User Account and Access Management Policy

Last Reviewed: October 6, 2022
Last Revised: October 6, 2022

  1. Introduction

    Computer accounts are the means used to grant access to the University of Denver (“University”) Information Resources. These accounts provide accountability, a key to any computer security program, for information resource usage. Creating, controlling, and monitoring all computer accounts and their access is essential to the University’s security program.

  2. Policy Overview
    1. Purpose
      This policy establishes the rules for creating, monitoring, controlling, and removing accounts.
    2. Scope
      This policy applies to the University’s students, faculty, staff, consultants, contractors, agents, and authorized users accessing the University’s information resources.
    3. Policy
      The University shall establish a process:
      1. For requesting, approving, issuing, and closing user accounts.
      2. To assign access privileges based on the principle of least privilege.
      3. To periodically review user access.
         
  3. Process Overview
    1. Account Management Requirements
      1. User account requests must be formally documented and appropriately approved.
      2. All users must use a unique ID to access University systems and applications. Passwords shall be set following the University’s Password Management Policy.
      3. A user’s identity must be verified before executing a password reset.
      4. User accounts and access rights must be reviewed annually to detect unused or dormant accounts and accounts with excessive privileges.
      5. Accounts of individuals on extended leave (more than 90 days) shall be disabled.
      6. Users must complete security awareness training within 30 days of account activation/matriculation.
      7. User accounts must follow the University’s documented account termination procedures.
      8. User accounts must be monitored for inappropriate use and activity.
         
    2. Access Management Requirements
      1. The University will provide access privileges to the University’s technology (including networks, systems, applications, computers, and mobile devices) based on the following principles:
        1. Business needs – users or resources will be granted access to systems necessary to fulfill their roles and responsibilities.
        2. Least privilege – users or resources will be provided with the minimum privileges necessary to fulfill their roles and responsibilities.
      2. Access requests for all accounts and permissions, including privileged and limited user accounts, must be documented using the Banner access request process or the ticketing system.
      3. Alternative authentication mechanisms that do not rely on a unique ID and password must be formally approved.
      4. Access to University systems and applications must use multifactor authentication (MFA), where technically feasible and practical.
      5. Remote access must be authorized. MFA is required for all remote access to University systems and services, and connections must be monitored and additional alerts enabled.
      6. System sessions must automatically lock after 15 minutes of inactivity where feasible and practical. The inactivity timer for applications shall be set to 8 hours.
      7. University systems shall enforce a limit of 5 or fewer consecutive invalid login attempts by a user and lock the offending account for 15 minutes.
      8. Access rights shall be disabled or removed when the user is terminated or ceases to have a legitimate reason to access University systems.
      9. User account access must be reviewed annually to determine if access rights are still needed. Changes to account access rights must be approved and documented.
      10. University IT is responsible for managing access to applications and services. Exceptions must be documented, reviewed, and approved by the CISO, CIO, or their designee.
      11. All account access must be continuously monitored and reviewed.
         
    3. Contractors and Vendors Accounts
      The University contracts with vendors and contractors to support business processes and functions, manage systems and applications, and perform tasks on behalf of the University. Contractor and vendor accounts:
       
      1. Shall have signed a Non-Disclosure Agreement before providing access.
      2. Shall maintain a list of contractors or vendors’ accounts having access to University systems.
      3. Shall automatically expire after 180 days; extensions must be requested and documented.
      4. Shall use MFA where feasible.
      5. Shall be monitored and reviewed quarterly.
      6. Shall follow the University’s account termination procedures when no longer needed.
      7. Shall have a passphrase with a minimum of 15 characters.
         
    4. Limited Access Accounts (e.g., Alumni Accounts)
      Individuals with special relationships with the University, such as alumni, retired faculty and staff, or official visitors, who are neither employed nor enrolled at the University, may be granted limited access privileges:
       
      1. Shall accept terms of use.
      2. Shall be approved by the special community access request process.
      3. Shall automatically be disabled after 90 days of inactivity.
      4. Shall automatically be deleted after 365 days.
      5. Shall be locked after five (5) failed login attempts and must be manually unlocked.
      6. Shall require the use of MFA where feasible.
      7. Shall have a passphrase with a minimum of 15 characters.
         
