1.0. Approval. Review By June 2012

Information Technology Branch Access Control Technical Standard

Estate Agents Authority

PATCH MANAGEMENT POLICY IT-P-016

Procedure Manual. Number: A6Hx2-8.01a. Title: College Network and Software Usage by Employees. Policy Number: 6Hx of 21

PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name]

State of South Carolina Policy Guidance and Training

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

Securing Adobe PDFs. Adobe - Certified Document Services Registration Authority (RA) Training. Enterprise Security. ID Verification Services

Qualified Electronic Signatures Act (SFS 2000:832)

Broker Registration Guide for TrustFunds Authentication A- B- C Registration Steps

Information Security Operational Procedures

I. Purpose. Definition. a. Identity Theft - a fraud committed or attempted using the identifying information of another person without authority.

Authorized Subscribers

Certification Practice Statement

Danske Bank Group Certificate Policy

The first step in protecting Critical Cyber Assets is identifying them. CIP-002 focuses on this identification process.

MEMORANDUM OF UNDERSTANDING

PROMEDICA FEDERAL CREDIT UNION 2301 W. Central Avenue Toledo, OH (419)

Supplier IT Security Guide

Security Annex for 2FA Additional Terms for Two Factor Authentication Service

DHHS Information Technology (IT) Access Control Standard

ICT USER ACCOUNT MANAGEMENT POLICY

Distance Education Policies and Procedures

Online Service Agreement for Business Accounts

Privacy Policy documents for

wvoasis Vendor Self Service Registration Quick Start Guide Release

Vehicle Security Professional Registry -- Frequently Asked Questions in Canada

Server Security Checklist (2009 Standard)

Introduction to NemID and the NemID Service Provider Package

How To Use Allnet Configuration Utility On A Pc Or Mac Or Ipad (Powerline) With A Powerline (Powerbook) With Powerline 2.5 (Powerbee) With An Ipad Or Powerplug (Powerplug) With

Type of Personal Data We Collect and How We Use It

REGISTRATION AUTHORITY (RA) POLICY. Registration Authority (RA) Fulfillment Characteristics SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL, S.A.

Service Description. 3SKey. Connectivity

BUSINESS ONLINE BANKING QUICK GUIDE For Company System Administrators

Musina Local Municipality. Information and Communication Technology User Account Management Policy -Draft-

Using LDAP Authentication in a PowerCenter Domain

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

Managing Users, Roles, and Domains

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

Kroger Supplier Information Management System (SIM) Training Documentation

RemotelyAnywhere Getting Started Guide

IT Operations User Access Management Policies

The purpose of Mohawk College s Purchasing Card Policy ( policy ) is to:

Donate Life Promotion Facebook/Twitter/Instagram/Rafflecopter April 9 May 1, 2015 Official Rules PLEASE READ THE OFFICIAL RULES CAREFULLY.

HKUST CA. Certification Practice Statement

Novell ZENworks Asset Management 7.5

Security First Bank Consumer Online Banking Information Sheet, Access Agreement and Disclosures

Microsoft Dynamics GP 2010

Policies of the University of North Texas Health Science Center. Chapter 14 UNT Health Credentialing and Privileging Licensed Practitioners

First initial of their first name Last name sign Client ID (selected by Client upon isi set-up)

I. Register/ Sign Up 1. Visit 2. Choose Sign Me Up!

Parallels. for your Linux or Windows Server. Small Business Panel. Getting Started Guide. Parallels Small Business Panel // Linux & Windows Server

Data Management Policies. Sage ERP Online

Contact Us. Information We Collect. Petzi s Privacy Policy: Last Updated: October 8, 2015

