Issue/Question
What is the USD security policy for Account Management?
Environment
Cause
Protect against cybersecurity threats, establish cybersecurity norms, enhance cybersecurity maturity
Resolution
Account Management
Policy Statement: The University acknowledges the importance of effective account management in maintaining the security and integrity of its information systems. This policy establishes guidelines for managing user accounts to ensure authorized access, minimize security risks, and protect University resources.
Policy Implementation:
- User Account Provisioning:
  - User accounts will be created for individuals who require access to University systems and resources for legitimate business purposes.
  - Account provisioning procedures will include verification of user identity, approval from appropriate authorities, and assignment of access privileges based on job roles and responsibilities.
  - Account inventory and management should occur in an enterprise IAM system. This system should track, inventory, and govern all account types at USD.
- Access Control:
  - Access to University systems and data will be granted based on the principle of least privilege, ensuring that users have only the access necessary to perform their job functions.
  - Access controls will be enforced through authentication mechanisms, access permissions, and role-based access control (RBAC) where appropriate.
- User Authentication:
  - Strong authentication measures will be implemented to verify the identity of users accessing University systems, including passwords, multi-factor authentication (MFA), biometric authentication, or token-based authentication.
  - Password policies will be enforced to ensure that passwords are strong, regularly updated, and not shared with unauthorized individuals.
- Account Review and Monitoring:
  - Regular reviews of user accounts will be conducted to ensure that access privileges are appropriate and aligned with current job responsibilities.
  - Account activity will be monitored for suspicious behavior, unauthorized access attempts, or deviations from normal usage patterns.
- Account Termination:
  - User accounts associated with terminated employees, students, or contractors will be promptly deactivated or removed to prevent unauthorized access to University systems and data.
  - Account termination procedures will include revoking access privileges, disabling accounts, and securely archiving or deleting account data as appropriate.
Compliance and Enforcement: All members of the University community are responsible for adhering to this policy and actively participating in account management activities.
Policy Review: This policy will be reviewed annually to ensure alignment with emerging threats, changes in technology, and regulatory requirements. Updates will be made as necessary to maintain the effectiveness and relevance of account management practices.
This policy provides a framework for implementing CIS Control 5 within a university environment, focusing on effective account management practices to ensure authorized access, minimize security risks, and protect University resources.
Please contact the Service Desk if you need further assistance.