    5. Privileged Accounts
      Privileged accounts typically have additional access that allows users to configure systems and applications or add or remove user access rights. There are several types of privileged accounts – Administrator, Service, Default, Shared, and Test accounts.
       
      1. Privileged user accounts must be requested by managers or supervisors and appropriately approved.
      2. Where possible, all default user accounts will be disabled or changed. These accounts include “guest,” “temp,” “admin,” “Administrator,” and any other commonly known or used default accounts, as well as related default passwords used by vendors on “commercial off-the-shelf” systems and applications.
      3. The creation, modification, or deletion of a privileged account shall trigger an alert. Alerts shall be generated when a privileged account fails to log in 5 times.
      4. A quarterly report of all privileged accounts shall be reviewed by IT management.

        Administrator Accounts

      • System administrators must use a separate administrator account to perform system-related duties.
        • Shall read and sign the Administrator Code of Conduct and obtain IT management approval
        • Shall follow the naming standard for Administrator accounts
        • Shall be approved by IT management
        • Shall not be email-enabled
        • Shall require the use of MFA where possible
        • Shall have a passphrase with a minimum length of 20 characters
        • Shall be locked after five (5) failed attempts and must be manually unlocked
        • Shall follow account termination procedures when no longer needed.
        • Shall be reviewed at least annually
        • Shall be monitored and alerted on

        Service Accounts

      • Service accounts are typically non-human accounts used by systems and applications to interact and communicate with each other.
      • Service accounts must only be used by application components requiring authentication; access to the passwords must be restricted to authorized IT administrators or application developers only.
        • Shall follow the naming standard for service accounts
        • Shall be unique for each application or service
        • Shall have a complex system-generated password with a minimum of 30 characters that does not expire
        • Shall be tracked and documented in the approved password management tool
        • Shall be reviewed at least annually
        • Shall be monitored and alerted on
           

        Default Accounts

      • Default accounts are built-in or system accounts such as ‘Administrator’ in Windows or ‘root’ on Linux.
        • Shall have complex passwords with a minimum of 30 characters
        • Shall not be email-enabled
        • Shall be reviewed, at a minimum, monthly
        • Shall be tracked and documented in the approved password management tool
        • Shall be monitored and alerted on
         

        Shared Accounts

      • Shared or “generic” accounts are human user accounts created when it is not practical or feasible to create a unique user account. These accounts should be rare and require additional monitoring.
      • Shared accounts must be approved by IT management.
      • Shared accounts must have a designated owner. The owner is responsible for providing and maintaining the required documentation justifying the need for a shared account and a list of individuals with access to the account.
      • When shared accounts are required:
        • Shall follow the naming standard for shared accounts.
        • Shall have a complex system password with a minimum of 30 characters.
        • Shall be required to change passwords every 30 days
        • Shall be locked after five (5) failed attempts and manually unlocked.
        • Shall be reviewed monthly.
        • Shall not be email-enabled
        • Shall be monitored continuously

        Test Accounts

      • Test accounts can only be created if they are justified by the relevant business area or project team and approved by the application owner through a formal request to the IT management.
      • Test accounts must have an expiry date (maximum of 180 days). Maintaining test accounts beyond this date must be re-evaluated every 90 days and approved appropriately.
      • Test accounts will be disabled / deleted when they are no longer necessary.
      • All user accounts and access shall be appropriately authorized and documented before accounts are created and access is provided.
      • When test accounts are required:
        • Shall follow the naming standard for test accounts.
        • Shall have a complex system password with a minimum of 30 characters.
        • Shall be required to change passwords every 30 days
        • Shall be locked after five (5) failed attempts and manually unlocked
        • Shall not be email-enabled unless explicitly required
        • Shall be monitored continuously
           
    6. Exceptions
      Exceptions to this policy must be reviewed and approved by IT management.
       
  4. Definitions
  • Users – students, employees, consultants, contractors, volunteers, agents, and authorized users accessing University IT systems and applications.
  • Access Privileges – system permissions associated with an account, including permissions to access or change data, process transactions, create or change settings, etc.
  • Administrator Account – a user account with advanced permissions on an IT system that are necessary for the administration of that system. For example, an administrator account can create new users, change account permissions, modify security settings such as password settings, modify system logs, etc.
  • Service Accounts – user accounts not associated with a person but with an IT system, an application, a database (or a specific part of an application), or a network service.