How to Access and Redeem Cisco Certification Exam Discount Vouchers

Online GDR System VENDOR USER GUIDE

Shipping Administration Getting Started Guide

Security Digital Certificate Manager

Security Digital Certificate Manager

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide

Standard CIP 007 3a Cyber Security Systems Security Management

Ericsson Group Certificate Value Statement

Strategic Identity Management for Industrial Control Systems

ClubRunner Event Payment Setup Guide

The Comprehensive Guide to PCI Security Standards Compliance

MULTI-FACTOR AUTHENTICATION SET-UP

Standard CIP Cyber Security Systems Security Management

Internet Banking Internal Control Questionnaire

Walton Centre. Document History Date Version Author Changes 01/10/ A Cobain L Wyatt 31/03/ L Wyatt Update to procedure

HP Service Manager. Process Designer Content Pack Processes and Best Practices Guide

ReliabilityFirst CIP Evidence List CIP-002 through CIP-009 are applicable to RC, BA, IA, TSP, TO, TOP, GO, GOP, LSE, NERC, & RE

Microsoft Dynamics GP Release. Workflow Administrator s Guide

Getting Started with StoreGrid Cloud

Transcription:

USERS ACCOUNT MANAGEMENT POLICY f A member of ~~ INTCRNAT 0: ~t, UNIVCRSITICS' USER ACCOUNT MANAGEMENT POLICY IT-P-010 Date: March 3, 2014

USERS ACCOUNT MANAGEMENT POLICY f. Amemberof.olilllll ' INTtRN ~T. O:-<Ac, I Ul\, ERSITI ~S' Users Account Management Policy Department of Information Technology Purpose The purpose ofthis Policy is to establish the rules for the requesting, reviewing, approving, maintaining and terminating user accounts. User access controls are put in place to protect information by controlling who has the rights to use different information resources and by guarding against unauthorized use. Formal procedures must control how access to information is granted and how such access is changed. Scope This policy applies to all users of STIU's information assets to include all divisions, departments, business units, vendors, consultants, subcontractors, staff, faculty or students regardless of geographic location. This policy covers all information assets operated by STIU or those contracted with third parties by STIU. The term "information asset" defines electronic and non-electronic assets and includes, but it is not limited to all documentation, business processes, data, products, hardware (e.g. desktop, network devices), and software. Procedure Information Responsible Office: Department of Information Technology, Stamford International University Issued Date: March 3, 2014 2

f A member of ~I ln. U.NAT'O' ~, I UN:ICRSI l ~ Revision History Revision Number Document Number 00 IT-P-009 01 IT-P-010 Description Effective Date New Release December 24, 2013 Release 1 March 3, 2014 3

Tt..e Orff erpnc e,.r R.n..( f. A member of.<iiiii I : II':T [RNI\~!C>" l, I UNIV[R51TII IT-P-010 Contents Users Account Management Policy.............. 2 Pu rpose...... 2 Scope... 2 Procedure Information......... 2 Revision History...... 3 Recommendation and Approvals... 5 User Access Management...... 6 User Identification... 6 User Verification/ Registration...,... 6 User ID Composition.............. 7 Generic Accounts...... 7 Default System Accounts...... 7 Privileged Accounts... 7 Least Privileges......... 7 User Transfer/Termination Standard...... 8 Notification... 8 Revocation... 8 User Job/Function Change Notification... 8 Termination Report...... 9 Password Management...... 9 4

f Amemberof.oillll INTCRNAT<)~'IL, : ljt JERSITifS' Recommendation and Approvals Name: Position: Date: Stella Root Business Analyst March 3, 2014 Approved by: ~ --------------------- - -- ----- Name: Sourjya Sankar Sen Position: Director, Information Technology Date: March 3, 2014 s~ )[L_ Name: Position: Date: Gilles Mahe CEO, Stamford International University March 3, 2014 ---~~- -s_. Name: Position: Date: Dr. Boonmark Sirinaovakul President, Stamford International University March 3, 2014 5

, A member of ~I "mrniit;qnat, I Ul\' l f RSITICS' User Access Management All internal and external users should be uniquely identified and authenticated prior to accessing STIU's information assets in order to provide accountability for the user's actions. The IT Department shall ensure that appropriate access controls are implemented to protect all of STIU's information assets. Access to information assets should be permitted only for validated business roles, responsibilities, and requirements and should be formally authorized by HR Department. Users should be associated with roles that should only have the minimum access rights and privileges needed to perform a particular function or transaction. Users should be prevented from gaining access to information assets for which they do not possess a validated business requirement. User Identification Access to STIU information assets should be restricted to authorized users only. The designated owner of the information asset should authorize role entitlements only on a 'need to know' basis and users should be associated with these roles. IT and HR Departments should verify user's identity as a condition for providing them with access to STIU information assets. This policy establishes STIU's user account management policy for administering the accounts of system users to include accounts, passwords, privilege management, and user transfer/termination. User Verification/Registration HR department should submit a request for user access for each new user. An "Employee Setup Request Form" should be used to document the user access request. Requests from unauthorized users should be returned to the requestor. The following guidelines should be followed in registering authorized users: No users are to be provided access without a request from HR Department; User access rights must be reviewed to ensure that the appropriate rights are still allocated; 6

Amemberof, INTCF'NATION \L UN!VfPSI"IfS" User ID Composition Each new user should be assigned a unique User ID generated by the IT Department based on user's First and Last names. Generic Accounts A "generic" user account that is designated for use by either multiple users, anonymous users and/or departments, without enabling individual authentication and accountability, is not allowed. Exceptions to this policy require the documented approvals from both the owner ofthe information asset or business process, and from IT Department Director. Default System Accounts The default accounts shipped with software should be disabled unless doing so would cause the software to malfunction. Immediately upon installation, if technically feasible, all administrator equivalent user accounts should be renamed and password should be changed or disabled/removed if not required. Privileged Accounts Users that are granted privileged access (i.e., access to system security mechanisms, etc.) will use a different unique account name assigned to a unique user when exercising those privileges. Otherwise, a user id with more standard privileges should be utilized. Users will: Maintain one ID with normal user privileges for everyday use. Maintain at least 1 additionalid solely for exercising higher system privileges. Least Privileges Privileges should be provided to align risk commensurate with that which is necessary to conduct business. This should be accomplished by minimizing the access rights and privileges of users to the level needed to complete their assigned and approved responsibilities. The level of systems access granted to any user should be appropriate for the business purpose. 7

f A member of ~I, INTrRNAr;m ", I UNIVfRSrT!l.S' User Transfer/Termination Standard This section establishes the standard process to be followed, in the event an authorized use r is terminated or transferred. Designated user managers and the HR Department are required to inform the IT Department immediately of changes in the employee's job function and/or employment termination in order to ensure that access privileges are appropriately adjusted in a timely manner. Detailed procedures should be developed and followed for user transfer and termination process. Notification The institution's management will notify the HR Department of any changes in personnel status. Then HR will notify the IT Department within a reasonable time frame upon the resignation, termination or transfer of users to ensure that their access to critical applications is revoked or adjusted as needed. Revocation Upon a user's termination or resignation, user IDs and passwords associated with that user should be disabled immediately. User Job/Function Change Notification The institution's management will notify the HR Department of any function changes in personnel status. Then HR will notify the IT Department within a reasonable t ime frame following the employee job/function change or transfer of users to ensure that their access to critical applications is revoked or adjusted as needed. 8

A memberof, laureate IKTLRNAT C' '\t UNIV RSITI(5" Termination Report The termination report generated by HR Department will be obtained and reviewed periodically by IT department. A ticket will be generated in the HelpDesk system three times a year to review the accounts against HR records of active/terminated employees. All user access rights belonging to terminated employees that are still active should be disabled immediately. Password Management All STIU information assets should be protected by the appropriate authent ication controls. Passwords are the most common form of the authentication controls for electronic information assets. Users should supply valid use r-id and password in order to be granted access to the STIU electronic information assets. Additional details regarding password settings, standards and management has been defined in the STIU Security Policy. 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information